Government and telecom entities in China and Pakistan were targeted in a cyberespionage campaign led by the Indian government, according to a report by Forbes. The campaign used zero day vulnerabilities sold to India by Exodus Intelligence, a zero day exploit broker based in Austin, Texas. It ran from June 2020 to April 2021, after which Exodus says it ‘cut off’ India from buying its zero day exploit research.
Zero day exploit brokers are companies that sell information about critical software vulnerabilities, and software capable of exploiting them. In this case, Exodus told Forbes, it provided India with information about the vulnerability, which an Indian government official or contractor later adapted into a working exploit and used.
The development comes amid calls for a moratorium on spyware applications, after a consortium of international news organisations published a revelatory series of stories in July on the use of NSO Group’s Pegasus spyware by multiple governments to spy on opposition leaders, activists, journalists, and others. While the software used in the Indian campaign may not have been spyware, whistleblower Snowden had said in an interview that the consortium’s findings illustrated how commercial malware, or malicious software, had made it possible for repressive regimes to place vastly more people under the most invasive types of surveillance. According to the report, in this case the exploit gave the attackers deep access to Microsoft PCs for nearly a year.
What did India do?
- According to the report, the campaign targeted Microsoft PCs in government and telecom units in China and Pakistan.
- Along with the espionage campaign, Exodus suspects that India exposed some of its research. The company’s contracts forbid customers from making its zero day research public. However, according to Kaspersky, DarkHotel, a South Korea-backed hacker group, has used one of Exodus’ zero days even though South Korea was not a customer of Exodus.
- Exodus also suspects that India used another vulnerability that allowed an attacker to obtain ‘higher privileges’ on a Windows computer. However, this is speculation, as researchers at Kaspersky, who first discovered the campaign, could not find specific instances of its use in a cyberespionage campaign.
What should the norms be regarding the use of such zero day exploits by countries? Do leave a comment.
Why was India cut off?
After researchers at cybersecurity firm Kaspersky discovered the campaign earlier this year, Exodus conducted its own investigation into India’s use of its research and confirmed Kaspersky’s findings. Around April 2021, India was cut off from using Exodus’ products. Exodus also informed Microsoft about the vulnerability and worked with it on a patch.
While the company doesn’t usually limit a client’s use of its research, it made an exception in India’s case. “You can use it offensively if you want, but not if you’re going to be . . . shotgun blasting Pakistan and China. I don’t want any part of that,” Lucas Browne, Exodus CEO and co-founder, is quoted as saying in the report. The company also suspects that India leaked its research to South Korea. “We are pretty sure India leaked some of our research,” Browne is quoted as saying. “We cut them off and haven’t heard anything since then . . . so the assumption is that we were correct.”
MediaNama has reached out to Microsoft for comment on the matter and will update the story as and when they respond.
What is Exodus? The company behind the vulnerability
According to the report, Exodus also provides information on zero days to the U.S., U.K., Canada, Australia, and New Zealand, the members of the Five Eyes intelligence alliance, and to their allies. Previously, the company had been in the news for providing the French police with a tool to hack the Tor Browser in order to identify and catch child sexual abusers. However, this tool, built on a vulnerability Exodus discovered, was later leaked.
The company also provides a ‘news feed’-like product that gives information on zero day vulnerabilities, without the software to exploit them, for up to $250,000 a year. This is the product Exodus believes India bought.
International dialogue around malicious software
- Last week, EU Commissioner Didier Reynders reiterated the need to fully investigate the Pegasus scandal at the start of a debate in the European parliament.
- In July, the US, UK, EU and their allies released a joint statement accusing China of carrying out malicious cyber activities and urged Chinese authorities to address the situation. That month, WhatsApp’s chief executive officer Will Cathcart also urged governments to step in and impose a complete moratorium on the spyware industry, in an interview with The Guardian.
- In October 2020, the US State Department released due diligence guidelines for American companies exporting products, including surveillance software, abroad.