
North Korea behind cyber attack on KKNPP? Experts doubt the possibility

In this article, Sanjib Kr Baruah states that a number of Indian cybersecurity experts doubt that North Korea was behind the cyberattack on the Kudankulam nuclear plant in Tamil Nadu. He explains that a lot of effort is required to hide cyber tracks so that the identity of the attacker is masked. North Korea might not put so much labour into troubling India.


Published : Nov 5, 2019, 6:53 PM IST

New Delhi: In the world of cyber espionage, a lot of effort is expended to hide cyber tracks so that the identity of the attacker is masked. That is why a few Indian cybersecurity experts believe North Korea may not be behind the October 28, 2019, cyberattack on the Kudankulam Nuclear Power Plant (KKNPP) in Tamil Nadu’s Tirunelveli district.

A former official of the National Technical Research Organisation (NTRO), India’s prime spy agency for providing technical intelligence on internal and external security, said deception and subterfuge is the name of the game in cyber espionage.

“In such a situation, what seems obvious may not be the reality. A prime concern of every attacker is to hide its footprints and also misguide and mislead. Even friendly countries spy and then try to hide their tracks,” he said on condition of anonymity.

Echoing the same line of thought, Muslim Koser, co-founder and head (Technology), Volon Cyber Security, told ETV Bharat: “There is a possibility North Korea might not be behind this attack, as widely speculated in the media and that Lazarus group might be behind this attack. Traditionally the motive of this group has been cybercrime or financial theft, where they have predominantly targeted financial institutions and big corporations, whereas, in Kudankulam, the motive is entirely different (more towards data/information theft), although of late they (Lazarus) have been touted as to move towards cyber espionage type of motivation. But still, there is no concrete evidence for the same.”

Volon is among India’s top private cybersecurity firms offering specialized solutions for corporates and governments to counter and combat cyber threats.

“Normally in cyber espionage, operational security to ensure it is not attributable is of paramount importance. In general, inexperienced groups always use the same or similar TTP (tools, tactics, procedures) that make their work easily recognizable. But actors also try and re-use the infrastructure or TTP of other groups to misguide the attribution,” Koser adds.

Pukhraj Singh, a former NTRO employee, had first tweeted about the attack on a KKNPP server computer (domain controller). Apparently, an online virus called 'DTRACK', developed by the North Korean hacking group called Lazarus, was behind the attack. The virus extracts information from remote locations.

According to Russian cybersecurity firm Kaspersky, which often collaborates with the Indian government on cybersecurity issues: “Dtrack can be used as a remote admin tool (RAT), giving threat actors complete control over infected devices. Criminals can then perform different operations, such as uploading and downloading files and executing key processes.”

Kaspersky was the first entity to discover Dtrack, which had been 'spotted in Indian financial institutions and research centres'.

Till the time of filing of this report, Kaspersky had not responded to mailed queries.

In today’s world, cyber espionage and counter-espionage are a continuous process and there are no friends. In this type of targeting, the idea is to get a steady flow of information without getting detected. Normally actors do not try to hinder or harm the systems; they silently try to extract information/data.

One reason why footprints are made invisible is that friendly nations are also targets. “In this process, they are gathering intelligence by stealing information and not causing any harm, hence any such intelligence is of paramount importance,” Koser says.


