Latest News

How India Inc. is Losing It’s Cyber-security War

In 2017 as per one of the report, a leading IT firm McAfee Labs counted 311 publicly security incidents. The reports also mentioned that security teams nowadays face 244 new cyber threats every minute.

Recently, India’s top two private banks, one of the top media company, stock exchange and a top telecom company all have been victims of major cyber thefts and cyber-attacks and ransomware^[1] knew as Wanna cry and Petya infected thousands of companies.

Given the lack of any regulations regarding disclosure – except in financial services where it is mandated by the Reserve Bank of India^[2] – companies hit by cybercrime hide the incidents even in cases where customers have been impacted. So the true extent of the impact on India Inc. never comes out.

As per the views of Cyber experts: Day by day Indian industry is becoming vulnerable because of changing threat profile due to resource-rich nation states now targeting companies.

Increasingly there is evidence that critical national infrastructure is being probed by cyber agents from other nation-states. A few years ago, the US intelligence agency NSA had picked up the trend of Chinese hackers targeting Indian pharmaceutical and IT companies and even discussed specific inputs with companies.

In a recent attack, cybercriminals suspected to be based out of China managed to break into two of India’s most prominent information technology firms. In which one of the company detected the cyber attack on its servers within hours and was able to stop any data breach, while the other IT Firm could only spot the intrusion only a week later.

Since 2012, international countries which have economic interests in India have been silently active. There is a sectorial penetration which is real and companies are not as ready as one would expect it to be. Sectors like IT, pharma, chemicals, defence, and energy are the main target.

The nation-state Cyber security threat is becoming very real. Recently a defense contractor was compromised after an employee downloaded excel sheets containing malicious code from an Indonesian institute.

During investigations, it was found out that Pakistani intelligence agencies were quietly pulling out data from the contractors’ systems. The North Korean hacking group known as Lazarus was likely behind a recent Cyber security campaign targeting organizations across multiple countries and some Indian banks were hit too.

In sectors where competitive intensity is high, cybercriminals now operate with both espionage and criminal intent. Earlier cybercriminals used to focus only on stealing information’s from corporates and used to threaten them but now they are a weaponizing software by installing malicious scripts and disrupting work.

In one of the case, two Indian conglomerates were forced to pay $5 million each in order to prevent hackers from disclosing all the internal information that outed their wrongdoings. The cybercriminals patiently accessed the IT systems for two to three years before they acted on it.

In yet another case of the cyber attack, hackers seized control of computers of three banks and a pharmaceutical company, and then they demanded a ransom in bitcoins for the decryption keys to unfreeze them. The attackers accessed the system by compromising IT administrators’ computers. In all four cases, the hackers are said to have used the ransomware known as Lechiffre. Cyber hackers breached Union Bank of India security systems but the money trail was traced and the movement of funds was blocked.

Given the nature and scale of the threat, Indian companies are not investing enough insecurity. For example, global banks spend up to 15% of their IT spends on IT but in India, it’s hardly 2-3% of the IT security budget.

But now senior management has started taking notice given the loss potential and also the reputational risk. “We have to think security first along with digital-first.

In every senior management meetings, the security issue is being brought up given the high risks involved,” said Joydeep Dutta, group chief technology officer at Central Depository Services India Limited.

Even when the large companies beef up security, though, the vendor or distributor base down the chain remains vulnerable and the entire ecosystem is at risk. In the Reliance Jio case, for instance, a vendor based in Rajasthan had built an interface on top of the company database that allowed some people to access their details from the company’s database. A lot of Aadhaar leaks are similar, according to experts. Some personal data can be accessed by different users but the biometric database and other key data remain safe. “We are sitting on a time bomb. Companies are not looking at the entire ecosystem.”

One reason for Indian companies getting affected by cyber-attacks is the rampant use of unlicensed software and, in some cases, underpaid licenses, which make them sitting ducks.

Increasingly, the IT maintenance, operations, and support ecosystem are becoming a key area of vulnerability due to multiple levels of outsourcing dictated by cost compulsions. A Delhi based FMCG Company found out a disgruntled vendor employee used an admin password to create a false trail of evidence to implicate the company IT senior who wouldn’t hire him on company rolls. That employee used his own desktop to log into the IT manager’s mail and that combined with TV camera evidence was used to bail him out.

In one of the case, pertaining to a tower company, an IT admin figured out how banking switching system and company’s ERP software recorded financial transactions. He changed the bank account number and IFSC code using admin login and transferred Rs. 4 crores in small-value transactions to his account. A worried supplier, who couldn’t reconcile his accounts, complained to the CEO and finally, the employee was caught.

Using cyber tools for espionage is fast becoming common. In a family feud between two brothers who inherited a large fabric manufacturing business and later branched out on their own, the elder brother decided to target the better of a younger brother. Using Cyber security assets he started disrupting the younger brother’s business.

Suddenly systems would be unavailable, suppliers and customers wouldn’t get important communication and designs were being lifted, till the younger one ordered a forensic investigation.

In investigations, a key trend that’s emerging is that a big part of the problem is a lack of understanding of security risks among senior management and their attendant staff.

A phishing exercise carried out by PwC for senior management of a large bank found out that more than 80% of secretarial staff fell for the bait compromising the system. Hackers targeted an MNC CEO by finding out details about his secretary from social media and then sent her a mail with malicious code that discussed her boss’ upcoming travel plans. The secretary opened the attachment compromising the CEO’s account.

Hacking companies is now easier than ever before. “The cost of entry into cybercrime is very low and there are lots of online tools available. One doesn’t even need to go out to learn to hack; there are YouTube videos giving step-by-step tutorials. Also, the fact that the online world gives a person a certain sense of anonymity, which people find empowering”.

To compound the woes of the corporates, the outdated regulations are not helping.

“In the Indian IT Act, financial fraud is a bailable offense. Criminals are not afraid because the penalties are small. After 2008, the Act has not been amended, so the regulations are not keeping pace with the changing cyber scenario”.

Indian employees are particularly susceptible to large-scale adoption of smartphones, cheap data rates and a habit of downloading all sorts of apps. Recently, cybercriminals uploaded an app at Google Play that gave people tips and tricks to find more Pokémon’s, and subsequently, a lot of people ended up infecting their phones.

With the whole Bring Your Own Device or BYOD trend catching on, IT managers have been struggling with the Cyber security aspect. In a large pharma firm, the head of the research’s laptop was infected by hackers from an enemy nation and for two and a half years they gleaned all company and personal information from the personal laptop. “Mobile is the most vulnerable but gets the least attention by the corporates”.

According to the McAfee report, new malware samples leaped 67% to 52 million, new ransomware samples increased 54% to 10.7 million samples and total mobile malware grew 61% in the past four quarters to 18.4 million samples. Looks like Singh and his team are staring at a busy season ahead.

Some of the Famous Cybercrime Cases of India: