The defacement of political party websites is nothing new, but what motivates them can be dynamic, as Indian Prime Minister Modi found out two days before an official visit to the United States. But since then, media have made the idea of the Indian Hacker increasingly more popular.
First Published 18th March 2019 | Latest Refresh 23rd November 2021
Some people will vote, and some people will hack.
4 min read | Reflare Research Team
Incredible India
In this report, we will take a look at someone slightly older (but high profile) news item which has become significantly interesting due to more recent developments, as well as the reported rise of India as a hacking centre.
We will start on March 5th 2019, the Bharatiya Janata Party - India’s currently governing party - saw its official website defaced in a hack. We will take a look at the difference between defacements and more serious attacks as well as the difference between hard and soft targets.
What is defacement?
Defacement is a type of cyberattack where contents - usually on websites - are replaced with contents chosen by the attacker. Importantly, the new contents aren’t malicious payloads or small-yet-critical changes but rather mocking or offensive texts and images. The goal of defacement is to make the attacked party lose face by highlighting their weak security capabilities while spreading the attacker’s message.
Defacement attacks are extremely common - especially in political and sociological contexts.
Is a political party’s website a hard target?
In previous briefings, we have often discussed hard and soft targets. Hard targets include secure communications channels, government networks and military networks among others. Public websites of political parties however do not commonly qualify as hard targets. Apart from their public image, official political party websites contain very few valuable assets. For example, they usually do not tie into actual governmental systems or allow users to log-in. To make a comparison to more tangible objects - the difference between a political party’s internal network and its public homepage is similar to that between its internal strategy papers and its election posters. The former is much more important and thus kept much more secure than the latter.
Take your time
The BJP’s website was offline for more than 10 days. This is unusual as defacements are usually not hard to recover from. According to reporting by NDTV, party officials have stated that:
"The website could have been brought back up in a matter of hours. But we decided to use the bugging as an opportunity to complete a plan to revamp it. The plan had been in place for two to three months. The site's technology had not been upgraded for five years." [sic]
This statement rings half-true. It would be more common to bring an older version of the site back online while maintenance is performed. However, if the attacked party cannot be sure that the recovered site won’t immediately be hacked again, a longer downtime and upgrade cycle becomes worthwhile.
The last sentence of the statement however is telling: In terms of information security, 5 years without updates is an eternity. It is likely that at the time of the hack, dozens of publicly known vulnerabilities were open to being abused. The defences of the website were thus - in practical terms - non existent.
While you were waiting for the site to load
Since the BJP breach, a domestic matter, various countries have started pointing at India as the origin of increased hacking activity on the international stage. One of the more notable assertions comes from a report published by Anity Labs, a well-renowned cyber security company based in China.
The report states that a number of cyber attacks against Chinese and Pakistani government agencies and military departments have come from a group called You Xiang (english translation: Baby Elephant) based in New Delhi.
One technique reported is that Baby Elephant disguise itself as the mail system of the Nepalese Ministry of Foreign Affairs and the Prime Minister's office, and it is from there they launch their attacks.
Another technique is that they pretended to be an Andriod polling application for the India/Nepal territorial. Once the malicious app is installed, the application asks for system permissions from users, and when permission is granted, it monitors the victim's phone activity.
The footprints of a baby elephant
But since the publication of the Anity Labs report, more governments are coming forward with details of breaches that match those of Baby Elephant. Nepal and Afghanistan also report similar attacks that have the same characteristics (malicious HTA scrips and Python Trojan horses) as those used on China in Pakistan.
The rise of the 'Indian hacker' is becoming more prominent. As reported by one media outlet, "Multiple signs show that baby elephant has already become one of the most active and mature cyber attack organisations that threaten the cyber security of South Asia and Asia-Pacific."
Attacks can come from anywhere. Therefore, it is vital that your organisation be vigilant when it comes to developing its cyber security awareness. Furthermore, cyber security attack techniques are ever evolving. To stay updated with the latest breach techniques, consider subscribing to the Reflare Research Newsletter, and review some of the relevant research articles on the topic below. Namaste.