September 2024 will be remembered for a string of deadly attacks involving exploding pagers in Lebanon. The blasts killed at least 37 people, including two children, wounded more than 3,000 and deeply unsettled ordinary citizens. These mid-September explosions are widely blamed on Israel, which has neither confirmed nor denied involvement. But then, such denials are nothing new and are exactly what one would expect from any country.
Remember Stuxnet? Around 14 years ago, Stuxnet, a highly sophisticated computer worm, targeted the centrifuges of Iran's uranium enrichment facilities to covertly derail the country's then-emerging nuclear programme. Even today, we still do not know who created this worm, which could wreak havoc on targeted hardware (Stuxnet attacked the programmable logic controllers, or PLCs, that drove the centrifuges). But if cybersecurity researchers, the Iranian government and vocal internet users are to be believed, the two prime suspects behind Stuxnet are the US and Israel.
Security solutions provider Sophos, in its latest report, has warned about multiple interlinked nation-state adversaries based in China targeting perimeter devices. "The attackers used a series of campaigns with novel exploits and customised malware to embed tools to conduct surveillance, sabotage and cyberespionage as well as overlapping tactics, tools and procedures (TTPs) with well-known Chinese nation-state groups including Volt Typhoon, APT31 and APT41. The adversaries targeted both small and large critical infrastructure and government targets, primarily located in South and South-East Asia, including nuclear energy suppliers, a national capital's airport, a military hospital, state security apparatus, and central government ministries."
The 'Pacific Rim' report from Sophos shares an example of the new-age sophisticated attack. It says, "On 4 December 2018, a low-privileged computer connected to an overhead display began to scan the Sophos network, seemingly on its own, at the India headquarters of Cyberoam, a company Sophos acquired in 2014. Sophos found a payload quietly listening for specialised inbound internet traffic on the computer that contained a novel type of backdoor and a complex rootkit, 'Cloud Snooper'."
The report also highlights the persistence of Chinese nation-state adversaries and their hyper-focus on compromising perimeter, unpatched and end-of-life (EOL) devices, often via zero-day exploits they are developing specifically for those devices.
"The reality is that edge devices have become highly attractive targets for Chinese nation-state groups like Volt Typhoon and others as they look to build operational relay boxes (ORBs) to obfuscate and support their activity. This includes directly targeting an organisation for espionage or indirectly leveraging any weak points for onward attacks – essentially becoming collateral damage. Even organisations that are not targets are getting hit. Network devices designed for businesses are natural targets for these purposes – they are powerful, always on, and have constant connectivity," says Ross McKerchar, chief information security officer (CISO) at Sophos.
Edge devices are used in many different applications, including the Internet of Things (IoT) and real-time applications. Edge devices can come in many different forms, including sensors, smartphones, medical devices, scientific instruments, autonomous vehicles, automated machines, routers, routing switches, integrated access devices (IADs), and multiplexers.
According to Mr McKerchar, the modus operandi of China-based adversaries is creating long-term persistence and complex obfuscated attacks. "What we tend to forget is that small- and medium-sized businesses, those that form the bulk of the supply chain for critical infrastructure, are targets since they are often the weak links in this supply chain. Unfortunately, these businesses often have fewer resources to defend against such sophisticated threats. Further complicating matters is the tendency for these adversaries to gain a foothold and dig in, making it hard to evict them."
The 'Pacific Rim' report also shares an interesting episode about receiving a zero-day remote code execution vulnerability as part of its bug bounty program. "After deeper analysis, Sophos determined the person reporting the exploit may have had a connection to the adversaries. This was the second time Sophos received a suspiciously timed 'tip' about an exploit before it was used maliciously!"
While security service providers like Sophos and state-run cybersecurity agencies are warning about increased dangers from Chinese nation-state groups, unfortunately, several countries, including India, are not ready to even acknowledge it or are not paying much attention.
Often, those who are expected to be the 'logic' controllers, the rulers, behave in a high-handed fashion or respond with a knee-jerk reaction. This phenomenon is not limited to India and can be seen worldwide, with the same result.
For example, someone in the Union government wanted to teach China a lesson over intrusions at our borders. What did they do? They banned Chinese mobile apps! It is nothing but a futile knee-jerk reaction. In cyberspace, banning an app or geo-fencing portals (restricting access based on location) is useless for very basic and simple reasons.
Even if you ban an app, there are hundreds of websites that provide the APK (Android package kit) files of the same app for free. APK is a file format used by the Android operating system to distribute and install mobile apps and middleware.
Also, those who (still!) believe in geo-fencing portals or apps may not have heard of the virtual private network (VPN), which masks a user's internet protocol (IP) address and so bypasses IP-based restrictions. While a VPN is a service that encrypts your internet traffic on unsecured networks to ensure your digital privacy, it can also extend access to a private network (read: a geo-fenced one) to users who do not have direct access to it.
While for common people, IoT devices like a 'smart' (read: internet-connected) TV or light bulb are a matter of convenience, for service and device providers they create an opportunity to measure, collect and analyse an ever-increasing variety of behavioural statistics. The same IoT devices also allow cybercriminals to spy remotely through always-on microphones or cameras (if built in), hack the device and collect personal details. Not to forget remote code execution, as we witnessed in the case of the pager explosions in Lebanon.
In other words, common users of edge and IoT devices have no option but to stay vigilant and implement best security practices to safeguard themselves from State-sponsored attacks.
Here are a few suggestions...
1. Use strong authentication: Use multi-factor authentication (MFA) and strong password policies to reduce the chances of unauthorised access to systems and devices.
2. Limit access: Ensure that only authorised users have access to the system and device. This is especially important for devices (e.g. 'smart' speakers or CCTV cameras) that allow remote access or code execution.
3. Switch off: Completely shut down the IoT device or system when not needed. This prevents the leakage of personal data and information.
4. Automate updates: Where possible, enable automatic security updates on systems and devices to ensure vulnerabilities are patched as soon as fixes are released.
5. Firewalls: Use a network firewall to limit inbound and outbound traffic to only trusted sources. If possible, restrict access to management or sensitive ports.
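As an added illustration of suggestion 5 (this is example code written for this article, not a Sophos configuration), the script below emits a default-deny nftables ruleset for a small edge device: management ports are reachable only from an assumed admin subnet, and outbound traffic is limited to an assumed resolver and update host, which also starves an implant that needs to beacon out. All addresses and ports are constructed placeholders.

```shell
#!/bin/sh
# Generate a default-deny nftables ruleset for an edge device (added example).
# Arguments are constructed placeholders: admin subnet, management ports,
# DNS resolver and update host. IPv6 is not allowed here and is dropped.
gen_edge_ruleset() {
  admin_net="$1"   # e.g. 192.0.2.0/24
  mgmt_ports="$2"  # e.g. "22, 443"
  resolver="$3"    # e.g. 192.0.2.53
  update_host="$4" # e.g. 198.51.100.10
  cat <<EOF
table inet edge {
  chain input {
    type filter hook input priority 0; policy drop;
    iif lo accept
    ct state established,related accept
    ct state invalid drop
    # management plane reachable only from the admin subnet
    ip saddr $admin_net tcp dport { $mgmt_ports } accept
    # everything else is logged (rate-limited) and dropped by the policy
    limit rate 5/minute log prefix "edge-drop-in: "
  }
  chain output {
    type filter hook output priority 0; policy drop;
    oif lo accept
    ct state established,related accept
    # only the named resolver and update host may be contacted
    ip daddr $resolver udp dport 53 accept
    ip daddr $update_host tcp dport 443 accept
    limit rate 5/minute log prefix "edge-drop-out: "
  }
}
EOF
}

# Syntax-check the generated ruleset with nft -c (no root needed) when nft
# is installed; otherwise just print it for review.
check_edge_ruleset() {
  rules=$(gen_edge_ruleset "$@")
  if command -v nft >/dev/null 2>&1; then
    printf '%s\n' "$rules" | nft -c -f - || return 1
  else
    printf '%s\n' "$rules"
  fi
}
```

To apply on the device, run the checked ruleset through `nft -f -` as root; the dropped-packet log lines are also the first place to look for unexpected inbound scans or outbound beacons.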
Stay Alert, Stay Safe!