Political Parties, Risk and Degrees of Attacks
This week we will take a look at a slightly older news item which has become significantly more interesting in light of recent developments. On March 5th 2019, the Bharatiya Janata Party (BJP), India's currently governing party, saw its official website defaced. In this briefing we will look at the difference between defacements and more serious attacks, as well as the difference between hard and soft targets.
What is a defacement?
A defacement is a type of cyberattack in which content, usually on a website, is replaced with content chosen by the attacker. Importantly, the new content is not a malicious payload or a small-yet-critical change, but mocking or offensive text and images. The goal of a defacement is to make the attacked party lose face by highlighting its weak security while spreading the attacker's message. Because the change is meant to be seen, it is also the easiest kind of compromise to notice: the page no longer matches what the owner published.
Defacement attacks are extremely common - especially in political and sociological contexts.
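Since a defacement is by definition a visible change to published content, the simplest defence is an integrity monitor that compares what the site currently serves against a known-good baseline. The following is an added example written for this briefing, not code from the original article or from the BJP's site operators. It works on constructed HTML snippets instead of fetching a live page, and the list of marker phrases is a hypothetical starting point, not an authoritative signature set.

```python
"""Minimal defacement detector: fingerprint the stable parts of a page and
flag unexpected changes.

Added example for this briefing; all HTML below is constructed sample input.
"""
import hashlib
import re

# Regions that legitimately change on every render (CSRF tokens, timestamps,
# HTML comments emitted by the CMS) are stripped before hashing so that they
# do not cause false alarms. Extend this list for the site being monitored.
VOLATILE_PATTERNS = [
    re.compile(r"<!--.*?-->", re.S),                                 # HTML comments
    re.compile(r'<meta name="csrf-token" content="[^"]*"\s*/?>'),    # rotating tokens
    re.compile(r"<time[^>]*>.*?</time>", re.S),                      # rendered timestamps
]

# Hypothetical phrases that rarely appear on a legitimate party homepage but
# are typical of defacement pages. A hit upgrades "changed" to "likely_defaced".
DEFACEMENT_MARKERS = ("hacked by", "owned by", "pwned", "defaced")


def fingerprint(html: str) -> str:
    """SHA-256 over the page with volatile regions removed and whitespace collapsed."""
    body = html
    for pat in VOLATILE_PATTERNS:
        body = pat.sub("", body)
    body = re.sub(r"\s+", " ", body).strip()
    return hashlib.sha256(body.encode("utf-8")).hexdigest()


def check_page(baseline_fp: str, current_html: str) -> dict:
    """Compare the current page against a baseline fingerprint.

    Returns a verdict of "unchanged", "changed" (content differs but no
    defacement marker was seen; probably a legitimate edit to review) or
    "likely_defaced" (content differs and a marker phrase is present).
    """
    current_fp = fingerprint(current_html)
    changed = current_fp != baseline_fp
    lowered = current_html.lower()
    markers = [m for m in DEFACEMENT_MARKERS if m in lowered]
    if not changed:
        verdict = "unchanged"
    elif markers:
        verdict = "likely_defaced"
    else:
        verdict = "changed"
    return {"changed": changed, "markers": markers,
            "verdict": verdict, "fingerprint": current_fp}


# --- constructed sample pages -------------------------------------------------
BASELINE_HTML = """<html><head>
<meta name="csrf-token" content="a1b2c3"/>
<title>Party Homepage</title></head>
<body>
<!-- rendered by cms 4.2 -->
<h1>Welcome to the Party Homepage</h1>
<p>Join our campaign for the upcoming elections.</p>
<footer>Generated <time datetime="2019-03-04T10:00:00">10:00</time></footer>
</body></html>"""

# Same page, rendered later: new token, new timestamp, new comment. Must not alert.
RERENDERED_HTML = BASELINE_HTML.replace("a1b2c3", "z9y8x7") \
    .replace("2019-03-04T10:00:00\">10:00", "2019-03-05T09:30:00\">09:30") \
    .replace("cms 4.2", "cms 4.2 (cached)")

# A legitimate content update by the site's editors. Should be "changed".
EDITED_HTML = BASELINE_HTML.replace(
    "<p>Join our campaign for the upcoming elections.</p>",
    "<p>Join our campaign for the upcoming elections.</p>\n<p>New rally announced.</p>")

# The kind of page a defacement leaves behind. Should be "likely_defaced".
DEFACED_HTML = """<html><body style="background:black;color:red">
<h1>HACKED BY EXAMPLE CREW</h1><p>your security is a joke</p>
</body></html>"""

BASELINE_FP = fingerprint(BASELINE_HTML)

if __name__ == "__main__":
    for name, page in [("rerendered", RERENDERED_HTML),
                       ("edited", EDITED_HTML),
                       ("defaced", DEFACED_HTML)]:
        result = check_page(BASELINE_FP, page)
        print(f"{name:10s} -> {result['verdict']} {result['markers']}")
```

In practice the baseline is recomputed whenever the editors publish a change, the check runs from outside the organisation's network so that it sees what the public sees, and a "changed" verdict that nobody on the content team can account for is treated as an incident rather than noise.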
Is a political party’s website a hard target?
In previous briefings we have often discussed hard and soft targets. Hard targets include secure communication channels, government networks and military networks, among others. The public websites of political parties do not commonly qualify as hard targets. Apart from their public image, official party websites hold few valuable assets: they usually neither connect to actual governmental systems nor allow users to log in. To make a comparison with more tangible objects, the difference between a political party's internal network and its public homepage is similar to that between its internal strategy papers and its election posters. The former are much more important and are therefore kept much more secure than the latter.
Why hasn’t the website come back online?
At the time of writing, the BJP's website has been offline for more than 10 days. This is unusual, as defacements are normally not hard to recover from: the compromised content is replaced, not destroyed, and a clean copy of the site usually exists. According to reporting by NDTV, party officials have stated that:
"The website could have been brought back up in matter of hours. But we decided to use the bugging as an opportunity to complete a plan to revamp it. The plan had been in place for two to three months. The site's technology had not been upgraded for five years." [sic]
This statement rings half-true. The more common course of action would be to bring a known-good version of the site back online while maintenance is performed. However, if the attacked party cannot be sure that the restored site would not immediately be hacked again, because the vulnerability that let the attacker in is still unknown or still unpatched, a longer downtime and upgrade cycle become worthwhile.
The last sentence of the statement is nonetheless telling. In information security terms, five years without upgrades is an eternity. If the underlying CMS and server stack went unpatched for that long as well, it is likely that at the time of the hack dozens of publicly known vulnerabilities were open to abuse. In practical terms, the website's defences were non-existent.