Why I should not be talking about an Indian cyber mercenary

Even ten years ago, as we bootstrapped cyber operations in the government, a subtle tension always brewed when it came to contractors.

I belonged to an archaic school of thought believing that such capabilities need to be internally fostered. As Dave Aitel rightly says: you build competencies [over generations] rather than tools.

But the one term that defines the Indian establishment is inertia. It seems that the contractors edged out the competition. Things work a little differently in Asia: it is more lucrative for mid-level bureaucrats to promote contractor shops than any long term, thankless commitment.

But let us understand how such an approach damages our national security.

Earlier in July, I wrote about an Indian cyber mercenary with persistently bad operational security (OPSEC) and a global compromise footprint.

Its toolchains have been consistently exposed since 2013 and various security companies have given them different monikers over the years: Operation Hangover by Norman/Shadowserver, Bahamut by Bellingcat, Monsoon by Forcepoint, Patchwork by Volexia (founded by an ex-Shadowserver analyst), Confucius (what a waste of name) and Urpage by Trend Micro, The Dropping Elephant or Chinastrats by Kaspersky, and Bitter by 360 Research.

It is probably the most compromised of threat actors ever. Analysts repeatedly highlight its extremely shoddy tradecraft.

It, however, seems to have evolved over the years. Recent reports by Talos and Cylance (which deems it as a ‘new’ nation-state APT) point towards its growing sophistication — manifesting as incremental parts and patches that do not add up as a whole (hence, the name Patchwork).

The actor now boasts of some zero-day tools and techniques — possibly acquired from the underground — hinting at its growing financial muscle.

It is what you get when you mix a toddler’s sketch-work with a Jackson Pollock painting — you feel dizzy just staring at it.

The targets of this APT remain varied and diverse, too: from civil society activists in the Middle East, terrorist organisations in Kashmir, think tanks in America, the armed forces of Pakistan, certain entities in China to even the  residents of India. They hint at a loose geopolitical affiliation — its imperatives are largely commercial.

I can also vouch for the fact that threat analysts have even narrowed down on the individuals behind the operation and their clientele: it is another matter that naming and shaming does not work to the industry’s advantage.

Here is a C-team whose code, toolchains, techniques, tradecraft, infrastructure, approach and philosophy carry the indelible DNA of the ecosystem from which it arose.

A friend in the government advised me not to talk about such things. But I think these C-teams, which are so exposed, operate in an environment whose physics is under the control of others: the A-teams. Every single move of theirs is watched.

If indeed this contractor shop has been hired by Indian agencies then all their operations have been compromised for long.

When the actor sells its wares to overseas clients with questionable credentials, the government invites tremendous geopolitical/reputational risk by mere association. It becomes the face of our cyber diplomacy.

It is seen that this contractor recycles much of its attack infrastructure across different campaigns — the lack of operational compartmentalisation may lead to direct domestic attribution which could be very embarrassing.

With no doctrine in place, we may be betting on third-parties for whom we have no protocols, operating procedures, rules of engagement and response guidelines.

Say, tomorrow, if the actor makes a grave operational error that ticks off a foreign government — are we then ready to handle its escalation dynamics?

Say, if Pakistan or China launch a full-scale cyber offensive in retaliation against such uncoordinated campaigns — who is going to take the responsibility of the fallout?

We live in times where cyberattacks — even those meant for espionage — are inviting unprecedented escalatory response.

What if the garb of plausible deniability that you think existed fails to protect you from direct exposure and attribution?

Something like this may have already happened. The cyber mercenary NSO Group has been implicated in the Khashoggi assassination, bringing the heat to Israel (whose export control law was bypassed by the NSO to strike this deal), Saudi Arabia and dozens of other governments which bought its wares.