Exclusive: Indian Intelligence Infiltrated US Government Networks

Tuesday, January 10, 2012

Anthony M. Freed

6d117b57d55f63febe392e40a478011f

Update: Symantec Hacked in 2006? Claim Raises More Questions

Symantec now claims that the company's own networks were in fact breached back in 2006, leading to the loss of proprietary product data: "...an investigation into the matter had revealed that the company's networks had indeed been compromised"...

*   *   *

Update:  Hacker to Release Symantec's PCAnywhere Source Code

"YamaTough, spokesperson for the hacktivist group “The Lords of Dharmaraja”, informed Infosec Island of plans to release source code for Symantec's PCAnywhere. The release is to be made prior to the threatened exposure of the full source code for the Norton antivirus..."

*   *   *

Update: Exclusive: Interview With Hacker YamaTough

*   *   *

The hacktivist responsible for exposing the source code for a leading antivirus product, as well as posting documents that showed the United States-China Economic and Security Review Commission (USCC) was possibly breached, has provided Infosec Island with evidence that Indian government operatives have successfully infiltrated other sensitive US government networks.

The saga began late last week when a hacktivist going by the handle “YamaTough” provided Infosec Island with a file alleged to contain the source code for Symantec’s Norton antivirus (NAV), which Symantec later confirmed was for older versions of the software dating from 2006.

The hacktivist claims the information was obtained from servers owned and operated by various ministries of the Indian government.

The news was quickly followed by reports on the posting of documents that appear to be from India’s Directorate General of Military Intelligence which refer to a program dubbed “RINOA SUR”, short for “RIM, Nokia and Apple” and “surveillance”.

The posted documents, which have not been confirmed as authentic by the Indian government, indicate that the mobile device producers may have voluntarily provided product information required for the development of backdoors that could be used for surveillance purposes in exchange for granting the companies access to the growing Indian marketplace.

Symantec has since denied providing the Indian government with the NAV source code, and both Apple and RIM have likewise denied any cooperation with Indian agencies, according to reports. Nokia has so far declined to comment on the allegations.

One of the alleged targets of the Indian intelligence operations is reported to have been the US-China Economic and Security Review Commission (USCC), created in the year 2000 to monitor, investigate, and submit to Congress an annual report on the national security implications of the bilateral trade and economic relationship between the United States and the People’s Republic of China,” according to the organization’s website.

Each of these events individually could be considered of great importance from a security standpoint, and together they paint a picture of an overzealous Indian intelligence apparatus that provides a legitimate reason for concern by the US government.

Now YamaTough has provided potentially damning evidence that the Indian government is actively engaged in espionage efforts targeting not only the USCC, but potentially thousands of US government networks, ranging from those of federal agencies to systems used by state and municipal entities.

Infosec Island received what was described as merely a “sample”of what the group “The Lords of Dharmaraja” claim to have in their possession.

The data included sixty-eight sets of usernames and passwords for compromised US government network accounts which were said to have been acquired by hacking multiple servers belonging to India’s Ministry of External affairs (mea.gov.in) and the National Informatics Centre (nic.in), amongst others.

In the best interest of the federal, state and local municipalities and their constituents, Infosec Island will not publish the compromised account data. We have provided the information to the proper authorities and are fully cooperating with law enforcement, including delaying the publication of this article in an effort to avoid hindering their investigation.

YamaTough has also indicated the group is in possession of data from numerous companies other than Symantec, and they have yet to decide whether or not they will make the information public, though they have stated to Infosec Island that they may be inclined to do so.

As for the group’s motivations, YamaTough told Infosec Island that “The Lords of Dharmaraja” seek to undermine the current Indian “regime” in favor of a more solidly “pro-American” alternative, as well as lessening the influence of Indian telecom mogul Sunil Bharti Mittal, chairman and CEO of Bharti Enterprises.

“Our goal is Bharti Mittal go off political arena and stop manipulating our government,” the hacktivist stated.

“…my team is pro US, we fight for rights in our country we are not intentionally harm US companies (sometimes we do hack into since our botnet is worldwide) but we do not steal credit cards and make money of it and we do not do banks etc. Our mission - exposure of the corruption,” YamaTough continued.

“We wanna apologize for harm taken by the Symantec USCC and others, but without them being involved things which do occur in our state would never be covered and taken to the public, sometimes you have to sacrifice in order to achieve... and we do not approve sharing personal data and source codes with foreign governments. We want free and nice India and not police state,” YamaTough proclaimed.

Infosec Island will follow up this article with an exclusive interview with YamaTough that will contain more details of the group’s activities as well as analysis by leading security experts. Stay tuned…

Possibly Related Articles:
25197
Infosec Island Network->General
Federal
Government Symantec Espionage USCC Hacktivist Surveillance hackers Source Code United States India The Lords of Dharmaraja YamaTough RINOA SUR
Post Rating I Like this!
924ce315203c17e05d9e04b59648a942
Richard Stiennon Brilliant and careful reporting Anthony. Congrats. This could shake things up a bit.
1326290613
Default-avatar
Fred Fredburger from SANS:
--Symantec Acknowledges Source Code Accessed
(January 6, 2012)
Symantec has confirmed that attackers have stolen source code for two
of its products. Symantec said that the intrusion occurred on a
third-party's network, and that the code was for older versions of its
security products. One of the affected products has been discontinued.
The compromised code does not affect any of the company's Norton
products. The data thieves have posted portions of the stolen code to
the Internet.
http://www.theregister.co.uk/2012/01/06/symantec_source_code_theft/
http://www.computerworld.com/s/article/9223198/Symantec_confirms_source_code_leak_in_two_enterprise_security_products?taxonomyId=17
http://www.scmagazine.com/symantec-hackers-did-steal-code-but-its-old/article/222219/
http://www.wired.com/threatlevel/2012/01/symantec-source-code-leaked/

so if you believe Symantec and whatever evidence they provided, NO AV PRODUCTS WERE AFFECTED

Might want to mention conflicting information when publishing content. Good research provides good results.
1326292559
6d117b57d55f63febe392e40a478011f
Anthony M. Freed Thanks for the 101 lesson in Google searches Fred. Perhaps a little more research and you would have seen that it was Infosec Island who provided the sample of source code to Symantec for analysis:

https://www.infosecisland.com/blogview/19200-Symantec-Confirms-Norton-AV-Source-Code-Exposed.html

And I doubt that any publicly traded company would run out an announce anything other than "nothing to see here, move along" after an event like this. The expectation of full disclosure in the midst of a crisis is naive at best.
1326293669
Default-avatar
Fred Fredburger That wasn't google 101, that was mailing list 101. #tryharder You may want to work on how you handle the criticism. As for comments, you may also have noticed the "if you believe Symantec" disclaimer, which would indicate I don't personally have 100% faith in Big Yellow, and that I am naive. I see 5 days ago you debated this very topic with Mann, resolved in favor of "no current code", assuming Mann can be believed. And yet no mention of it in the current missive.
1326294621
6f11dfa37d387cd7c2099ebcd00bccdd
Laura Walker Masterful balance of interests, trust and CYA on the tightrope of verifying the hack, coordinating with Symantec and authorities and getting the story out without burning either side.
1326294664
6d117b57d55f63febe392e40a478011f
Anthony M. Freed What does "current code" even mean? I wonder what the likelihood is that all of the NAV code was completely re-written since 2006. It obviously was not between 1998 and 2006 according to the information that has been released. Anyway, the mention of NAV was only as background on the events leading up to this disclosure regarding Indian intel operatives infiltrating US government networks, so it was not meant to be encyclopedic. Laura has a good understanding of what we had to deal with to get even this much of the story out.
1326295226
Default-avatar
Fred Fredburger Alright then, keep at it. Mann's contact inside Big Yellow sounds like a lead...
1326295585
6d117b57d55f63febe392e40a478011f
Anthony M. Freed Thanks Fred - I wish he would follow up on his assertions - mostly I just see rants and insults on his Twitter stream, so not sure if Mann is even a real player.
1326296041
6f11dfa37d387cd7c2099ebcd00bccdd
Laura Walker Restraint on all sides is yielding useful information and an ongoing dialogue. Smacktalk is pointless here. Might as well go lecture Sabu and see where it gets you =)
1326296555
35f16f8d3796f94461a4d91cdacad514
Yama Tougher Who wants symantec story as of now ? Who cares about symantec as of now?
You guys should care not about one corp entity but the whole homeland security and why foreign entity should know how much tax you pay and what clarity are your contact lenses Laura and Fred?
1326302793
0ff0a77035f9569943049ed3e980bb0d
The spying of friendly nation-states against one another is common and expected. We spy on our friends as they spy on us.

The desire by India to target US-Chinese activities is not unusual. The US involvement with the Indian economy and beyond tied to the neighbor status of China present India with a need to understand all such relationships. The real questions for me center upon the deals made by RIM, Nokia and Apple with the Indian government. What share of the market was guaranteed by the government for each in exchange for these backdoors? What other backdoors have been provided by these three (and others) and to whom? What intent does the Indian government have with respect to using these backdoors and do they have the capacity to absorb the yottabytes of data they will collect? Will they contract the US to help manage this data or sell the data to other organizations? Will they use it to squash civil liberties?

Another thought comes to mind relative to Chinese requirements for the turnover of sourcecode by Microsoft, Checkpoint and others as a requirement to sell into Chinese markets. The Chinese are overt with their requirements while India may be otherwise. Regardless, pay to play is a requirement for many types of businesses operating in global markets. We call it bribery and graft. World markets see it as a norm for getting business done.

As for the sourcecode, my thoughts here are so what. Cybercriminals reverse engineer all such code as it is and signature based solutions cover 25% at best and maybe only 50% of the time. Sourcecode that is 6 years old is not a concern. How it was in India hands may be the question to pursue.

Usually when something of this sort is uncovered, it is merely the tip of the iceberg as to what is really going on. Steps taken (or not taken) by the US Government should give an indication of the seriousness of the activity.
1326302984
924ce315203c17e05d9e04b59648a942
Richard Stiennon Thank you YamaTough for chiming in. Point very well taken. Symantec is not the story.
1326304953
Da3ca2c61c4790bcbd81ebf28318d10a
Krypt3ia Yes, we all spy on one another... And yes Symantec is not the story. What is more the story is what has been going on with Anonymous and activity like that of Yama. Things are coming out via hacks that show that corporations are selling technologies with backdoors or using their insight into their products to use them as a form of control over their populace.

That is the story...

Now, as to the provenance of the documents.. Well, lets see them and run some forensics on them to see what we get before saying they are authentic eh?

K.
1326331632
924ce315203c17e05d9e04b59648a942
Richard Stiennon We need a button Krypt3ia
1326336461
35f16f8d3796f94461a4d91cdacad514
Yama Tougher it would be stupid thinking that involved party admits to authenticity of the documents - they had hard time admitting to Paris leak, now they state that office Singh doesnt exist =) They will deny it anyway. Let's make USA decide what's authentic and what is not. We have still 1000 "leak" missles to launch at Indian government to prove otherwise. No matter how they deny it - there are independent parties who will get to a point where lying turns into "harakiri"
1326363344
Da3ca2c61c4790bcbd81ebf28318d10a
Krypt3ia @Richard Button?
1326377254
Da3ca2c61c4790bcbd81ebf28318d10a
Krypt3ia @Yama Who said anyone admitting to anything. Forensics is about proof. It may not be enough to prove the dox came from the source you claim. Hell, it would be easier if you released data you have proving your hack.
1326377418
Da3ca2c61c4790bcbd81ebf28318d10a
Krypt3ia Well, it seems like this is all turning out to be #disinformation after all...
1326395495
D551093f5d8af724e17929c91eb90d63
Andrea Zapparoli Manzoni Cyber Deception 101:

1) infiltrate a group of wannabe hackerz, Anonymous-like but pro-US (d'oh!) Indian teen "patriots", and/or create them;

2) let them pwn some stuff and "find" some juicy, fake dox and old AV source code (2 loosely related findings are better than one and add veridicity to the whole story)

3) let them go out on the Internet shouting they got the evil Indian government blah blah

My ancestors used to say: "cui prodest"?
1326438890
6f11dfa37d387cd7c2099ebcd00bccdd
Laura Walker The usual suspects ;)
1326458647
Page: « < 1 - 2 > »
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.