Lords of Dharmaraja is a hacker group allegedly operating from India. [1] In 2012 the group threatened to release the source code of Symantec's Norton Antivirus product and published documents alleging that the Government of India had "arm-twisted" international mobile manufacturers into helping it spy on the United States-China Economic and Security Review Commission (USCC). Symantec confirmed that the source code of Symantec Endpoint Protection 11.0 and Symantec Antivirus 10.2 had been compromised and obtained by the group, while United States authorities investigated the allegations of Indian involvement in the spying. [2] [3]
The group posted its threat on Pastebin, a public text-sharing site, along with what it said were confidential documents, memos, and Symantec source code. [4] The uploaded documents appear to show the Indian government pressuring international mobile manufacturers such as RIM, Apple, and Nokia to assist in spying on USCC. [5] The group also claimed to have found source code belonging to a dozen software companies that had signed agreements with the Indian TANCS programme and the CBI. [6]
After the group posted its threats, Christopher Soghoian, a security and privacy researcher in the US, tweeted: "Hackers leak Indian Military Intel memo suggesting Apple has provided intercept backdoor to govs". He also linked to the gallery of images and documents. The documents appear to relate to the Tactical Network for Cellular Surveillance (TANCS), a technical agreement with mobile manufacturers, and email communications of members of USCC. [7]
As reported in The Times of India, in 2012 the group posted a statement on Pastebin saying, "As of now, we start sharing with all our brothers and followers information from the Indian Military Intelligence servers, so far, we have discovered within the Indian Spy Programme source codes of a dozen software companies which have signed agreements with Indian TANCS programme and CBI." [8]
The group also said, "Now we release confidential documentation we encountered of Symantec corporation and its Norton AntiVirus source code which we are going to publish later on, we are working out mirrors as of now since we experience extreme pressure and censorship from US and India government agencies." [9]
When a correspondent of The Times of India tried to reach an alleged member of the Lords of Dharmaraja using the name "YamaTough," he did not reply. YamaTough also has a Twitter account, [10] on which he described himself as an "anonymous [avenger] of Indian independence frontier." [11]
According to The Times of India, the uploaded memos, dated October 6, 2011, state that the international mobile manufacturers RIM, Apple, and Nokia, along with the domestic manufacturer Micromax, gave Indian military intelligence "backdoor access" for digital surveillance in exchange for being allowed to do business in the Indian market. The memo records a decision to sign agreements with the manufacturers in exchange for "business presence" in India because military intelligence had no access to the United States Chamber of Commerce's LAN, which was protected by a VPN and communication gateways such as POP servers. The memos further state that this "backdoor" was used by Indian intelligence to spy on USCC. [12]
As reported by Rediff.com, the leaked documents indicate that the Indian Army's intelligence arm, Military Intelligence, and the Central Bureau of Investigation (CBI) had been conducting bilateral cellular and Internet surveillance operations since April 2011. In July 2011, a sub-committee of Military Intelligence prepared a detailed Cyber Defence Plan for 2011, after which Military Intelligence-CBI "joint operations" were being conducted daily. [13]
An article in The Register, also based on the uploaded documents, says that a "CYCADA" data intercept team was operating on the networks using backdoors provided by the mobile manufacturers. It adds that the leaked memos contain conversations between members of USCC on currency issues and on the actions of Western firms in helping the Chinese aircraft industry improve its avionics and engine manufacturing. [14]
As reported by Reuters, USCC officials asked the "concerned authorities to investigate the matter" and did not dispute the authenticity of the intercepted emails that the leaked documents present as evidence of the "backdoor channel". [15] Hindustan Times quoted Jonathan Weston, a spokesman for USCC, as saying, "We are aware of these reports and have contacted relevant authorities to investigate the matter." US authorities were reported to be investigating the allegation that an Indian government spy unit had hacked into the emails of the US official panel that monitors economic and security relations between the United States and China. [3]
Mobile manufacturers largely declined to comment when The Times of India contacted their spokesmen. Alan Hely, a senior director of Corporate Communications at Apple Inc., declined to comment on the leaked documents but denied that any backdoor access had been provided. RIM likewise declined to comment on the leaked memos, dismissing them as rumour and speculation when contacted by The Register, and stated that "it does not do deals with specific countries and has no ability to provide its customer's encryption keys." [16] A spokesman for Nokia was quoted as saying, "The company takes the privacy of customers and their data seriously and is committed to comply with all applicable data protection and privacy laws." [17]
Speaking to Rediff.com by phone, the Indian Army denied spying on USCC through mobile companies; a military spokesman said the uploaded documents had been forged with malicious intent. [18]
The group threatened to publish the entire source code of Norton Antivirus, a Symantec product, which it claimed to have found while hacking servers associated with India's Military Intelligence. To add weight to its threat, the group posted some of the source code to Pastebin.
Imperva, a data security company, commented that the group's claims, if true, would be an embarrassment for Symantec. Rob Rachwald of Imperva speculated that the group might have retrieved the files because they resided on a "test server" or had been posted to an FTP server, exposing them unintentionally through negligence. He added that "governments do require source code of vendor products to prove that product is not spyware". [19]
Symantec initially tried to play down the incident, saying the documentation and preview code were nothing special; Chris Paden of Symantec said the published material was no more than Symantec's API documentation, which every software vendor, including Symantec, shares with clients, including governments. Symantec eventually confirmed that the source code of Symantec Endpoint Protection 11.0 and Symantec Antivirus 10.2 had been compromised and obtained by the group. [20] [21]