The Recorded Future Blog
Hacktivism: India vs. Pakistan
by RFSID on February 11, 2016
When India gained independence from Britain in 1947, a new, predominantly Muslim nation of Pakistan was created during what was called the “partition.”
During this partition, about 15 million people were displaced and a million more died. The “hastily drawn” border by the departing British, which separated Pakistan from the mostly Hindu India, never fully resolved all the issues.
Several wars between the two nations ensued and tensions continue to this day. A floodlit, 1250-mile portion of the current international border (a.k.a. the Line of Control) is visible in a photo taken from the International Space Station.
Indian soldiers (in present day Bangladesh) during the third war between India and Pakistan in December 1971.
The continuing rivalry between India and Pakistan has spilled over into cyberspace, very visibly with hacktivism. This post reviews that activity and demonstrates how high-profile events and anniversaries (e.g., Indian Independence Day on August 15, Pakistan’s Independence Day on August 14, the Mumbai attacks on November 26, and even cricket matches between the two countries) often coincide with increased cyber activity.
The Cyber Dimension to India and Pakistan’s Cricket Rivalry
An India versus Pakistan cricket match in March 2014 results in an Indian university website being hacked.
The game of cricket provides a perfect field for a great rivalry between India and Pakistan. Wins and losses have geopolitical, social, and cyber repercussions on both sides. Conversely, geopolitical and social tensions have led to matches being postponed or cancelled.
On March 2, 2014, Pakistan defeated India in a cricket match in the Asia Cup held in Dhaka, Bangladesh. The next day (March 3), in Meerut, India, 67 Kashmiri students at Swami Vivekanand Subharti University were suspended for having cheered for Pakistan and distributing sweets after their win.
Then, on March 5, 2014, the website of Swami Vivekanand Subharti University was hacked by a group claiming to be the Pakistan Cyber Army (a.k.a. Bangladesh Cyber Army) in response to the expulsion of the pro-Pakistan students.
Finally, on March 7, 2014, the sedition charges against the expelled students were dropped, though they could still face prosecution over the incident.
Based on this past event, it’s likely that cyber activity will take place between Indian and Pakistani actors before, during, and after the next cricket match between India and Pakistan on March 19 in Dharamsala, India.
A Predictable Pattern on Independence Days
India and Pakistan’s independence days, which fall on August 15 and August 14 respectively, create a predictable pattern (at least over the past three years) of attacks and retaliatory strikes by the opposing hacker groups, as shown in the timeline below. An uptick in such activity before and after this year’s independence days shouldn’t come as a surprise.
Pakistan Cyber Army Targeting India: A Snapshot 2007 Onward
Let’s take a closer look at the activities of the Pakistan Cyber Army (PCA), which was involved in the cricket incident described earlier.
The timeline below shows that the PCA has been consistently active at least since 2007, hacking, defacing, and shutting down high-profile Indian websites. Government and private sites have been targeted, including the Indian Oil and Natural Gas Corporation (a Fortune 500 company), Indian Railways, the Central Bureau of Investigation, the Central Bank of India, and the State Government of Kerala.
The PCA’s “public announcement” of its operations against India and the PCA’s motives are described in a document on Pastebin as shown in the image below, conveniently cached in Recorded Future. This particular message is related to PCA’s attacks to commemorate Pakistan’s independence day (August 14).
When we investigate the PCA’s TTPs (tactics, techniques, and procedures) to learn how they operate, we find examples like tutorials on how to set up phishing attacks, as shown in this Facebook post. Of course, it’s hard to establish that the person who posted this is indeed a PCA actor:
Below is another example where SQL injection attacks are allegedly used by Pakistani hackers to compromise Indian websites.
In their research into PCA’s activities, ThreatConnect and FireEye also reported finding possible links to personas with skills in exploiting Web applications and services, identifying zero-day vulnerabilities, SQL injection, WEP cracking, and spear phishing.
In some instances the hackers chose to identify themselves — for example, the hacker behind India’s Kerala state website defacement in September 2015 identified himself as “Faisal 1337” as shown in the image below.
If we widen our view again and look at hackers from Pakistan and India targeting each other over the last seven months, we can see an interesting retaliatory pattern of attacks; the latest major response being Indian hackers avenging the deadly January 2, 2016 attack on the Indian Air Force base in Pathankot.
There are a number of hacker groups in India, including the Indian Black Hats, who reportedly claimed responsibility for the January 7 retaliation (see the timeline image above) for the attack on Pathankot, and the Mallu Cyber Soldiers, who were said to have avenged the attacks on the Kerala state government website.
When looking at the hacking methods used by these groups, given that they go after weakly secured websites or those with unpatched vulnerabilities, one can expect to find generally applicable instructions and techniques used and shared by various groups, especially when they identify themselves under the broad umbrella of “India hackers.” The methods used by these groups include SQL injection and PHP Web application hacks, as shown by the mentions below.
The Pastebin references mention a tool, “D3LT4,” for scanning websites for SQL injection vulnerabilities, and further reference PHP scripts that can be used to hack Web applications.
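The two observations above, that the groups lean on SQL injection against weakly secured sites and that activity clusters around predictable dates, suggest what a site owner on either side can monitor for. The following is an added example, not code from Recorded Future or from any of the groups discussed: it flags SQL injection probing in constructed Apache-style access log lines, counts probes per day, and annotates days that fall near the anniversaries the post names. The log lines, the indicator regex, and the threshold are assumptions for illustration.

```python
import re
from collections import Counter
from datetime import date, datetime, timedelta
from urllib.parse import unquote_plus

# Constructed sample of Apache combined-format access log lines (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [13/Aug/2015:10:02:11 +0530] "GET /news.php?id=12 HTTP/1.1" 200 5120
203.0.113.5 - - [14/Aug/2015:01:14:02 +0530] "GET /news.php?id=12%27%20OR%201%3D1-- HTTP/1.1" 500 310
198.51.100.7 - - [14/Aug/2015:01:14:09 +0530] "GET /news.php?id=12%20UNION%20SELECT%201,2,3 HTTP/1.1" 500 310
198.51.100.7 - - [14/Aug/2015:01:15:40 +0530] "GET /news.php?id=12%20AND%20SLEEP(5) HTTP/1.1" 200 5120
203.0.113.9 - - [14/Aug/2015:02:00:00 +0530] "GET /index.php HTTP/1.1" 200 8000
192.0.2.4 - - [20/Aug/2015:09:30:00 +0530] "GET /news.php?id=13 HTTP/1.1" 200 5100
"""

LINE_RE = re.compile(r'^\S+ \S+ \S+ \[(\d{2}/\w{3}/\d{4}):[^\]]+\] "(?:GET|POST) (\S+) ')
# Coarse indicators of SQL injection probing; tune to the application's own URL grammar.
SQLI_RE = re.compile(r"('|\")\s*(or|and)\s|union\s+select|sleep\s*\(|information_schema|--\s*$|/\*", re.I)

# Dates the post associates with spikes in India/Pakistan hacktivism (month, day).
WATCH_DATES = {(8, 14): "Pakistan Independence Day", (8, 15): "Indian Independence Day",
               (11, 26): "Mumbai attacks anniversary"}

def is_sqli_probe(url: str) -> bool:
    """Decode the request target (twice, for double-encoded payloads) and look for injection tokens."""
    decoded = unquote_plus(unquote_plus(url))
    return bool(SQLI_RE.search(decoded))

def probes_per_day(log_text: str) -> dict:
    """Map each calendar day to the number of requests that look like SQL injection probes."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and is_sqli_probe(m.group(2)):
            counts[datetime.strptime(m.group(1), "%d/%b/%Y").date()] += 1
    return dict(counts)

def nearby_event(day: date, window: int = 2):
    """Return the name of a watched anniversary within +/- window days of day, else None."""
    for delta in range(-window, window + 1):
        d = day + timedelta(days=delta)
        if (d.month, d.day) in WATCH_DATES:
            return WATCH_DATES[(d.month, d.day)]
    return None

def flag_days(log_text: str, threshold: int = 3) -> list:
    """Return (day, probe_count, nearby_event) for days whose probe count reaches the threshold."""
    return [(day, n, nearby_event(day))
            for day, n in sorted(probes_per_day(log_text).items()) if n >= threshold]

if __name__ == "__main__":
    for day, n, event in flag_days(SAMPLE_LOG):
        print(f"{day}: {n} SQLi probes" + (f" (within 2 days of {event})" if event else ""))
```

In production the threshold would be set from a per-site baseline rather than a constant, and the watch list extended with match fixtures such as the March 19 game.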
The glimpses above hint at the many possible motivations and objectives of the cyber activities between India and Pakistan.
These could range all the way from loosely affiliated hacktivist groups avenging attacks by defacing symbols and institutions to more coordinated state-sponsored attacks, which will be covered in a future piece. The Line of Control (a.k.a. international border) between the two only serves as a symbol of adversarial tension and certainly not a barrier in the cyber realm.