A sneak peek into the Pakistan Army’s cyber tradecraft

This seems to have gone unnoticed, so I am recording it here. A small ideological disclaimer: I do not *hate* Pakistan like many right-wingers do. In fact, I long to visit Lahore some day and sample its street food. Nonetheless, this is an interesting public exposure of the tradecraft – if it could be called that – of an adversarial army.

In March this year, Amnesty International released a dossier (PDF) on the intimidation and surveillance of human rights activists based in Pakistan, allegedly by the country’s own army operatives. Apart from the usual scare tactics, the operatives also engaged in social engineering and cyber espionage. Android- and Windows-based malware was used for the purpose.

The operating model was hybrid: customised variants of COTS malware developed by a local contractor shop, with all of it coordinated by a team of army officers.

The setup looks ragtag and low-end.

One of the C&C servers associated with the operation was misconfigured, publicly listing all the files present in a specific folder. A particular file, “zahidskills.docx”, contained some interesting titbits. It detailed the daily responsibilities of a member – someone by the name of Zahid Rasheed – of “Team Cyber Security”.

We scan the network on a daily basis to check for open ports or any outbound connection into our network, then we communicate with the Twitter and FB team captains about any new Anti Army or fake accounts of COAS/DG ISPR. Check the DG’s Facebook page security and past 24-hour activity. We are working on different target accounts to trace their IP addresses or to compromise their accounts. We check different new sites to see if there is any Anti Army content on them, so we try to take them down or at least trace the administrator. Increasing likes/followers and viral content on SM-Team request. We scan the ISPR/PakArmy website on a weekly basis to find vulnerabilities or any type of errors. Explore and test new exploits on cyber security and stay up to date with the latest techniques.

For the uninitiated, COAS stands for the Chief of Army Staff. ISPR or Inter Services Public Relations, meant to be the Pakistan Army’s public relations directorate, is actually its propaganda arm.

So, this sounds like a CERT gone rogue, meddling in operations and intelligence. There is a noted political emphasis on keeping the top echelon happy – this unit is conscious of its direct access to the COAS’s office.

Its mandate is really confusing: some ad-hoc tasks around security administration, counterintelligence, OSINT and even cyber offence. Mixing these in one team violates all the tried-and-tested OPSEC best practices, and it eventually led to the unmasking of the team.

My experiential take is that OPSEC blunders happen when the mandate gets messed up – a natural fallout of focusing more on placating the bureaucracy than pursuing relevant imperatives. It is a cultural thing in South Asia. Anyone who has been exposed to a government cyber setup would understand what I mean.

Operational awareness and nuance have to percolate down from the very top when it comes to cyber, and here the generals appear technically clueless. Not to sound churlish, but this pattern is also mirrored in India.

A unified cyber component that pervades all the army’s hierarchies seems to be absent, too – despite its focus on net-centric warfare since the times of Azm-e-Nau. The unit, like most such ill-thought-out apparatuses, is plagued by a narrowly tactical vision. Compare this to the interdisciplinary synergy between the NSA and the US Cyber Command.

There is a growing concern on this side of the fence that the cyber capabilities of the Pakistan Army are more sophisticated than we imagine. This sneak peek may quell that for some time.

Yet, my assessment is not to be treated as gospel truth. The Inter Services Intelligence, and the directorates of Military Operations, Signals Intelligence and Military Intelligence, may very well have their own competent structures. So would the air force and the navy.

GravityRAT, a decently-sophisticated and evolved APT originating from the same country, is a case in point.