First Documented Case of Cyber Espionage?

Sunday, January 15, 2012

Richard Stiennon


Update: Symantec Hacked in 2006? Claim Raises More Questions

Symantec now claims that the company's own networks were in fact breached back in 2006, leading to the loss of proprietary product data: "investigation into the matter had revealed that the company's networks had indeed been compromised"...

*   *   *

Update:  Hacker to Release Symantec's PCAnywhere Source Code

"YamaTough, spokesperson for the hacktivist group “The Lords of Dharmaraja”, informed Infosec Island of plans to release source code for Symantec's PCAnywhere. The release is to be made prior to the threatened exposure of the full source code for the Norton antivirus..."

*   *   *

There have been so many examples of cyber espionage that it is now the norm to simply accept that it is rampant.

MI5 in the UK, the German Chancellery, Titan Rain, GhostNet, the Pentagon email hack, Google Aurora: all are examples of cyber espionage, most attributed to China. But to date no evidence has been put forth other than claims from the injured parties.

Thanks to reporting from Anthony M. Freed of Infosec Island, we have learned that a group of Indian hackers that align themselves with Anonymous (the catch-all movement for hackers these days) have breached several Indian government servers and uncovered gold. If taken at face value, their hacking has revealed:

1. The Indian government has source code for Symantec’s AV software, albeit of 2006 vintage.

2. The Indian government is strong-arming cell phone manufacturers to provide back doors into their handsets.

3. The Indian government is in possession of confidential internal communications from the US-China Economic and Security Review Commission (USCC).

And now in a new development we learn from Freed:

“Now YamaTough has provided potentially damning evidence that the Indian government is actively engaged in espionage efforts targeting not only the USCC, but potentially thousands of US government networks, ranging from those of federal agencies to systems used by state and municipal entities.”

YamaTough is part of The Lords of Dharmaraja hacking group in India.

You can see the difference between these unfolding events and previous claims of cyber espionage. The exfiltration of terabytes of data on the US Joint Strike Fighter, or last March's theft of "24,000 documents", has never been proved. They are just claims from admittedly credible sources.

Thanks to a hacker group in India, Infosec Island has source material that demonstrates widespread cyber espionage on the part of the Indian government, material which the hackers may publish.

This is a historically significant development for those of us who track cyber espionage.

Cross-posted from IT-Harvest

Jeffrey Carr I think that you're assuming facts not in evidence, Richard. There's no evidence to support Yama Tough's claim that India is intercepting cell phone communications via a backdoor. There is evidence that Yama Tough's "evidence" is fraudulent (see my article on that). In fact, it's doubtful that Yama Tough is even Indian. Most likely he's Pakistani and is engaging in a campaign to discredit the Indian gov't.
Avinash Rana I agree with Jeffrey Carr! Infosec Island authors keep saying that YamaTough is a part of some Indian hacking group, although they don't have enough evidence of the same. Merely taking an interview of the person online won't prove that he/she is an Indian or from India. Even if you have had a telephonic conversation, that also does not prove the same thing.

I am sure that this guy is either from China or from some other Asian country. If you look at the name of this guy, it purely suggests that he is not from India. Yama seems to be a Buddhist name. Do not compare it with YAM (a Hindu god). It's a very unusual name opted for by this guy. It could even be possible that he is just a paid puppet, who is just babbling over your website, whereas the real mastermind behind this activity is somewhere else enjoying the show.

I must say that you guys are assuming facts and not evidence, and doing the same thing which YamaTough is doing: publicity!

Don't forget that probably they are using your blog/website just to discredit Indian govt. and trying to create tensions among countries.
Bobby Mann Who are these people that run or contribute to InfoSec Island? Are they even journalists? Simply reciting the views of one disgruntled individual as "fact"? If anyone believes this "National Enquirer" reporting, then they are nuts. Fact is, we have no facts other than some stolen code and the views of some nutjob. I agree, that this is likely not someone from India - he goes out of "his" way to make spelling and grammar errors to make people think English is not "his" first language. Sorry Yama, seems like nobody is buying the crap you are spewing. Your tactics are flawed.
Anthony M. Freed @Avinash - Thanks for your comments. I would, however, like to point out that we are simply reporting what YamaTough has stated, and are not asserting that the statements are indeed fact.

Note the line "usernames and passwords provide strong evidence that the Indian government may be actively engaged in espionage directed against the US government," includes the word "may" which connotes the possibility that it may be the case, but leaves open the possibility that it may not be.

Also note the line from a previous article that reads "potentially damning evidence that the Indian government is actively engaged in espionage efforts" - paying particular attention to the word "potentially".

These statements are no more or less speculative than any other assumptions that have been made based on the limited evidence available, such as assertions that YamaTough is not Indian or that these leaks are a plot by the Chinese to damage US-Indian relations.

The point of these articles is to further document YamaTough's motivations, whether they in time reveal themselves to be true or false, and these articles provide more insight into the hacktivist than any other currently available information.
Bobby Mann But Anthony, your headlines and statements are so laden with Drama and Effect! A good journalist backs up a story with facts and information from all sides, and doesn't just write sensationalism... unless you are the National Enquirer. Is the goal of InfoSec Island to be the National Enquirer of Security Information Reporting? If so, I commend you on your excellent reporting.
Anthony M. Freed Titles to articles are just that: titles. The content of the articles are much more substantive, which is why we include them along with the headline. As for drama, the leaking of source code and the possession of US government logins are not imaginary events such as one might find in a publication like the National Enquirer, so your "argument" is stupendously unfounded.
Bobby Mann You know for FACT that these US logins are legit? Please back this up with a comment by someone official, otherwise it's not FACT. I dare say this is not even drama, given Yama refuses to back up that he has more than some stolen/leaked source code. You should be asking for proof that he has code from other companies; then that is really a story. Still sensationalism.
Javvad Malik @bobby, you raise some good points about checking facts.

I'd like to focus on some other issues that this has brought up.

Firstly, someone (anyone) can claim to have 'hacked' into any organisation / government etc. and claim to have obtained source code, backdoors, login IDs etc. Whether that is true or not is another issue. What is fact, though, is that it is extremely difficult (if not impossible) for anyone to conclusively refute such claims.

This is the fundamental challenge we face today: nobody is sure their systems are secure. Companies and governments are such bureaucratic minefields that one hand doesn't know what the other is doing. Otherwise the affected parties would come out and flat out sincerely state that this is a total fabrication.

So we have a number of scenarios: the hacker group may be telling the truth, they may be lying, there may be a half truth buried in there somewhere. By bringing these issues up for the attention of infosec professionals (who are the primary users of this website), it allows us to create realistic threat scenarios and models that we possibly haven't considered in the past, and everyone gets the chance to air their views, be it in the form of a comment or a blog post, a factual piece, a research publication or a simple opinion piece or rant.

Personally, I hold not just the articles, but the comments that follow of equal value and importance because they show many ways of looking at the same issue.
David Noergaard I just read a news bulletin that is going out from Symantec that states their investigation has revealed this is NOT a theft of code from the Indian govt. but from Symantec, dating back to an incident in 2006. I think this will definitely change the story for Anonymous. They have now had their hand called.
Jeffrey Carr Thanks, David. Can you point to a source for the Symantec announcement?
David Noergaard Jeffrey, I can't, but the text that is going out reads:
"Upon investigation of the claims made by Anonymous regarding source code disclosure, Symantec believes that the disclosure is the result of a theft of source code that occurred in 2006. We believe that source code for the 2006-era versions of the following products was exposed: Norton AntiVirus Corporate Edition; Norton Internet Security; Norton Systemworks (Norton Utilities and Norton GoBack); and pcAnywhere. Due to the age of the exposed source code, except as specifically noted below, Symantec customers - including those running Norton products - should not be in any increased danger of cyber attacks resulting from the incident. Customers of Symantec pcAnywhere product may face a slightly increased security risk as a result of this exposure if they do not follow the general best practices. Symantec is currently in the process of reaching out to our pcAnywhere customers to make them aware of the situation and to provide remediation steps to maintain the protection of their devices and information. Since 2006, Symantec has instituted a number of policies and procedures to prevent a similar incident from occurring."
Krypt3ia Alrighty, time to weigh in here. I have already tweeted at Richard about this but let me put this down here for posterity...

1) The Cuckoo's Egg happened a long time ago. It was documented in a BOOK.

2) YamaTough has another agenda and is not what he/they seem

3) The evidence presented by YT is speculative at best. No provenance.

4) See #1

The end.