VIF Cyber Review: December 2021

NATIONAL

Government to set up a unified Cyber Security Task Force by March 2022

In view of the growing threat of cyber-attacks and to further national security, the Government of India (GoI) is in the process of establishing a unified national-level Cyber Security Task Force (CSTF), with a significant focus on the cyber risks emanating from the telecom sector. A sub-department for telecom security will be set up under the unified CSTF, likely by March 2022.

At present, cyber threats are handled by the Indian Computer Emergency Response Team (CERT-In), operating under the Ministry of Electronics and Information Technology (MeitY). As cyber threats are more dynamic and sophisticated, the government felt the need for a specialised task force that works on domestic inputs on cyber threats and analyses the information received from allied nations across the world.[1]

“India is keen to welcome all Semiconductor firms to explore investment opportunities in India”: Minister of State for Electronics & IT

“After India announced a ₹ 76,000 crore Semiconductor scheme, there is an interest level among global semiconductor firms to make investments in India. India is looking forward to having Intel, Taiwan Semiconductor Manufacturing Company (TSMC), Samsung and other technology major firms investing in the country,” said Rajeev Chandrasekhar, Minister of State for Electronics & Information Technology (MoS-IT). The investment-related guidelines on the modalities of applying for semiconductor incentives will be issued in early January 2022, and applicants will be given about 45-90 days to respond.

In December 2021, the Government of India (GoI) approved the ‘semiconductor scheme’ to promote semiconductor and display manufacturing in India. The scheme is expected to realise India’s ambitions to be self-reliant in electronics manufacturing and result in at least 35,000 jobs, apart from indirect employment for 100,000 people. Under the scheme, incentives will be lined up for firms engaged in silicon semiconductor fabs, display fabs, compound semiconductors, silicon photonics, sensor fabs, semiconductor packaging, and design. In the next four years, the semiconductor incentive scheme will likely bring investments of around ₹ 1.7 lakh crore and provide 1.35 lakh jobs in India.[2]

India-Vietnam signed agreements to strengthen cooperation in the field of Information Technology

During his visit to India on 16 December 2021, Vietnam’s Minister for Information and Communication, Nguyen Manh Hung, met India’s Minister of State for Electronics and Information Technology (MoS IT) & Skill Development and Entrepreneurship, Rajeev Chandrasekhar, and exchanged views on several initiatives to strengthen the digital economy and further enhance Information & Communications Technology (ICT) trade and cooperation between India and Vietnam.

Both Ministers signed the India-Vietnam Memorandum of Understanding (MoU), which intends to promote active cooperation and exchange between private stakeholders, Governments, institutions involved in enhancing capacity building, and public and private organisations of both nations in the field of ICT. India’s ‘digital government’ initiatives and the fast-emerging technology start-up ecosystem have not only shown the resilience and maturity to meet the challenges of the Coronavirus pandemic but are now role models for other developing and less developed countries.[3]

MeitY organised the ‘25th CISO Deep Dive’ training programme under the Cyber Surakshit Bharat initiative

With a vision of strengthening the cyber security ecosystem in Government establishments under India’s Cyber Surakshit Bharat initiative, the National e-Governance Division under the Ministry of Electronics & Information Technology (MeitY) organised a six-day ‘Deep Dive’ training programme for Chief Information Security Officers (CISOs) and frontline Information Technology (IT) officials from various Ministries and Departments, Government and Semi-Government organisations from Central & State governments, Public Sector Undertakings (PSUs), Banks, and other establishments.

The training programme equipped CISOs with a better understanding of the emerging cyber threat landscape and best practices in cyber security to translate the benefits of secure cyberspace to their respective organisations and citizens. “It is expected that the training will provide the necessary exposure to the latest tools and technologies in the cyber security and requirement for legal compliance. The knowledge gained during training can help the CISOs and other participants to prepare Cyber Security Policies (CSPs) and Cyber Crisis Management Plan (CCMP) for respective organisations,” said Tulika Pandey, Director at Cyber Security Division, MeitY.

Highlighting the trend of cyber-attacks in India, Amitesh Kumar Sinha, Joint Secretary, e-Governance at MeitY, noted that “cyber fraudsters are using the COVID-19 pandemic as a cyber-attack vector for their notorious gains. During the COVID-19 time, there has been a surge in cyber incidences. The primary attacks have been phishing attacks to steal information and drop malware. The attackers devise new strategies to target victims with scams or malware campaigns. This workshop is an opportunity to understand how CISOs and other IT officials should approach this entire problem.”[4]

Joint Parliamentary Committee submitted report on the ‘Personal Data Protection Bill 2019’

On 16 December 2021, the Joint Parliamentary Committee (JPC) submitted its report on the ‘Personal Data Protection Bill 2019’ in both Houses of the Parliament: the Upper House (Rajya Sabha) and the Lower House (Lok Sabha). The JPC report, running over 500 pages, has proposed several key amendments. One of the key recommendations of the report is that non-personal data be included in the Bill. “As soon as the provisions to regulate non-personal data are finalised, there may be a separate regulation on non-personal data in the Data Protection Act to be regulated by the Data Protection Authority (DPA),” read the report. Emphasising data localisation, the report recommends that no social media platform be permitted to operate in India unless the parent company in charge sets up an office in India.

Along with considering key issues such as a statutory body for media regulation, the safety of financial transactions, data localisation, and data breaches, the report recommended that the Bill be named the ‘Data Protection Bill 2019’. The Bill is likely to be discussed in the Budget Session of the Parliament.[5]

Indian CERT issued advisory on multiple vulnerabilities in Apache Log4j

On 10 December 2021, the Indian Computer Emergency Response Team (CERT-In) issued an advisory on multiple vulnerabilities discovered in the Apache Java logging library Log4j: Remote Code Execution vulnerabilities (CVE-2021-44228, CVE-2021-44832, CVE-2021-4104, and CVE-2021-45046) and a Denial of Service vulnerability (CVE-2021-45105). These could allow a remote attacker to gain full access or control and perform a Denial of Service (DoS) attack on the targeted servers. The DoS vulnerability existed in Apache Log4j versions due to a failure to protect against uncontrolled recursion from self-referential lookups. A remote unauthenticated attacker could exploit this vulnerability by injecting a crafted malicious payload that contains a recursive lookup, resulting in a DoS condition.[6]

According to Check Point, a cyber security firm, the Log4j vulnerability prompted 100 new hacking attempts every minute. The firm had monitored attempts to exploit the vulnerability on over 40 per cent of corporate networks worldwide. The Apache Software Foundation, which oversees the Log4j code, released a fix for the vulnerability and rated the issue “10”, the highest level of seriousness. “This is the third really serious flaw that has affected a wide range of Internet services: Heartbleed in 2012, ShellShock in 2014 and Log4Shell in 2021,” said John Graham-Cumming, Chief Technology Officer (CTO) at Cloudflare.[7]

Separately, Microsoft warned that some nation-state supported hacking groups are using Log4Shell. “Multiple tracked nation-state activity groups originating from China, Iran, North Korea, and Turkey, are utilising the vulnerability for activities from ‘experimentation’ to targeted attacks,” read the statement released by Microsoft.[8]

INTERNATIONAL

UK and US intelligence chiefs discussed enduring combined cyber operations

At the ‘Cyber Management Review’ meeting hosted at Fort Meade, Maryland, United States (US), Sir Jeremy Fleming, Director of the United Kingdom (UK)’s Government Communications Headquarters (GCHQ), and General Sir Patrick Sanders, Commander of the UK Strategic Command, discussed the joint commitment to disrupt and deter emerging cyber threats with General Paul Nakasone, Director of the US National Security Agency (NSA) and Commander of the US Cyber Command.

The annual forum enables the UK and US to develop world-class cyber capabilities, improve cyber defences, and impose costs for malicious cyber activity. “We [UK & US] agree that strategic engagement in cyberspace is crucial to defending our way of life by addressing these evolving threats with a full range of capabilities. To carry this out, we will continue to adapt, innovate, partner, and succeed against evolving threats in cyberspace,” read the joint statement released by the UK and US intelligence and defence chiefs.[9]

Japanese firms targeted by Chinese state-backed hackers with ‘Flagpro’ malware

China’s state-supported ‘BlackTech’, a cyber-espionage APT (Advanced Persistent Threat) group, has targeted several Japanese companies from various sectors, including defence technologies, media, and communications, using the ‘Flagpro’ malware. According to the report submitted by NTT Security, Flagpro malware has been deployed against Japanese firms for more than a year, since October 2020.

The threat actor deployed Flagpro in the initial stage of an attack for network reconnaissance, evaluating the target’s cyber environment, and downloading and executing second-stage malware. The modus operandi begins with a phishing e-mail crafted for the target organisation, pretending to be an e-mail from a trustworthy partner. The e-mail carries a password-protected ZIP or RAR attachment that contains a Microsoft Excel file (.XLSM) equipped with a malicious macro. Running the macro creates an executable, Flagpro, in the start-up directory.

Flagpro connects to the C2 server via HTTP and sends system ID details obtained by running hardcoded OS commands on its first execution. In response, the C2 server can send back additional commands or a second-stage payload that Flagpro can execute. The BlackTech APT was spotted by Trend Micro researchers in 2017 and is associated with China. The BlackTech APT generally targets Taiwan and occasionally attacks companies in Japan and Hong Kong to steal technology.[10]

Europol’s EC3 arrested a Romanian in connection with a Ransomware affiliate scavenging for sensitive data

In a joint operation with the Romanian National Police (Politia Romana) and the United States (US)’ Federal Bureau of Investigation (FBI), Europol’s European Cyber Crime Centre (EC3) arrested a Romanian national in connection with a ransomware affiliate targeting high-profile organisations and companies for their sensitive data.

After compromising the network of a large Romanian IT company that delivers services to clients in the retail, energy, and utilities sectors, the cyber-criminal deployed ransomware and stole sensitive data from the company’s clients in Romania and abroad before encrypting their files. The cyber-criminal then asked for a hefty ransom payment in cryptocurrency, threatening to leak the stolen data on cybercrime forums should his demands not be met.[11]

Endnotes

[1] Doval, Pankaj. “Unified cyber security task force by March: Source”, The Economic Times- Telecom, 20 December 2021, Available from: https://telecom.economictimes.indiatimes.com/news/unified-cyber-security-task-force-by-march-source/88381159 . Accessed on 23 December 2021.

[2] PTI. “We’ll love to see Intel, TSMC, Samsung, and other semiconductor giants invest in India: MoS IT”, The Economic Times- Telecom, 29 December 2021, Available from: https://telecom.economictimes.indiatimes.com/news/well-love-to-see-intel-tsmc-samsung-other-semiconductor-giants-invest-in-india-mos-it/88556288 . Accessed on 31 December 2021.

[3] Ministry of Electronics & IT, India-Vietnam signs agreement to extend cooperation in the field of Information Technology, Release ID: 1782377 (India, 2021), Available from: https://pib.gov.in/PressReleasePage.aspx?PRID=1782377 . Accessed on 20 December 2021.

[4] Ministry of Electronics & IT, MeitY organises 25th CISO Deep Dive Training program under Cyber Surakshit Bharat initiative, Release ID: 1782189 (India, 2021), Available from: https://pib.gov.in/PressReleasePage.aspx?PRID=1782189 . Accessed on 20 December 2021.

[5] Lok Sabha, Report of the Joint Committee on the Personal Data Protection Bill, 2019, (India, 2021), Available from: https://prsindia.org/files/bills_acts/bills_parliament/2019/Joint_Committee_on_the_Personal_Data_Protection_Bill_2019.pdf . Accessed on 30 December 2021; Sharma, Mohit. “Joint Committee report on Data Protection Bill tabled in Both Houses of Parliament: Details”, India Today, 17 December 2021, Available from: https://www.indiatoday.in/india/story/joint-committee-report-data-protection-bill-tabled-houses-parliament-details-1888747-2021-12-17 . Accessed on 30 December 2021.

[6] Indian Computer Emergency Response Team (CERT-In), CERT-In Advisory CIAD-2021-0046: Multiple Vulnerabilities in Apache Log4j, (India, 2021), Available from: https://cert-in.org.in/ . Accessed on 31 December 2021.

[7] Tidy, Joe. “Flaw prompts 100 hack attacks a minute, security company says”, BBC News, 13 December 2021, Available from: https://www.bbc.com/news/technology-59638308 . Accessed on 31 December 2021.

[8] Microsoft Threat Intelligence Centre (MSTIC), “Guidance for preventing, detecting, and hunting for exploitation of the Log4j 2 vulnerability”, Microsoft, 11 December 2021, Available from: https://www.microsoft.com/security/blog/2021/12/11/guidance-for-preventing-detecting-and-hunting-for-cve-2021-44228-log4j-2-exploitation/ . Accessed on 30 December 2021.

[9] Government Communications Headquarters, UK and US intelligence chiefs commit to enduring combined cyber operations, (United Kingdom, 2021), Available from: https://www.gchq.gov.uk/news/cyber-management-review-2021 . Accessed on 25 December 2021.

[10] Toulas, Bill. “New Flagpro malware linked to Chinese state-backed hackers”, Bleeping Computer, 28 December 2021, Available from: https://www.bleepingcomputer.com/news/security/new-flagpro-malware-linked-to-chinese-state-backed-hackers/ . Accessed on 01 January 2022.

[11] Europol, Arrest in Romania of a ransomware affiliate scavenging for sensitive data, (The Netherlands, 2021), Available from: https://www.europol.europa.eu/media-press/newsroom/news/arrest-in-romania-of-ransomware-affiliate-scavenging-for-sensitive-data . Accessed on 01 January 2022.