New Delhi: Last month, the Intelligence Bureau wrote to the Ministry of Railways, alerting it about computer systems being compromised by Pakistan-based “cyber actors”.
The letter written in May, which has been accessed by ThePrint, stated: “It is learnt that (04) Internet connected computers in use at different offices of Indian Railways has (sic) been compromised by Pakistan based cyber actors (APT 36 Malware campaign). Data from the compromised computers are being constantly sent to servers abroad.”
The details of the computers have been attached separately, the IB’s letter added. A highly placed source told ThePrint that while three of the computers identified are located in the ministry, one is the personal computer of a top vigilance officer from the railways.
Asked for a comment by ThePrint, Ministry of Railways spokesperson D.J. Narain said the issue was “very old”, without specifying how old it was. He added: “We have nothing more to say on this. All we can say is we are all safe.”
Also read: Pakistan-linked hackers pose as Indian govt, carry out cyberattacks under Covid-19 cover
Spear-phishing
The IB’s letter further stated that “APT36 cyber threat actors are targeting various government sectors including defence, central police organisations, education, healthcare etc”.
“The modus operandi is to deliver Crimson RAT (Remote Access Trojan) malware embedded in MS Office documents to steal information from the victim computers,” it stated, adding that Covid-themed “spear-phishing” emails are being used to deliver this malware into the victims’ computers.
Spear-phishing is described as the act of sending “emails to specific well-researched targets while purporting to be a trusted sender”. Security and risk management news website CSOOnline quoted Aaron Higbee, co-founder and chief technology officer of anti-phishing firm Cofense, as saying: “Spear-phishing is a campaign that was purposefully built by a threat actor with a goal of penetrating one organisation, and where they will really research names and roles within a company.”
Recommendations
The IB letter also went on to recommend the course of action the Indian Railways should take on this issue.
“Indian Railways may identify the infected computers and take immediate steps to sequester, cleanse and secure the computers,” the letter stated.
It advised immediately disconnecting the infected computers from LAN/internet, changing passwords of all email and online services from another secure computer, formatting the hard disks of the infected computers after taking back-ups of data files, re-installing operating systems and applications from clean software, and scanning back-up data for viruses before restoring it.
Also read: How hackers broke into WHO computers by posing as journalists, researchers