Thursday, March 9, 2017

Has Pakistan Developed Cyber Attack and Defense Capabilities?

Recent reports of Russian hacks of the American Democratic Party's election campaign staff to influence the outcome of US elections have brought international cyber espionage in sharp focus once again. How many nations have such capabilities? What are their names? Are India and Pakistan among them?

Pakistan is believed to be among a couple of dozen nations with serious cyber espionage capabilities. This belief has been strengthened among the cyber security community since Operation Arachnophobia is suspected to have originated in Pakistan.

Bloodmoney: A Novel of Espionage:

Washington Post columnist David Ignatius frequently writes about the activities of intelligence agencies and often cites "anonymous" intelligence sources to buttress his opinions. He is also a novelist who draws upon his knowledge to write spy thrillers.

Ignatius's 2011 fiction "Bloodmoney: A Novel of Espionage" features a computer science professor Dr. Omar who teaches at a Pakistani university as the main character. Omar, born in  Pakistan's tribal region of South Waziristan, is a cyber security expert. One of Omar's specialties is his deep knowledge of SWIFT, a network operated by Society for Worldwide Interbank Financial Telecommunication that tracks all international financial transactions, including credit card charges.

Omar's parents and his entire family are killed in a misdirected US drone strike. Soon after the tragedy,  several undercover CIA agents are killed within days after their arrival in Pakistan.  American and Pakistani investigations seek the professor's help to solve these murders. Ignatius's novel ends with the identification of the professor as the main culprit in the assassinations of CIA agents.

Operation Arachnophobia:

In 2014, researchers from FireEye, a Silicon Valley cyber security company founded by a Pakistani-American,  and ThreatConnect teamed up in their investigation of "Operation Arachnophobia" targeting Indian computers. It features a custom malware family dubbed Bitterbug that serves as the backdoor for stealing information. Though the researchers say they have not identified the specific victim organizations, they have spotted malware bundled with decoy documents related to Indian issues, according to

The reason it was dubbed "Operation Arachnophobia" has to do with the fact that variants of the Bitterburg malware detected by the researchers included build paths containing the strings “Tranchulas” and “umairaziz27”, where Tranchulas is the name of an Islamabad-based Pakistani security firm and Umair Aziz is one of its employees.

Operation Hangover:

Operation Arachnophobia targeted Indian officials. It appears to have been Pakistan's response to India's Operation Hangover that targeted Pakistan. Investigations by  Norway-based security firm Norman have shown that the Operation Hangover attack infrastructure primarily was used as a means to extract security-related information from Pakistan and, to a lesser extent, China.

"Targeted attacks are all too common these days, but this one is certainly noteworthy for its failure to employ advanced tools to conduct its campaigns," said Jean Ian-Boutin, malware researcher at ESET security company. "Publicly available tools to gather information on infected systems shows that the attackers did not go to great lengths to cover their tracks. On the other hand, maybe they see no need to implement stealthier techniques because the simple ways still work."

Attack Easier Than Defense:

The fact that cyber attacks so often succeed suggests that it's easier to attack a system than to defend it.  By the time such attacks are detected, it's already too late. A lot of valuable information has already been lost to attackers.

However, it's still very important to possess the cyberattack capability as a deterrent to attacks. Those who lack the capacity to retaliate invite even more brazen cyberattacks.

Need for International Treaties:

Cyberattacks on infrastructure can have disastrous consequences with significant loss of human life. Disabling power grids and communication networks can hurt a lot of people and prevent delivery of aid to victims of disaster. It's important that nations work together to agree on some norms for what is permissible and what is not before there is a catastrophe.


About 30 nations, including US, UK, France, Germany, Russia, China, India, Iran, Israel and Pakistan, possess cyber espionage and attack capabilities.  Growth and proliferation of such technologies present a serious threat to world peace.  There is an urgent need for nations of the world to come together to agree on reasonable restrictions to prevent disasters.

Haq's Musings

Revolution in Military Affairs: Cyberweapons and Robots

Cyber Warfare

Pakistani-American Founder of Fireeye Cyber Firm

Pakistan Boosts Surveillance to Fight Terror

Pakistan's Biometric Registration Database

Operation Zarb e Azb Launch

Ex Indian Spy Documents RAW's Successes in Pakistan

Intelligence Failures in Preventing Daily Carnage in Pakistan

What If Musharraf Had Said NO to US After 911?

Pakistani Computer Scientist Fights Terror

Pakistani Killer Drones to Support Anti-Terror Campaign

3G 4G Rollout Spurs Data Services Boom in Pakistan

Fiber Optic Connectivity in Pakistan


Riaz Haq said...


A NEW REPORT from Rand Corp. may help shed light on the government’s arsenal of malicious software, including the size of its stockpile of so-called “zero days” — hacks that hit undisclosed vulnerabilities in computers, smartphones, and other digital devices.

The report also provides evidence that such vulnerabilities are long lasting. The findings are of particular interest because not much is known about the U.S. government’s controversial use of zero days. Officials have long refused to say how many such attacks are in the government’s arsenal or how long it uses them before disclosing information about the vulnerabilities they exploit so software vendors can patch the holes.

Rand’s report is based on unprecedented access to a database of zero days from a company that sells them to governments and other customers on the “gray market.” The collection contains about 200 entries — about the same number of zero days some experts believe the government to have. Rand found that the exploits had an average lifespan of 6.9 years before the vulnerability each targeted was disclosed to the software maker to be fixed, or before the vendor made upgrades to the code that unwittingly eliminated the security hole.

Some of the exploits survived even longer than this. About 25 percent had a lifespan of a decade or longer. But another 25 percent survived less than 18 months before they were patched or rendered obsolete through software upgrades.

Rand’s researchers found that there was no pattern around which exploits lived a long or short life — severe vulnerabilities were not more likely to be fixed quickly than minor ones, nor were vulnerabilities in programs that were more widely available.

“The relatively long life expectancy of 6.9 years means that zero-day vulnerabilities — in particular the ones that exploits are created for [in the gray market] — are likely old,” write lead researchers Lillian Ablon and Andy Bogart in their paper “Zero Days, Thousands of Nights.”

Rand, a nonprofit research group, is the first to study in this manner a database of exploits that are in the wild and being actively used in hacking operations. Previous studies of zero days have used manufactured data or the vulnerabilities and exploits that get submitted to vendor bug bounty programs — programs in which software makers or website owners pay researchers for security holes found in their software or websites.

The database used in the study belongs to an anonymous company referred to in the report as “Busby,” which amassed the exploits over 14 years, going back to 2002. Busby’s full database actually has around 230 exploits in it, about 100 of which are still considered active, meaning they are unknown to the software vendors and therefore no patches are available to fix them. The Rand researchers only had access to information on 207 zero days — the rest are recently discovered exploits the company withheld from Rand’s set “due to operational sensitivity.”

While it’s not known how many of these exploits are in the U.S. government’s arsenal, Jason Healey, a senior research scholar at Columbia University’s School for International and Public Affairs, believes the U.S. government’s zero-day stockpile is comparable in size to Busby’s.

Anonymous said...

Actually, Pakistan has more to worry. Pakistan's critical infrastructure runs on Chinese manufactured devices containing Chinese firmwares. Like Pakistan's mobile network. Or Internet routers. Chinese firmwares are usually poorly written with gaping holes like never seen before. Few example are ZTE and Huwei. Modems and Routers produced by these firms are riddled with very easy to exploit bugs. My favourite one is a DoS attack involving invoking reboot.cgi. Chinese are so careless with their firmware that they do not even check for authorized session. A script kidde can bring entire bank to halt if they were using Chinese modems to connect to internet.

Riaz Haq said...

Anon: " Like Pakistan's mobile network. Or Internet routers. Chinese firmwares are usually poorly written with gaping holes like never seen before. Few example are ZTE and Huwei. "

Both ZTE and Huawei have huge market share all over the world. Here's a BT report:

"n 2011/12, Huawei was ahead of Ericsson and Nokia Siemens Network (NSN), the European telecom equipment makers which have long held the top two spots in the country by revenues. But the first few years were full of hurdles for both Huawei and ZTE, also a Chinese telecom equipment maker. European companies such as NSN, Ericsson and Alcatel Lucent had been operating in India for decades and were trusted. There was a widespread perception that Chinese products would be of inferior quality."

And Europe is using a lot of Chinese telecom equipment:

A second strategy, exemplified by telecoms equipment maker Huawei Technologies, is a straightforward effort to raise margins by diversifying out of the low-margin Chinese market into higher-margin foreign ones. Huawei has derived more than half its sales from abroad for over a decade, and has gradually increased its presence in European markets, in part through loose alliances with major clients such as BT, Orange, Deutsche Telekom, and Telef√≥nica. It has also moved quickly into the device sector. From tablets to smartphones and 3G keys, its products are now spreading across Europe, as are its greenfield investments in European R&D centers. Its efforts to expand through M&A have been hampered by its image as an arm of the Chinese state—although privately owned, it has benefited from huge lines of credit from Chinese policy banks, and has never put to rest rumors of close ties with the People’s Liberation Army.

Abdul Jabbar said...

Pakistan has large number of hackers and has capability to respond to any threat.

Riaz Haq said...

Can Cyber Warfare Be Deterred? by Joseph Nye

Fear of a “cyber Pearl Harbor” first appeared in the 1990s, and for the past two decades, policymakers have worried that hackers could blow up oil pipelines, contaminate the water supply, open floodgates and send airplanes on collision courses by hacking air traffic control systems. In 2012, then-US Secretary of Defense Leon Panetta warned that hackers could “shut down the power grid across large parts of the country.”
None of these catastrophic scenarios has occurred, but they certainly cannot be ruled out. At a more modest level, hackers were able to destroy a blast furnace at a German steel mill last year. So the security question is straightforward: Can such destructive actions be deterred?
The Year Ahead 2017 Cover Image
It is sometimes said that deterrence is not an effective strategy in cyberspace, because of the difficulties in attributing the source of an attack and because of the large and diverse number of state and non-state actors involved. We are often not sure whose assets we can hold at risk and for how long.
Attribution is, indeed, a serious problem. How can you retaliate when there is no return address? Nuclear attribution is not perfect, but there are only nine states with nuclear weapons; the isotopic identifiers of their nuclear materials are relatively well known; and non-state actors face high entry barriers.
None of this is true in cyberspace where a weapon can consist of a few lines of code that can be invented (or purchased on the so-called dark web) by any number of state or non-state actors. A sophisticated attacker can hide the point of origin behind the false flags of several remote servers.
While forensics can handle many “hops” among servers, it often takes time. For example, an attack in 2014 in which 76 million client addresses were stolen from JPMorgan Chase was widely attributed to Russia. By 2015, however, the US Department of Justice identified the perpetrators as a sophisticated criminal gang led by two Israelis and an American citizen who lives in Moscow and Tel Aviv.
Attribution, however, is a matter of degree. Despite the dangers of false flags and the difficulty of obtaining prompt, high-quality attribution that would stand up in a court of law, there is often enough attribution to enable deterrence.
For example, in the 2014 attack on SONY Pictures, the United States initially tried to avoid full disclosure of the means by which it attributed the attack to North Korea, and encountered widespread skepticism as a result. Within weeks, a press leak revealed that the US had access to North Korean networks. Skepticism diminished, but at the cost of revealing a sensitive source of intelligence.
Prompt, high-quality attribution is often difficult and costly, but not impossible. Not only are governments improving their capabilities, but many private-sector companies are entering the game, and their participation reduces the costs to governments of having to disclose sensitive sources. Many situations are matters of degree, and as technology improves the forensics of attribution, the strength of deterrence may increase.
Moreover, analysts should not limit themselves to the classic instruments of punishment and denial as they assess cyber deterrence. Attention should also be paid to deterrence by economic entanglement and by norms.
Economic entanglement can alter the cost-benefit calculation of a major state like China, where the blowback effects of an attack on, say, the US power grid could hurt the Chinese economy. Entanglement probably has little effect on a state like North Korea, which is weakly linked to the global economy. It is not clear how much entanglement affects non-state actors. Some may be like parasites that suffer if they kill their host, but others may be indifferent to such effects.

Riaz Haq said...

As for norms, major states have agreed that cyber war will be limited by the law of armed conflict, which requires discrimination between military and civilian targets and proportionality in terms of consequences. Last July, the United Nations Group of Government Experts recommended excluding civilian targets from cyberattacks, and that norm was endorsed at last month’s G-20 summit.
It has been suggested that one reason why cyber weapons have not been used more in war thus far stems precisely from uncertainty about the effects on civilian targets and unpredictable consequences. Such norms may have deterred the use of cyber weapons in US actions against Iraqi and Libyan air defenses. And the use of cyber instruments in Russia’s “hybrid” wars in Georgia and Ukraine has been relatively limited.
The relationship among the variables in cyber deterrence is a dynamic one that will be affected by technology and learning, with innovation occurring at a faster pace than was true of nuclear weapons. For example, better attribution forensics may enhance the role of punishment; and better defenses through encryption may increase deterrence by denial. As a result, the current advantage of offense over defense may change over time.

Cyber learning is also important. As states and organizations come to understand better the importance of the Internet to their economic wellbeing, cost-benefit calculations of the utility of cyber warfare may change, just as learning over time altered the understanding of the costs of nuclear warfare.
Unlike the nuclear age, when it comes to deterrence in the cyber era, one size does not fit all. Or are we prisoners of an overly simple image of the past? After all, when nuclear punishment seemed too draconian to be credible, the US adopted a conventional flexible response to add an element of denial in its effort to deter a Soviet invasion of Western Europe. And while the US never agreed to a formal norm of “no first use of nuclear weapons,” eventually such a taboo evolved, at least among the major states. Deterrence in the cyber era may not be what it used to be, but maybe it never was

Riaz Haq said...

America must defend itself against the real national security menace

by Fareed Zakaria

1. Punishment
2. Defense
3. Taboo

Since the North Korean government’s 2014 attacks on Sony Pictures Entertainment, many in the intelligence community, including Adm. Michael S. Rogers, have warned that “we’re at a tipping point.” Rogers, head of the National Security Agency and U.S. Cyber Command, testified to Congress in 2015 that the country had no adequate deterrent against cyberattacks. He and many others have argued for an offensive capacity forceful enough to dissuade future threats.

But the digital realm is a complex one, and old rules will not easily translate. The analogy that many make is to nuclear weapons. In the early Cold War, that new category of weaponry led to the doctrine of deterrence, which in turn led to arms-control negotiations and other mechanisms to foster stable, predictable relations among the world’s nuclear powers.

But this won’t work in the cyber realm, Joseph Nye says in an important new essay in the journal International Security. First, the goal of nuclear deterrence has been “total prevention” — to avert a single use of nuclear weapons. Cyberattacks happen all the time, everywhere. The Defense Department reports getting 10 million attacks a day. Second, there is the problem of attribution. Nye quotes defense official William Lynn, who observed in 2010, “Whereas a missile comes with a return address, a computer virus generally does not.” That’s why it is so easy for the Russian government to deny any involvement with the hacking against the Democratic National Committee. It is hard to establish ironclad proof of the source of any cyberattack — which is a large part of its attractiveness as an asymmetrical weapon.

Nye argues that there are four ways to deal with cyberattacks: punishment, entanglement, defense and taboos. Punishment involves retaliation, and although it is worth pursuing, both sides can play that game, and it could easily spiral out of control.

Entanglement means that if other countries were to harm the United States, their own economies would suffer. It strikes me as of limited value because there are ways to attack the United States discreetly without shooting oneself in the foot (as Russia has shown recently, and as Chinese cybertheft of intellectual property shows as well). And it certainly wouldn’t deter groups such as the Islamic State, al-Qaeda or even WikiLeaks.

The other two strategies merit more consideration. Nye contends that the United States should develop a serious set of defenses, beyond simply governmental networks, that are modeled on public health. Regulations and information would encourage the private sector to follow some simple rules of “cyber hygiene” that could go a long way toward creating a secure national network. This new system of defenses should become standard in the digital world.

The final strategy Nye suggests is to develop taboos against certain forms of cyberwarfare. He points out that after the use of chemical weapons in World War I, a taboo grew around their use, was enacted into international law and has largely held for a century. Similarly, in the 1950s, many strategists saw no distinction between tactical nuclear weapons and “normal” weapons. Gradually, countries came to shun any use of nuclear weaponry, a mutual understanding that has also survived for decades. Nye recognizes that no one is going to stop using cyber-tools but believes that perhaps certain targets could be deemed off-limits, such as purely civilian equipment.

Of course, the development of such norms would involve multilateral negotiations, international forums, rules and institutions, all of which the Trump administration views as globaloney. But at least it is working hard to prevent Yemeni tourists from entering the country.

Riaz Haq said...

Wikileaks reveal #American #Spy Agency #NSA #Cyber Weapons Used to Hack #Pakistan mobile system via @techjuicepk

New information about the involvement of US in hacking Pakistan mobile system has been found in a release by Wikileaks. This leak points to NSA’s cyber weapons which include code related to hacking of Pakistan mobile system.

NSA’s interest in Pakistan
NSA, National Security Agency responsible for global monitoring, collection, and processing of information and data for foreign intelligence and counterintelligence purposes in the USA, has allegedly spied on Pakistani civilian and military leadership in the past. Edward Snowden, a former NSA employee, has also suggested in the past that NSA used wiretapping and cyber weapons to spy on many international leaders.

Scope of new information
On Saturday, Wikileaks revealed hundreds of cyber weapons variants which include code pointing towards NSA hacking Pakistan mobile system.

The link shared in the tweet by Wikileaks’ official account points to a Github repository containing the decrypted files pertaining to NSA cyber weapons. A complete analysis of these files by a cyber security expert is needed to further highlight the severity of the situation. Initial impressions, however, seem to indicate that these leaks will certainly provide more substance to previous allegations against NSA.

Riaz Haq said...

#Cyberattack Hits #Ukraine Then Spreads Internationally. #NSA #hackingtool #WannaCry #Petya #Russia

Computer systems from Ukraine to the United States were struck on Tuesday in an international cyberattack that was similar to a recent assault that crippled tens of thousands of machines worldwide.

In Kiev, the capital of Ukraine, A.T.M.s stopped working. About 80 miles away, workers were forced to manually monitor radiation at the old Chernobyl nuclear plant when their computers failed. And tech managers at companies around the world — from Maersk, the Danish shipping conglomerate, to Merck, the drug giant in the United States — were scrambling to respond. Even an Australian factory for the chocolate giant Cadbury was affected.

It was unclear who was behind this cyberattack, and the extent of its impact was still hard to gauge Tuesday. It started as an attack on Ukrainian government and business computer systems — an assault that appeared to have been intended to hit the day before a holiday marking the adoption in 1996 of Ukraine’s first Constitution after its break from the Soviet Union. The attack spread from there, causing collateral damage around the world.

The outbreak was the latest and perhaps the most sophisticated in a series of attacks making use of dozens of hacking tools that were stolen from the National Security Agency and leaked online in April by a group called the Shadow Brokers.

Like the WannaCry attacks in May, the latest global hacking took control of computers and demanded digital ransom from their owners to regain access. The new attack used the same National Security Agency hacking tool, Eternal Blue, that was used in the WannaCry episode, as well as two other methods to promote its spread, according to researchers at the computer security company Symantec.

The National Security Agency has not acknowledged its tools were used in WannaCry or other attacks. But computer security specialists are demanding that the agency help the rest of the world defend against the weapons it created.

“The N.S.A. needs to take a leadership role in working closely with security and operating system platform vendors such as Apple and Microsoft to address the plague that they’ve unleashed,” said Golan Ben-Oni, the global chief information officer at IDT, a Newark-based conglomerate hit by a separate attack in April that used the agency’s hacking tools. Mr. Ben-Oni warned federal officials that more serious attacks were probably on the horizon.

The vulnerability in Windows software used by Eternal Blue was patched by Microsoft in March, but as the WannaCry attacks demonstrated, hundreds of thousands of groups around the world failed to properly install the fix.

“Just because you roll out a patch doesn’t mean it’ll be put in place quickly,” said Carl Herberger, vice president for security at Radware. “The more bureaucratic an organization is, the higher chance it won’t have updated its software.”

Because the ransomware used at least two other ways to spread on Tuesday — including stealing victims’ credentials — even those who used the Microsoft patch could be vulnerable and potential targets for later attacks, according to researchers at F-Secure, a Finnish cybersecurity firm, and others.

A Microsoft spokesman said the company’s latest antivirus software should protect against the attack.

The Ukrainian government said several of its ministries, local banks and metro systems had been affected. A number of other European companies, including Rosneft, the Russian energy giant; Saint-Gobain, the French construction materials company; and WPP, the British advertising agency, also said they had been targeted.

Riaz Haq said...

The Opinion Pages | EDITORIAL

When Cyberweapons Go Missing

Twice in the past few months, powerful cyberattacks have wreaked havoc on the world, shutting down tens of thousands of computers, including critical machines in hospitals, a nuclear site and businesses. The attacks were initially thought to be schemes to collect ransom, but their goals — whether money, politics or just chaos — have become increasingly blurred. One thing seems clear: The weapons for the attack were developed by the National Security Agency and stolen from it.

That’s chilling. After the first attack, Brad Smith, the president of Microsoft, said the theft of the cyberweapons was equivalent to Tomahawk missiles’ being stolen from the military, and he issued a scathing critique of the government’s stockpiling of computer vulnerabilities. The N.S.A. has not only failed to assist in identifying the vulnerabilities its weapons were designed to exploit but has also not even acknowledged their existence or their theft.

It remains a mystery whether the N.S.A. knows how its weapons were stolen. What is known is that a group called Shadow Brokers started offering them for sale in August and made them public in April. It promised a fresh batch last month, offering them to monthly subscribers. Former intelligence officials said it was clear the weapons came from an N.S.A. unit formerly known as Tailored Access Operations.

Once publicly available, the weapons can be reconfigured for many purposes and used by anyone with some computer savvy. North Korea was thought to be a culprit in the first wave of attacks, and Russian hackers may have been behind the second. Other forces may be at work, too. A cybersecurity officer with the IDT Corporation in Newark, Golan Ben-Oni, has made waves with warnings that ransom demands could be a cover for far deeper invasions to steal confidential information.

Secrecy, of course, is the N.S.A.’s stock in trade, and acknowledging authorship of stolen cyberweapons runs counter to everything the spy agency does. A spokesman for the National Security Council at the White House was quoted as saying that the administration “is committed to responsibly balancing national security interests and public safety and security.”

Fixing this deadly serious problem is certain to be complex, but the task is urgent. The N.S.A. clearly needs to do a better job of safeguarding the cyberweapons it is developing and also neutralizing the damage their theft has unleashed. Microsoft, whose software vulnerabilities were exploited in the attacks, and companies that use its software will have to strengthen their defenses.

Beyond that, the federal government may want to offer grants as incentives to groups doing malware analysis. Once conclusively identified, the culprits behind the attacks must be penalized in some way, such as with sanctions. While the immediate focus needs to be on concrete responses, it is also worth thinking seriously about more global cooperation, such as the Digital Geneva Convention proposed by Microsoft as a way to prevent cyberwarfare.

Anonymous said...

Pakistan is currently lacking the offensive capability recent times an wave of immediate sense of insecurity is being felt in top brass. we need to address this issue on war-footing basis. The Cyber Threat Landscape already showing Pakistan as top targeted countries specially its industrial base highly vulnerable to ICS attacks.

Riaz Haq said...

IT ministry to come up with plan to ensure country’s cyber-security

Ministry of Information Technology has been entrusted with the responsibility to propose an appropriate organisation in order to ensure cyber-security of Pakistan.

The decision was taken during a high-level meeting on Thursday to develop a framework and way forward to coordinate and evolve a mechanism for country’s cyber-security.

National Security Adviser Nasser Khan Janjua chaired the meeting. National Security Division secretary, representatives from Ministry of Information and Broadcasting, Ministry of Information Technology, Pakistan Electronic Media Regulatory Authority (PEMRA), Pakistan Telecommunication Authority (PTA) and Federal Investigation Agency (FIA) attended the meeting.

Moreover, the Ministry of Information and Broadcasting will propose a mechanism that could chalk out a way forward towards the use of social media for a progressive Pakistan.

The meeting ended on a note that a next session would be scheduled soon to conclude the process of evolving a mechanism for ensuring cyber-security.

Riaz Haq said...

Ex-CIA officer arrested after US spy network is exposed in China
It was one of the worst intelligence failures for years

Andrew Buncombe New York @AndrewBuncombe a day ago


Last spring, The New York Times reported that as many as 20 US intelligence assets had been killed by China since 2010, destroying years worth of intelligence efforts in the country. One operative was allegedly shot and killed in front of his colleagues and his body left in the car park of a government building as a warning to others.

US officials described the losses as “one of the worst” intelligence breaches in decades, comparing it to the number of assets lost in the Soviet Union in the 1980s and 1990s, when two prominent US assets worked as double agents for the Soviets. Officials said the breach has destroyed years of network-building within the country.

The arrest of Mr Lee come as China is looking to increasingly spread its international influence – economically, diplomatically and militarily. At the same time, the US, under the America First strategy adopted by Donald Trump, appears to be retreating from many areas, such as the environment and international security, it once led.


A former CIA officer has been arrested and charged as part of an alleged espionage scandal investigators claim resulted in the collapse of the US spying network in China and the deaths or imprisonment of up to 20 agency informants.

Jerry Chun Shing Lee, 53, a naturalised US citizen, was arrested earlier this week after arriving at JFK International Airport in New York. Mr Lee, who currently lives in Hong Kong, appeared in court and was charged with illegally retaining classified records, including names and phone numbers of covert CIA assets.

Mr Lee, who served in the US Army from 1982-86, joined the CIA in 1994 and worked as a case officer trained in covert communications, surveillance detection, and the recruitment and the handling of assets.

“[Mr] Lee began working for the CIA as a case officer in 1994, maintained a Top Secret clearance and signed numerous non-disclosure agreements during his tenure at CIA,” according to a statement released by the US Department of Justice.

The arrest of Mr Lee, who has not offered a plea, is said to have marked the culmination for more than five years of intense counter-espionage operation launched by the FBI. That investigation was established in 2012, two years after the CIA started losing assets in China.

Reports in the US media said investigators were initially unsure whether the agency had been hacked by the Chinese authorities or whether the losses were the result of a mole.

According to an eight-page affidavit, Mr Lee, who left the CIA in 2007 and has been working for a well-known auction house, travelled from Hong Kong to northern Virginia, where he lived from 2012 to 2013 – apparently having been lured there with a fake job offer.

When he flew to Virginia, the FBI obtained a warrant to search Mr Lee’s luggage and hotel room. The court documents say agents found two small books with handwritten notes containing names and numbers of covert CIA employees and locations of covert facilities.

Mr Lee left the US in 2013 after being questioned on five different occasions by FBI agents. He never mentioned his possession of the books containing classified information, say the court documents.

The FBI affidavit makes no allegations of espionage against Mr Lee, only alleging illegal retention of documents. Any conviction on that offence carries a maximum penalty of 10 years in prison.

Riaz Haq said...

Malware allegedly designed by Pakistani hackers has become stronger: experts
GravityRAT, a malware allegedly designed by Pakistani hackers, has recently been updated further and equipped with anti-malware evasion capabilites, Maharashtra cybercrime officials said.

The RAT was first detected by Indian Computer Emergency Response Team, CERT-In, on various computers in 2017. It is designed to infliltrate computers and steal the data of users, and relay the stolen data to Command and Control centres in other countries. The ‘RAT’ in its name stands for Remote Access Trojan, which is a program capable of being controlled remotely and thus difficult to trace.

Mask presence

Maharashtra cybercrime department officials said that the latest update to the program by its developers is part of GravityRAT’s function as an Advanced Persistent Threat (APT), which, once it infiltrates a system, silently evolves and does long-term damage.

“GravityRAT is unlike most malware, which are designed to inflict short term damage. It lies hidden in the system that it takes over and keeps penetrating deeper. According to latest inputs, GravityRAT has now become self aware and is capable of evading several commonly used malware detection techniques,” an officer of the cybercrime unit said.

One such technique is ‘sandboxing’, to isolate malware from critical programs on infected devices and provide an extra layer of security.

“The problem, however, is that malware needs to be detected before it can be sandboxed, and GravityRAT now has the ability to mask its presence. Typically, malware activity is detected by the ‘noise’ it causes inside the Central Processing Unit, but GravityRAT is able to work silently. It can also gauge the temperature of the CPU and ascertain if the device is carrying out high intensity activity, like a malware search, and act to evade detection,” another officer said.

email attachment

Officials said that GravityRAT infiltrates a system in the form of an innocuous looking email attachment, which can be in any format, including MS Word, MS Excel, MS Powerpoint, Adobe Acrobat or even audio and video files.

“The hackers first identify the interests of their targets and then send emails with suitable attachments. Thus a document with ‘share prices’ in the file is sent to those interested in the stock market. Once it is downloaded, it prompts the user to enter a message in a dialogue box, purportedly to prove that the user is not a bot. While the users take this to be a sign of extra security, the action actually initiates the process for the malware to infiltrate the system, triggering several steps that end with GravityRAT sending data to the Command and Control server regularly,” an officer said.

The other concern is that the Command and Control servers are based in several countries. The data is sent in an encrypted format, making it difficult to detect exactly what is leaked.

Riaz Haq said...

Human rights defenders in Pakistan face digital threats, attacks: Amnesty
Ramsha JahangirUpdated May 16, 2018 Facebook Count
Twitter Share
KARACHI: Human rights defenders in Pakistan are under threat from a targeted campaign of digital attacks, which has seen social media accounts hacked and computers and mobile phones infected with spyware, a four-month investigation by Amnesty International revealed.

In a new report released on Tuesday titled ‘Human Rights Under Surveillance: Digital Threats Against Human Rights Defenders in Pakistan’, the human rights watchdog revealed how attackers were using fake online identities and social media profiles to ensnare Pakistani human rights defenders online and mark them out for surveillance and cybercrime.

Take a look: Every second woman rights activist faces serious threats: study

“We uncovered an elaborate network of attackers who are using sophisticated and sinister methods to target human rights activists. Attackers use cleverly designed fake profiles to lure activists and then attack their electronic devices with spyware, exposing them to surveillance and fraud and even compromising their physical safety,” said Sherif Elsayed-Ali, Director of Global Issues at Amnesty International.


HR watchdog calls on authorities to carry out investigation to identify perpetrators

The investigation showed how attackers used fake Facebook and Google login pages to trick their victims into revealing their passwords. “It is already extremely dangerous to be a human rights defender in Pakistan and it is alarming to see how attacks on their work are moving online,” he said.

The report highlighted the case of Diep Saeeda, a prominent civil society activist from Lahore. On December 2, 2017, one of her friends, Raza Mehmood Khan, a peace activist who tried to bring people from India and Pakistan together through activities like letter-writing, was subjected to an enforced disappearance.

Also read: Suspect arrested in Peshawar for giving death threats through social media

Ms Saeeda began publicly calling for Mr Raza’s release, including petitioning the Lahore High Court. Soon after, she began to receive suspicious messages from people claiming to be concerned about Mr Raza’s well-being, the report found.

As per Amnesty International’s investigation, a Facebook user who claimed to be an Afghan woman named Sana Halimi — living in Dubai and working for the UN — repeatedly contacted Ms Saeeda via Facebook Messenger, saying that she had information about Mr Raza. The operator of the profile sent her links to files containing malware called StealthAgent which, if opened, would have infected her mobile devices.

The profile — which the human rights watchdog believed was fake — was also used to trick Ms Saeeda into divulging her email address, to which she started receiving emails infected with a Windows spyware commonly known as Crimson.

Amnesty found that several human rights activists in Pakistan have been targeted in this way, sometimes by people claiming to be human rights activists themselves.

Ms Saeeda also received emails claiming to be from staff of the Punjab chief minister. The emails included false details of a supposed upcoming meeting between the provincial ministry of education and her organisation, the Institute for Peace and Secular Studies. In other cases, the attackers pretended to be students looking for guidance and tuition from Ms Saeeda.

Riaz Haq said...

Stealth Mango & Tangelo Selling your fruits to nation state actors

Lookout Security Intelligence has discovered a set of custom Android and iOS surveillanceware tools we’re respectively calling Stealth Mango and Tangelo. These tools have been part of a highly targeted intelligence gathering campaign we believe is operated by members of the Pakistani military. Our investigation indicates this actor has used these surveillanceware tools to successfully compromise the mobile devices of government officials, members of the military, medical professionals, and civilians. To date, we have observed Stealth Mango being deployed against victims in Pakistan, Afghanistan, India, Iraq, Iran, and the United Arab Emirates. The surveillanceware also retrieved sensitive data from individuals and groups in the United States, Australia, and the United Kingdom. These individuals and groups were not themselves targeted, but interacted with individuals whose devices had been compromised by Stealth Mango or Tangelo. We believe that the threat actor behind Stealth Mango is also behind Op C Major and Transparent Tribe.

Key findings Lookout researchers have identified a new mobile malware family called Stealth Mango. • Our research shows that Stealth Mango is being actively managed by Pakistani based actors that are likely military. • Stealth Mango is being used in targeted surveillance operations against government officials, members of the military, and activists in Pakistan, Afghanistan, India, Iraq, and the United Arab Emirates. • We determined that government officials and civilians from the United States, Australia, the United Kingdom, and Iran had their data indirectly compromised after they interacted with Stealth Mango victims. • The actors behind Stealth Mango typically lure victims via phishing, but they may also have physical access to victims’ devices. • The attacker has multi-platform capabilities. We know of the Android component and there is evidence of an iOS component. The evidence is as follows: • A sample Debian package on attacker infrastructure called Tangelo • EXIF data from exfiltrated content showed data from iPhones • WHOIS information from the attackers show registrations for the following domains: iphonespyingsoftware[.]org, iphonespyingapps[.]org, and iphonespyingapps[.]info We have identified over 15 gigabytes of compromised data on attacker infrastructure. • Exfiltrated content includes call records, audio recordings, device location information, text messages, and photos. • We found attacker infrastructure running the WSO web shell, which provides a third party with complete control over the server. • The actor deploying Stealth Mango appears to have a primarily mobile-focused capability. Stealth Mango and Tangelo appear to have been created by freelance developers with physical presences in Pakistan, India, and the United States. • These individuals belong to the same developer group. • We linked their tooling to several commodity mobile surveillance tools suggesting that they are either sharing code or have engaged with several distinct customers who are being delivered tooling based off similar source code.

Riaz Haq said...

Pakistan’s first-ever Cyber Security Centre launched
Aims to develop tools and technologies to protect cyberspace, sensitive data and local economy from the cyber-attacks

Pakistan government’s Cyber Security Centre has been inaugurated at Air University in Islamabad to deal with cyber security challenges in the digital age.


Faaiz Amir informed that Air University is also commencing a four year BS cyber security programme, which is designed to develop modern cyber security skills and apply them to manage computers, systems, and networks from cyber-attacks. The programme would increase the awareness and knowledge about cyber security in Pakistani students, he added.


Cyber security encompasses technologies, processes and controls that are designed to protect systems, networks and data from cyber attacks. Pakistan’s Cyber Security Centre aims to develop advanced tools and research technologies to protect Pakistan’s cyberspace, sensitive data, and local economy from the cyber-attacks.
The headquarter of the National Centre for Cyber Security will be based at Air University Islamabad with labs at different universities of Pakistan including Bahria University Islamabad, National University of Science and Technology (NUST), Information Technology University Lahore (ITU), Lahore University of Managment Sciences (LUMS), University of Peshawar, University of Engineering and Technology Peshawar, University of Nowshera, Pakistan Institute of Engineering and Applied Sciences (PIEAS), NED University Karachi, University of Engineering and Technology Lahore and University of Engineering and Technology Taxila.
Cyber-attackspose an enormous threat to the national economy, defence and security, National Security Adviser, Nasser Khan Janjua, earlier said.
After repeated calls from experts to secure the cyber space, Pakistan government has finally launched the centre to protect the cyberspace, sensitive data, and local economy from the cyber-attacks.
Last week, country’s National Counter Terrorism Authority (NACTA) also established a cyber security wing on modern lines to evolve cyber security strategies and to meet emerging cyber terrorism threats.

Riaz Haq said...

Journalist Warns Cyber Attacks Present A 'Perfect Weapon' Against Global Order

DAVIES: And tell us about this private cyber investigator Kevin Mandia. There was this building in China where a lot of this activity was going on - and the level of information he was able to get.

SANGER: So the building is near the Shanghai airport. And it's a big, bland, white office tower. And it is the home of Unit 61398, which is a PLA cyber unit.

DAVIES: People Liberation Army - the Chinese Army.

SANGER: The People's Liberation Army Cyber Unit. And the way that people began to understand what was happening was - Mr. Mandia, who ran a company called Mandiant that's since been merged up with FireEye, which he now runs, began to track the attacks that this unit was doing to steal intellectual property in the United States whether it was, you know, F-35 designs or other industrial designs and then turn them over to state-run Chinese firms. The hackers who would come in would sit at their computer terminals, and, unbeknownst to them, Mandiant would turn the cameras on those computers back on. So you could see them working.

And they would come in at like 8:30 in the morning. They would check sports scores. They would send a few notes to their girlfriends. A couple of them would look at a little bit of porn. You know, they would be reading newspaper articles. 9 o'clock would come. They'd start hacking into American sites. Lunchtime, they're back to sending notes to the girlfriends. They're back to checking their sports scores. I mean, it was such an interesting picture of the life of a young Chinese hacker.

DAVIES: David Sanger is a national security correspondent for The New York Times. His book about cyberwarfare is called "The Perfect Weapon." After a break, he'll take us inside the Russian hack of the Democratic National Committee, and we'll talk about President Trump's initiative to curb North Korea's nuclear program. Also, rock critic Ken Tucker reviews Father John Misty's new album. I'm Dave Davies. And this is FRESH AIR.

Riaz Haq said...

Journalist Warns Cyber Attacks Present A 'Perfect Weapon' Against Global Order

DAVIES: Right. I mean, obviously, to conduct the kind of disabling cyberattack that would shut down a lot of a country's infrastructure, you have to have done a lot of work beforehand. I want to be clear about this. Are we saying that we know that there are implants in our power grid which would enable the Russians or someone else to take it down?

SANGER: We know that there are implants in our power grid. Interesting question is, if somebody made use of it, how good would it be at taking it down? And that's why for the electric utility industry and for the financial industry, they've invested a huge amount in redundancy and resilience so that if you lose some set of power plants, you could contain it, route around it and be able to pick up and go on. And you just don't know until things happen how well your adversary has wired your system to take everything down. And as you said, this takes a lot of time. The United States spent years getting inside the Iranian centrifuges at Natanz and even then had to keep working on the software to improve it. The North Koreans, when they went into Sony Pictures in 2014 in retaliation for the release of a really terrible movie called "The Interview" that envisioned the assassination of Kim Jong Un, the same friendly Kim Jong Un we all saw in Singapore the other day - when the North Koreans went in, they went in in early September of 2014. They didn't strike until around Thanksgiving because it took all that time just to map out the interconnections of the electrical system, of the computer system, and when they did strike, it was devastating. They took out 70 percent of Sony's computer servers and hard drives.

DAVIES: OK. In this book, you say that, you know, cyberwarfare is the kind of game-changing innovation that's - you compare it to the introduction of aircraft into warfare in the early 20th century and that we are still figuring out what rules or conventions should apply to it. I want to get to some of that conversation, but let's talk a bit about some of the experience that we've had over the last 10 years. You write that in 2008, a woman at the National Security Agency, Debora Plunkett, discovers something about the classified networks in the Pentagon that's troubling. What did she find?

SANGER: Well, she was overseeing security at the NSA, and somebody came to her with evidence that the Russians - though the U.S. did not announce it was Russians at the time - were deep into something called the SIPRNet, which is basically a classified network by which the Defense Department, some of the intelligence agencies, sometimes the State Department, communicate with each other. And this was a big shock to everybody because they had seen the Russians in unclassified systems before, but here they were deep into a classified system. And the first question was, how'd they get in? And the answer was so simple that it really was a wakeup call. Somebody had distributed little USB keys, you know, the kinds you get at conventions and all those kinds of...

Riaz Haq said...

How #Israel's #Mossad broke into an #Iranian facility and stole half a ton of #nuclear files. Mossad agents broke into a warehouse in an industrial area in #Tehran, had 6 and 1/2 hours to finish the job before the morning shift arrived at 7 A.M. #Iran

An operation by the Mossad earlier this year to steal files relating to Iran's nuclear program was conducted on January 31, according to a report by the New York Times. Mossad operatives broke into a warehouse in an industrial area in Tehran and, according to the report, had six hours and 29 minutes to finish the job before the morning shift arrived at 7 A.M. During this limited time, they disabled the alarms, broke through two doors, burned open dozens of safes and fled the city with the documents.

The agents were carrying blowtorches that burned at some 2,000 degrees Celsius to cut through the safes, according to the Times,. The report suggests that Israel may have had help on the inside, since it says that the Mossad agents knew exactly which safes to break into – leaving many of the others untouched. At the end of the night, the agents fled with half a ton of secret materials, including 50,000 pages and 163 compact discs containing files, videos and plans.

The Iranians began storing the files at the warehouse after signing a landmark 2015 accord on its nuclear program with the United States, European powers, Russia and China. The deal gave the UN nuclear watchdog access to suspected nuclear sites in Iran.

Israel claims that after signing the agreement, the Iranian regime collected files from across the country about the nuclear program, storing them at the warehouse. The warehouse wasn't guarded around the clock so as to not arouse suspicion.

The report was based on briefings Israel gave Western media outlets last week and included details from the stolem documents, which were presented in April by Prime Minister Benjamin Netanyahu in a prime time address.

The report further stated that Israeli officials said Tehran received help for its nuclear program from Pakistan and from other foreign experts.

Another report, from the Washington Post, says that Iran was on the verge of acquiring "key bombmaking technologies" when the program, code-named Project Amad, was halted some 15 years ago.

Riaz Haq said...

Could Offensive #Cyber Capabilities Tip #India and #Pakistan to War? India launched Operation Hangover targeting Pakistan and, in response, Pakistan responded with Operation Arachnophobia, seeking to obtain intelligence from Indian officials @Diplomat_APAC

While both countries are responding to the rise in cyberattacks with national strategies and increased defensive capabilities, we do not know how they will set the rules when it comes to offensive cyber operations. We do know both countries are pursuing cybersecurity to protect against cyberattacks.

India has been establishing national cybersecurity policies to address the rise in persistent cyberattacks. The country is vulnerable to cyberattacks—it was ranked as the second most vulnerable nation-state targeted by cyberattacks in a survey by security company Symantec. As India’s economy has shifted toward information and communications technology (ICT), which includes information technology services, commerce, and banking sectors, there are concerns of cyberespionage and cyberattacks taking place against Indian industries and businesses.

In fact, according to a study commissioned by the High Court of India, cyber-related crimes cost Indian businesses $4 billion in 2013. This has led the government and private sector to increase their efforts to protect these industries. Back in 2013, India unveiled its National Cyber Security policy. This policy outlined measures the government would take in protecting India’s critical infrastructure. However, many critics point out this national policy has done little to curb cyberattacks as there is no way to implement many of its policies.

Pakistan is also on alert, though it does not have a national cybersecurity strategy document, despite efforts in Islamabad to develop a framework that will protect critical institutions from cyberattacks. These efforts have been motivated in part by the Edward Snowden leaks, which detailed the U.S. National Security Agency’s spying on Pakistan and were an inflection point for Pakistani government officials, as they realized they needed to address the gaps in their information security. A national Cyber Security Strategy was presented to the National Assembly, but no headway has been made yet on implementing the proposed actions, which included the creation of a national CERT and an Inter-Services Cyber Command Center that would streamline cyber defense for Pakistan’s Army. Pakistan still does not have an official national cybersecurity strategy.

Both countries’ security postures are transforming slowly to introduce cybersecurity. However, there is still not enough data available on what types of technologies these countries possess and how integrated these technologies are in India and Pakistan’s national security strategies. There are reports that both countries have engaged in offensive cyber operations. Each country has their own cyberespionage division, which siphons critical information from other national-states’ security and intelligence organizations.

India launched Operation Hangover that has targeted Pakistan and, in response, Pakistan spearheaded Operation Arachnophobia, which sought to obtain intelligence from Indian officials. While these operations are well-known, there is still a lack of awareness on how much each country spends on cyber technologies and the types of technologies they are employing. India is one of the largest spenders on military, yet the cybersecurity budget is “inadequate” for the growing cyber threat.

Understanding cyber capabilities is important because they can change geopolitical calculations. For example, the low cost of entry for offensive cyber capabilities benefits less resourced actors, and “offense preference” in cyberspace makes it easier to succeed on offense than at defense.

Riaz Haq said...

#India says a #Pakistani spy used bots to lure 98 #Indian targets in Army, Navy and Air Force, including #BrahMos #Missile Project Engineer, on #Facebook using 'Whisper', 'Gravity Rat' malware. via @timesofindia

A recent investigation revealed how a Pakistani spy on Facebook named Sejal Kapoor hacked into the computers of 98 Indian defence officials since 2015. She was also involved in the leak of classified files of BrahMos missile in 2018.

It has been revealed that the hacker targeted officials from Indian Army, Navy, Air Force, paramilitary forces and state police personnel in Rajasthan, Madhya Pradesh, Uttar Pradesh, and Punjab between 2015 and 2018, reported TOI.

The hacker deceived her targets by sharing pictures and videos using a software malware called "Whisper", which is reported to be connected to a third-party server in a West Asian country.

Sejal's involvement in last year's leakage of sensitive technical information to Pakistan was also established in the recent investigation.

In 2018, an engineer working at the BrahMos Aerospace Private Limited, Nishant Agarwal, was arrested for providing technical information on BrahMos missiles to Pakistan in a joint operation by the Uttar Pradesh and Maharashtra Anti-Terrorism Squad (ATS) as well as the Military Intelligence (MI).

It was then revealed that Agarwal exchanged sensitive information to Pakistan spy agency Inter-Services Intelligence (ISI) based on evidence found on his personal computer and Facebook chat records.

Apart from the "Whisper" application, another software that the spy used was "Gravity Rat." The Indian intelligence agencies say that both the software use "self-aware" detection techniques as well as VPN hiding mechanism that enables a hacker to use around 25 internet addresses. The complex malware technology is stated to not be easily identified by anti-malware software.

The five dozen chats recently uncovered by intelligence agency revealed that Sejal would "force install" the Whisper app on computers of the targeted officials, reported TOI.

"Instantly, after getting downloaded, the malware first prompts the user to key in a code. It's to ensure that the app is not a virus or malware. Immediately after that, it scans all latest attachments sent from the computer in emails or downloads. It then scans all files with photographs, databases of MS Word and MS Excel, by first verifying their encryption keys and then opening their passwords," said a senior intelligence officer, reported TOI.

According to Sejal's Facebook profile, the hacker is an employer of a company called "Growth Company" in Manchester, the UK. Experts have claimed that such cases of armed force officials "honey-trapped" into sharing classified information are a threat to India's national security.

Last year, a Border Security Force (BSF) soldier was arrested by Uttar Pradesh ATS on September 18 for sharing key information about the unit's operations to a female Pakistan ISI agent, who claimed to be a defence reporter.

Riaz Haq said...

Mysterious Explosion and Fire Damage #Iranian Nuclear Enrichment Facility Building New Advanced Centrifuges. A decade ago, the #UnitedStates and #Israel used #Stuxnet worm in operation code-named “Olympic Games" which destroyed 1,000 #Iranian centrifuges.

A fire ripped through a building at Iran’s main nuclear-fuel production site early Thursday, causing extensive damage to what appeared to be a factory where the country has boasted of producing a new generation of centrifuges. The United States has repeatedly warned that such machinery could speed Tehran’s path to building nuclear weapons.

The Atomic Energy Agency of Iran acknowledged an “incident” at the desert site, but did not term it sabotage. It released a photograph showing what seemed to be destruction from a major explosion that ripped doors from their hinges and caused the roof to collapse. Parts of the building, which was recently inaugurated, were blackened by fire.

But it was not clear how much damage was done underground, where video released by the Iranian government last year suggested most of the assembly work is conducted on next-generation centrifuges — the machines that purify uranium.

The fire took place inside the nuclear complex at Natanz, where the Iranian desert gives way to barbed wire, antiaircraft guns and an industrial maze. The damaged building is adjacent to the underground fuel production facilities where, a decade ago, the United States and Israel conducted the most sophisticated cyberattack in modern history, code-named “Olympic Games.” That attack, which lasted for several years, altered the computer code of Iran’s industrial equipment and destroyed roughly 1,000 centrifuges, setting back Iran’s nuclear program for a year or more.

The early evidence strongly suggested on Thursday the damage was in fact sabotage, though the possibility remained that it was the result of an industrial accident.

The timing was suspicious: A series of unexplained fires have broken out in recent days at other facilities related to the nuclear program. Still, experts noted that if the explosion was deliberately set, it showed none of the stealth and secrecy surrounding the complex cyberattacks by the United States and Israel that were first ordered by President George W. Bush toward the end of his term, and then extended by President Barack Obama.

The Persian language service of the BBC reported that several members of its staff received an email from a previously unknown group, which referred to itself as the Homeland Cheetahs, before news of the fire became public. The group claimed responsibility and said it was composed of dissidents in Iran’s military and security apparatus. They said the attack would target above-ground sections of the targeted facilities so that the Iranian government could not cover up the damage.

There was no way to confirm if Homeland Cheetahs was a real group, and if so whether it was domestic, as it claimed, or supported by a foreign power.

A Middle Eastern intelligence official, who would not be quoted by name because he was discussing closely held information, said the blast was caused by an explosive device planted inside the facility. The explosion, he said, destroyed much of the aboveground parts of the facility where new centrifuges — delicate devices that spin at supersonic speeds — are balanced before they are put into operation.

Riaz Haq said...

Pakistan has established #Cyber Forensic Laboratory at NUST, and the #Computer Emergency Response Team (PAK-CERT). #Pakistan has made major progress in #Nuclear ‘Security and Control Measures’ category with an incredible (+25) points.

Among countries with weapons-usable nuclear materials, Australia for the third time has been ranked at the first position in the sabotage ranking and for the fifth time for its security practices. Likewise, New Zealand and Sweden stand first in the ranking for countries without materials. It is very pertinent to highlight here that Pakistan’s commitment towards nuclear safety and security, has also been duly acknowledged. In this regard, since Pakistan has adopted new on-site physical protection and cyber security regulations, it has been appreciated in the index. This would likely further improve Pakistan’s existing insider threat prevention measures. Nevertheless, the 2020 NTI report has ranked Pakistan among the countries that have nuclear materials but its adherence to nuclear safety and security has been vindicated.

It is worth mentioning here that in the theft ranking for countries with nuclear materials, Pakistan has improved its ranking by an overall score of 7 points. In this regard, Pakistan has made major progress in the ‘Security and Control Measures’ category with an incredible (+25) points based on the new regulations. Also, Pakistan has improved in the Global Norms category with (+1) points. The strengthened laws and regulations have provided sustainable security benefits and resulted in improving Pakistan’s overall score. Moreover, Pakistan’s improvement in the Security and Control Measures category is quite significant. Over time, by improving +8 points in 2014, +2 points in 2016, and +6 points in 2018, Pakistan has steadily improved in the Security and Control Measures category. Owing to new regulations for on-site physical protection its score has improved since 2014. Whereas since 2018; the insider threat protection has also improved. When the report was first launched in 2012, since then Pakistan, unlike other states has improved its score in the security and control measure category with 25 points. This is an incredible improvement as it is the second-largest improvement among the related states.

At the national level, Pakistan has taken various initiatives including; the establishment of Cyber Forensic Laboratory at the National University of Science and Technology (NUST), and the Computer Emergency Response Team (PAK-CERT) to deal with cyber-related threats. Furthermore, the National Centre for Cyber Security at the Air University also aims at making cyberspace of Pakistan more secure. It has affiliated Research and Development Laboratories working on projects related to network security systems and smart devices. To maintain such a status, in the longer term, Pakistan needs to further expand the scope of its existing national cyber policy framework. This would enhance Pakistan’s capabilities to tackle cyber threats to nuclear security in a more efficient way.

Hence, the emergence of cyber threats to nuclear security both at the regional and the global levels needs to be addressed with greater cooperation among the states. Likewise, it is also essential to address the human factor for cyber security when insiders could unwittingly introduce or exacerbate cyber vulnerabilities. Pakistan needs to further enhance the role and increase the capacity of its specialized cyber workforce. In this regard, if required, the number of highly skilled technical staff may be increased keeping view of the emergent cyber threats to the nuclear facilities.

Riaz Haq said...

Rank 2019

Rank 2020 Country Score 2019 Score 2020 % of Mobiles Infected with Malware Financial Malware Attacks (% of Users) % of Computers Infected with Malware % of Telnet Attacks by Originating Country (IoT) % of Attacks by Cryptominers Best Prepared for Cyberattacks Most Up-to-Date Legislation
1 1 Algeria 55.75 48.99 26.47 0.5 19.75 0.07 1.27 0.262 1
- 1 Tajikistan - 48.54 2.62 1.4 8.12 0.01 7.90 0.263 2
- 3 Turkmenistan - 48.39 4.89 1.1 5.84 0 7.79 0.115 2
- 4 Syria - 44.51 10.15 1.2 13.99 0.01 1.36 0.237 1
9 5 Iran 43.29 43.48 52.68 0.8 7.21 3.31 1.43 0.641 2
8 6 Belarus 45.09 41.64 2.10 2.9 13.34 0.05 2.35 0.578 3
6 7 Bangladesh 47.21 40.36 30.94 0.8 16.46 0.38 1.91 0.525 3.5
7 8 Pakistan 47.10 40.33 28.13 0.8 9.96 0.37 2.41 0.407 2.5
5 9 Uzbekistan 50.50 39.41 4.14 2.1 10.5 0.02 4.99 0.666 3
According to our study, Algeria is still the least cyber-secure country in the world despite its score improving slightly. With no new legislation (as was the same with all countries), it is still the country with the poorest legislation (only one piece of legislation — concerning privacy — is in place). It also scored poorly for computer malware infection rates (19.75%) and its preparation for cyberattacks (0.262). Nevertheless, only its score for lack of preparation that worsened over the last year (and its score for legislation which couldn’t get any worse). In all of the other categories, attacks declined, as was the common trend for most countries.

Other high-ranking countries were Tajikistan, Turkmenistan, Syria, and Iran, which took over from last year’s Indonesia, Vietnam, Tanzania, and Uzbekistan.

The highest-scoring countries per category were:

Highest percentage of mobile malware infections – Iran – 52.68% of users
Highest number of financial malware attacks – Belarus – 2.9% of users
Highest percent of computer malware infections – Tunisia – 23.26% of users
Highest percentage of telnet attacks (by originating country) – China – 13.78%
Highest percentage of attacks by cryptominers – Tajikistan – 7.9% of users
Least prepared for cyber attacks – Turkmenistan – 0.115
Worst up-to-date legislation for cybersecurity – Algeria – 1 key category covered
Apart from Algeria, China was the only country that stayed at the top of one of these lists – all of the other countries are new since last year.

Riaz Haq said...

Experts are unanimous in saying that the most important target of #Indian #cyber-#espionage & #cyberattacks by far is #Pakistan. Limited employment prospects of Indian techies have created a swarm of underground threat actors in #India| The Daily Swig

Morgan Wright, chief security advisor at SentinelOne and former US State Department special advisor, told The Daily Swig: “India’s growing offensive capability is still immature compared to China, North Korea, Russia, Israel, the UK and US. However, there is no shortage of people with advanced technical skills in India.”

With Covid-19 causing significant unemployment in India, it can be “safely assumed a portion of people with these skills will engage in cybercrime”, according to Wright.

“Ironically, tactics learned in committing cybercrime will be of value to the intelligence and military establishment in India as they develop and grow units to engage in cyber warfare and espionage,” he said.

India security

Assaf Dahan, senior director and head of threat research at Cybereason, told The Daily Swig: “The level of sophistication of the activity groups affiliated with India can vary; some groups have shown a high level of sophistication and use of advanced custom-built tools or advanced exploits, while others exhibited significantly less sophisticated capabilities.

“Sometimes a group might exhibit different levels of sophistication on different operations, based on the group’s needs and reasoning,” he added.

Dahan concluded: “Another point to remember: the level of sophistication isn’t always correlated with the success rate of the group’s operation or goals. Sometimes, simple social engineering attacks delivering a known commodity malware can be enough to get the threat actors what they want.”

What examples are there of Indian APT groups?
Recent attacks by Indian hacker groups:

The highly active cyber-espionage entity known as SideWinder has been plaguing governments and enterprises since 2012. A recently released report by AT&T Alien Labs shows most of SideWinder’s activity is heavily focused on South Asia and East Asia, with the group likely supporting Indian political interests.
The allegedly Indian state-sponsored group Dropping Elephant has been known to target the Chinese government via spear-phishing and watering hole attacks.
Viceroy Tiger has been known to use weaponised Microsoft Office documents in spear-phishing campaigns. Security researchers at Lookout recently went public with research on mobile malware attributed to the threat actors and rated as medium sophistication.

The level of direct Indian government involvement in some of these operations is contested.
Cybereason’s Dahan cautioned: “The line between ‘state operated’ or ‘state ordered’ can be rather fine, so it’s not always easy to link certain operations directly to an official government or military institution, especially due to the growing popularity of cyber mercenaries (hackers-for-hire).”

How might India expand its cyber warfare capabilities and defences?
Through an emerging initiative to provide technology education to 400,000 low-income students, India will significantly increase its cyber “bench strength”, according to Mike Hamilton, former CISO for the City of Seattle and co-founder and CISO of cybersecurity firm CI Security.

Hamilton predicted that a “cybercrime population will emerge [in India] and differentiate itself from nationalist motivations”.

Other experts reckon the flow of talent will run the other way and allow Indian to expand its cyber-espionage capabilities from the cohorts of cybercriminals.

Riaz Haq said...

#China Appears to Warn #India : Push Too Hard and the Lights Could Go Out in the Entire #SouthAsian Nation of 1.3 billion. Most of the #malware was never activated in the #Mumbai grid attack that was meant as a warning to #Modi. - The New York Times

As border skirmishing increased last year, malware began to flow into the Indian electric grid, a new study shows, and a blackout hit Mumbai. It now looks like a warning.

Early last summer, Chinese and Indian troops clashed in a surprise border battle in the remote Galwan Valley, bashing each other to death with rocks and clubs.

Four months later and more than 1,500 miles away in Mumbai, India, trains shut down and the stock market closed as the power went out in a city of 20 million people. Hospitals had to switch to emergency generators to keep ventilators running amid a coronavirus outbreak that was among India’s worst.

Now, a new study lends weight to the idea that those two events may well have been connected — as part of a broad Chinese cybercampaign against India’s power grid, timed to send a message that if India pressed its claims too hard, the lights could go out across the country.

The study shows that as the standoff continued in the Himalayas, taking at least two dozen lives, Chinese malware was flowing into the control systems that manage electric supply across India, along with a high-voltage transmission substation and a coal-fired power plant.

The flow of malware was pieced together by Recorded Future, a Somerville, Mass., company that studies the use of the internet by state actors. It found that most of the malware was never activated. And because Recorded Future could not get inside India’s power systems, it could not examine the details of the code itself, which was placed in strategic power-distribution systems across the country. While it has notified Indian authorities, so far they are not reporting what they have found.

Stuart Solomon, Recorded Future’s chief operating officer, said that the Chinese state-sponsored group, which the firm named Red Echo, “has been seen to systematically utilize advanced cyberintrusion techniques to quietly gain a foothold in nearly a dozen critical nodes across the Indian power generation and transmission infrastructure.”

The discovery raises the question about whether an outage that struck on Oct. 13 in Mumbai, one of the country’s busiest business hubs, was meant as a message from Beijing about what might happen if India pushed its border claims too vigorously.

News reports at the time quoted Indian officials as saying that the cause was a Chinese-origin cyberattack on a nearby electricity load-management center. Authorities began a formal investigation, which is due to report in the coming weeks. Since then, Indian officials have gone silent about the Chinese code, whether it set off the Mumbai blackout and the evidence provided to them by Recorded Future that many elements of the nation’s electric grid were the target of a sophisticated Chinese hacking effort.

It is possible the Indians are still searching for the code. But acknowledging its insertion, one former Indian diplomat noted, could complicate the diplomacy in recent days between China’s foreign minister, Wang Yi, and his Indian counterpart, Subrahmanyam Jaishankar, in an effort to ease the border tensions.

Riaz Haq said...

#India Suspects #China May Be Behind Major #Mumbai Blackout. Officials are investigating whether #cyberattacks from China could have caused the #power outage, an assertion that China rejects. #Modi #Ladakh

Indian officials are investigating whether cyberattacks from China could have been behind a blackout in Mumbai last year.

State officials in Maharashtra, of which Mumbai is the capital, said Monday that an initial investigation by its cyber department found evidence that China could have been behind a power outage that left millions without power in October.

It was the worst blackout in decades in India’s financial capital, stopping trains and prompting hospitals to switch to diesel powered generators. The megacity has long prided itself on being one of the few cities in India with uninterrupted power supply even as most of the country struggles with regular blackouts.

Anil Deshmukh, home minister of the state, said officials were investigating a possible connection between the blackout and a surge in cyberattacks on the servers of the state power utilities. He wouldn’t single out China, but said investigators had found evidence of more than a dozen Trojan horse attacks as well as suspicious data transfers into the servers of state power companies.

“There were attempts to login to our servers from foreign land,” said Mr. Deshmukh. “We will investigate further.”

Another state official said 8GB of unaccounted for data slipped into power company servers from China and four other countries between June and October. The official cited thousands of attempts by blacklisted IP addresses to access the servers.

State-sponsored hackers increasingly target critical infrastructure such as power grids instead of specific institutions, said Amit Dubey, a cybersecurity expert at Root64 Foundation, which conducts cybercrime investigations.

“Anything and everything is dependent on power,” Mr. Dubey said. Targeting power supply, he said, can “take down hundreds of plants or day-to-day services like trains.”

Mr. Dubey said many countries such as China, Russia and Iran are deploying state-sponsored hackers to target the power grids of other nations. Russian hackers succeeded in turning off the power in many parts of Ukraine’s capital a few years ago, he said, and have also attacked critical infrastructure in the U.S. in recent years.

India’s announcement came after U.S. cybersecurity firm Recorded Future on Sunday published a report outlining what it said were attacks from close to a China-linked group it identified as RedEcho. It cited a surge in attacks targeting India’s power infrastructure.

The report said the attacks could have been a reaction to the jump in border tension between the two countries. During a military skirmish in June, India said 20 Indian soldiers were killed and China said four Chinese soldiers were killed when soldiers fought with rocks, batons and clubs wrapped in barbed wire.

In response to the Recorded Future report, which was earlier reported by the New York Times, China said it doesn’t support cyberattacks.

“It is highly irresponsible to accuse a particular party when there is no sufficient evidence around,” Wang Wenbin, spokesman for China’s Ministry of Foreign Affairs said in a briefing Monday. “China is firmly opposed to such irresponsible and ill-intentioned practice.

Recorded Future said it couldn’t directly connect the attacks to the Mumbai blackout because it doesn’t have access to any hardware that might have been infected.

India’s Ministry of Power said it has dealt with the threats outlined in the Recorded Future report by strengthening its firewall, blocking IP addresses and using antivirus software to scan and clean its systems software.

Riaz Haq said...

IISS: Cyber Capabilities and National Power: A Net Assessment


India has frequently been the victim of cyber attacks, including on its critical infrastructure, and has attributed a significant proportion of them to China or Pakistan. CERT-In reported, for example, that there were more than 394,499 incidents in 2019,44 and 2020 saw an upsurge in attacks from China.45 Of particular concern to the Indian government are cyber attacks by North Korea that use Chinese digital infrastructure.46 The vast major- ity of the cyber incidents flagged by CERT-In appear to have been attempts at espionage,47 but they could also have resulted in serious damage to the integrity of
Indian networks and platforms. In 2020, India had the second-highest incidence of ransomware attacks in the world48 and the government banned 117 Chinese mobile applications because of security concerns.49

Public statements by Indian officials and other open- source material indicate that India has developed rela- tively advanced offensive cyber capabilities focused on Pakistan. It is now in the process of expanding these capabilities for wider effect.
India reportedly considered a cyber response against Pakistan in the aftermath of the November 2008 terror- ist attacks in Mumbai, with the NTRO apparently at the forefront of deliberations.67 A former national security advisor has since indicated publicly that India pos- sesses considerable capacity to conduct cyber-sabotage operations against Pakistan,68 which appears credible

Overall, India’s focus on Pakistan will have given it useful operational experience and some viable regional offensive cyber capabilities. It will need to expand its cyber-intelligence reach to be able to deliver sophisti- cated offensive effect further afield, but its close collab- oration with international partners, especially the US, will help it in that regard.

Raj Chengappa and Sandeep Unnithan, ‘How to Punish Pakistan’, India Today, 22 September 2016, https://www. attack-narendra-modi-pakistan-terror-kashmir-nawaz-sharif- india-vajpayee-829603-2016-09-22.

Riaz Haq said...

Pakistan-linked hackers targeted Indian power company with ReverseRat

A threat actor with suspected ties to Pakistan has been striking government and energy organizations in the South and Central Asia regions to deploy a remote access trojan on compromised Windows systems, according to new research.

"Most of the organizations that exhibited signs of compromise were in India, and a small number were in Afghanistan," Lumen's Black Lotus Labs said in a Tuesday analysis. "The potentially compromised victims aligned with the government and power utility verticals."

Some of the victims include a foreign government organization, a power transmission organization, and a power generation and transmission organization. The covert operation is said to have begun at least in January 2021.

The intrusions are notable for a number of reasons, not least because in addition to its highly-targeted nature, the tactics, techniques, and procedures (TTPs) adopted by the adversary rely on repurposed open-source code and the use of compromised domains in the same country as the targeted entity to host their malicious files.

At the same time, the group has been careful to hide their activity by modifying the registry keys, granting them the ability to surreptitiously maintain persistence on the target device without attracting attention.

Explaining the multi-step infection chain, Lumen noted the campaign "resulted in the victim downloading two agents; one resided in-memory, while the second was side-loaded, granting threat actor persistence on the infected workstations."

The attack commences with a malicious link sent via phishing emails or messages that, when clicked, downloads a ZIP archive file containing a Microsoft shortcut file (.lnk) and a decoy PDF file from a compromised domain.

The shortcut file, besides displaying the benign document to the unsuspecting recipient, also takes care of stealthily fetching and running an HTA (HTML application) file from the same compromised website.

The lure documents largely describe events catering to India, disguising as a user manual for registering and booking an appointment for COVID-19 vaccine through the CoWIN online portal, while a few others masquerade as the Bombay Sappers, a regiment of the Corps of Engineers of the Indian Army.

Riaz Haq said...

India’s Gandhi and Pakistan’s Khan tapped as targets in Israeli NSO spyware scandal - Tech News -

Prominent Indian politician Rahul Gandhi and Pakistani Prime Minister Imran Khan were selected as potential targets of the Israeli-made Pegasus spyware program by clients of the NSO Group cyberespionage firm, a global investigation can reveal Monday.

Additional potential targets included Pakistani officials, including a number once associated with Pakistani leader Khan. They also included Kashmiri separatists, leading Tibetan religious figures and even an Indian supreme court judge. Khan did not respond to a request for comment from the Washington Post.

Gandhi, who said he changes phones every few months to avoid being hacked, said in response: “Targeted surveillance of the type you describe, whether in regard to me, other leaders of the opposition or indeed any law-abiding citizen of India, is illegal and deplorable.

According to an analysis of the Pegasus Project records, more than 180 journalists were selected in 21 countries by at least 12 NSO clients. The potential targets and clients hail from Bahrain, Morocco, Saudi Arabia, India, Mexico, Hungary, Azerbaijan, Togo and Rwanda.


India is Israel’s biggest arms market, buying around $1 billion worth of weapons every year, according to Reuters. The two countries have grown closer since Modi became Indian prime minister in 2014, widening commercial cooperation beyond their longstanding defense ties. Modi became the first sitting Indian leader to visit Israel in July 2017, while former Prime Minister Benjamin Netanyahu held a state visit to India at the start of 2018

Riaz Haq said...

Facebook says hackers in Pakistan targeted Afghan users amid government collapse

Hackers from Pakistan used Facebook to target people in Afghanistan with connections to the previous government during the Taliban's takeover of the country, the company's threat investigators said in an interview with Reuters.

Facebook (FB.O) said the group, known in the security industry as SideCopy, shared links to websites hosting malware which could surveil people's devices. Targets included people connected to the government, military and law enforcement in Kabul, it said. Facebook said it removed SideCopy from its platform in August.

The social media company, which recently changed its name to Meta, said the group created fictitious personas of young women as "romantic lures" to build trust and trick targets into clicking phishing links or downloading malicious chat apps. It also compromised legitimate websites to manipulate people into giving up their Facebook credentials.

"It's always difficult for us to speculate as to the end goal of the threat actor," said Facebook's head of cyber espionage investigations, Mike Dvilyanski. "We don't know exactly who was compromised or what the end result of that was."

Major online platforms and email providers including Facebook, Twitter Inc (TWTR.N), Alphabet Inc's (GOOGL.O) Google and Microsoft Corp's (MSFT.O) LinkedIn have said they took steps to lock down Afghan users' accounts during the Taliban's swift takeover of the country this past summer. read more

Facebook said it had not previously disclosed the hacking campaign, which it said ramped up between April and August, due to safety concerns about its employees in the country and the need for more work to investigate the network. It said it shared information with the U.S. State Department at the time it took down the operation, which it said had appeared "well-resourced and persistent."

Riaz Haq said...

Mr. Modi has used the Israeli spyware to not only spy on his critics at home but also his perceived enemies abroad. Pakistani Prime Minister Imran Khan is among the most prominent targets of the Modi government's cyber attacks, according to a recently released Project Pegasus report. The Indian government has neither confirmed nor denied the report. The focus of the report is the use of the Israeli-made spyware by about a dozen governments to target politicians, journalists and activists. The users of the Pegasus software include governments of Bahrain, Morocco, Saudi Arabia, India, Mexico, Hungary, Azerbaijan, Togo and Rwanda.

Riaz Haq said...

National Center for Cyber Security For Cyber Threats
Becoming an anonymous personality is a super easy task in the online space. All that one needs to do is hide the IP. The IP address makes it easier to trace online activities. You can find your IP address on What Is My IP. However, just because cyber threats exist, it does not mean one can prevent oneself from engaging in online activities. With proper digital hygiene along with government efforts, a country can mitigate cyber threats.

In 2018, the Government of Pakistan established the National Centre for Cyber Security or NCCS. It was a joint initiative of the Planning Commission and Higher Education Commission. The body currently works in cybercrime forensics, smart devices, and network security.

New ways of committing cyber crimes are emerging with each passing year. Therefore, research and development are critical in fighting different cyber crimes. It is where the role of the National Center for Cyber Security comes in. NCCS deals with both applied and theoretical areas for fighting cybercrime.

It is known for its research on areas like Cyber Reconnaissance, Cybercrime Investigations, Blockchain Security, Digital Forensics, IoT Security, Intrusion Detection Systems, Mobile Phone Security, Internet Security and Privacy, Critical Infrastructure Security and Malware Analysis.

Cyber Security Policy Of Pakistan Is Evolving
In addition to bodies like NCCS, it is also important to have a solid cybersecurity policy. The Government of Pakistan recently approved a new cybersecurity policy to fight electronic crime. The policy will prove to be helpful for both the public and private institutions in fighting cybercrime. The policy will birth a secure cyber ecosystem in the country with the help of new governance and institutional framework. It will additionally support a computer emergency response team and a security operations centre at the institutional, sector and national level.

Further, the Government of Pakistan will work on improving general awareness of cyber security amongst the passes through public awareness campaigns, skill development and training programs.

Why Is Cyber Security Knowledge Important?
Security awareness is important in all sectors, including the domain of cyber security too. The interconnected system is essential to survive in the current digitised world. However, it comes with a risk a cyber security knowledge can mitigate. Without proper cyber security knowledge, it is easy to fall prey to online crime. The result will be that people will start losing their trust in the digital world, which can prove dangerous for any country in the digital age of digitisation.

Further, it is not enough to ensure the technology and infrastructure required to support it. Government should inform the people about the risks and help them fight it. Only through these methods can a country lay a strong foundation for further digitisation of the country.

Pakistan’s ranking on the Global CyberSecurity Index is disappointing. Therefore, the newly brought cyber security policy was a much-needed change to improve its ranking in future studies. With strong cyber security laws, Pakistan can promote easy socio-economic development. Thankfully, the Government of Pakistan is working towards it. For instance, a cyberattack on any Pakistan institution under the new policy will be considered an act of aggression against national sovereignty. The government will take all the necessary steps to punish the offender for dealing with it.

Riaz Haq said...

Ignite Conducts Karachi Qualifier Round of Digital Pakistan Cybersecurity Hackathon 2022

Ignite National Technology Fund, a public sector company with the Ministry of IT & Telecom, conducted the qualifier round of Digital Pakistan Cybersecurity Hackathon 2022 in Karachi on 1st December 2022 after conducting qualifier rounds at Quetta and Lahore.

The Cybersecurity Hackathon aims to improve the cybersecurity readiness, protection, and incident response capabilities of the country by conducting cyber drills at a national level and identifying cybersecurity talent for public and private sector organizations.

Dr. Zain ul Abdin, General Manager Ignite, stated that Ignite was excited about organizing Pakistan’s 2nd nationwide cybersecurity hackathon in five cities this year. The purpose of the Cyber Security Hackathon 2022 is to train and prepare cyber security experts in Pakistan, he said.

Speaking on the occasion, Asim Shahryar Husain, CEO Ignite, said, “The goal of the cybersecurity hackathon is to create awareness about the rising importance of cybersecurity for Pakistan and also to identify and motivate cybersecurity talent which can be hired by public and private sector organizations to secure their networks from cyberattacks.”

“There is a shortage of 3-4 million cybersecurity professionals globally. So this is a good opportunity for Pakistan to build capacity of its IT graduates in cybersecurity so that they can boost our IT exports in future,” he added.

Chief guest, Mohsin Mushtaq, Additional Secretary (Incharge) IT & Telecommunication, said, “Digital Pakistan Cybersecurity Hackathon is a step towards harnessing the national talent to form a national cybersecurity response team.”

“Ignite will continue to hold such competitions every year to identify new talent. I would like to congratulate CEO Ignite and his team for holding such a marathon competition across Pakistan to motivate cybersecurity students and professionals all over the country,” he added.

Top cybersecurity experts were invited for keynote talks during the occasion including Moataz Salah, CEO Cyber Talents, Egypt, and Mehzad Sahar, Group Head InfoSec Engro Corp, who delivered the keynote address on Smart InfoSec Strategy.

Panelists from industry, academia, and MoITT officials participated in two panel discussions on “Cyber Threats and Protection Approaches” and “Indigenous Capability & Emerging Technologies” during the event.

The event also included a cybersecurity quiz competition in which 17 teams participated from different universities. The top three teams in the competition were awarded certificates.

41 teams competed from Karachi in the Digital Pakistan Cybersecurity Hackathon 2022.

The top three teams shortlisted after the eight-hour hackathon were: “Team Control” (Winner); “Revolt” (1st Runner-up); and “ASD” (2nd Runner-up).

These top teams will now compete in the final round of the hackathon in Islamabad later this month.

Riaz Haq said...

Pakistan-linked Malware Campaign Evolves to Target Windows, Android, and macOS

Threat actors with ties to Pakistan have been linked to a long-running malware campaign dubbed Operation Celestial Force since at least 2018.

The activity, still ongoing, entails the use of an Android malware called GravityRAT and a Windows-based malware loader codenamed HeavyLift, according to Cisco Talos, which are administered using another standalone tool referred to as GravityAdmin.

The cybersecurity attributed the intrusion to an adversary it tracks under the moniker Cosmic Leopard (aka SpaceCobra), which it said exhibits some level of tactical overlap with Transparent Tribe.

"Operation Celestial Force has been active since at least 2018 and continues to operate today — increasingly utilizing an expanding and evolving malware suite — indicating that the operation has likely seen a high degree of success targeting users in the Indian subcontinent," security researchers Asheer Malhotra and Vitor Ventura said in a technical report shared with The Hacker News.

GravityRAT first came to light in 2018 as a Windows malware targeting Indian entities via spear-phishing emails, boasting of an ever-evolving set of features to harvest sensitive information from compromised hosts. Since then, the malware has been ported to work on Android and macOS operating systems, turning it into a multi-platform tool.

Subsequent findings from Meta and ESET last year uncovered continued use of the Android version of GravityRAT to target military personnel in India and among the Pakistan Air Force by masquerading it as cloud storage, entertainment, and chat apps.

Cisco Talos' findings bring all these disparate-but-related activities under a common umbrella, driven by evidence that points to the threat actor's use of GravityAdmin to orchestrate these attacks.

Cosmic Leopard has been predominantly observed employing spear-phishing and social engineering to establish trust with prospective targets, before sending them a link to a malicious site that instructs them to download a seemingly innocuous program that drops GravityRAT or HeavyLift depending on the operating system used.

GravityRAT is said to have been put to use as early as 2016. GravityAdmin, on the other hand, is a binary used to commandeer infected systems since at least August 2021 by establishing connections with GravityRAT and HeavyLift's command-and-control (C2) servers.