Exclusive: India and Pakistan hit by spy malware – cybersecurity firm

By Rahul Bhatia

MUMBAI (Reuters) – Symantec Corp, a digital security company, says it has identified a sustained cyber spying campaign, likely state-sponsored, against Indian and Pakistani entities involved in regional security issues.

In a threat intelligence report that was sent to clients in July, Symantec said the online espionage effort dated back to October 2016.

The campaign appeared to be the work of several groups, but tactics and techniques used suggest that the groups were operating with “similar goals or under the same sponsor”, probably a nation state, according to the threat report, which was reviewed by Reuters. It did not name a state.

The detailed report on the cyber spying comes at a time of heightened tensions in the region.

India’s military has raised operational readiness along its border with China following a face-off in Bhutan near their disputed frontier, while Indo-Pakistan tensions are also simmering over the disputed Kashmir region.

A spokesman for Symantec said the company does not comment publicly on the malware analysis, investigations and incident response services it provides clients.

Symantec did not identify the likely sponsor of the attack. But it said that governments and militaries with operations in South Asia and interests in regional security issues would likely be at risk from the malware. The malware utilizes the so-called “Ehdoor” backdoor to access files on computers.

“There was a similar campaign that targeted Qatar using programs called Spynote and Revokery,” said a security expert, who requested anonymity. “They were backdoors just like Ehdoor, which is a targeted effort for South Asia.”

CLICKBAIT

To install the malware, Symantec found, the attackers used decoy documents related to security issues in South Asia. The documents included reports from Reuters, Zee News, and the Hindu, and were related to military issues, Kashmir, and an Indian secessionist movement.

The malware allows spies to upload and download files, carry out processes, log keystrokes, identify the target’s location, steal personal data, and take screenshots, Symantec said, adding that the malware was also being used to target Android devices.

In response to frequent cyber-security incidents, India in February established a center to help companies and individuals detect and remove malware. The center is operated by the Indian Computer Emergency Response Team (CERT-In).

Gulshan Rai, the director general of CERT-In, declined to comment specifically on the attack cited in the Symantec report, but added: “We took prompt action when we discovered a backdoor last October after a group in Singapore alerted us.” He did not elaborate.

Symantec’s report said an investigation into the backdoor showed that it was constantly being modified to provide “additional capabilities” for spying operations.

A senior official with Pakistan’s Federal Investigation Agency said it had not received any reports of malware incidents from government information technology departments. He asked not to be named due to the sensitivity of the matter.

A spokesman for FireEye, another cybersecurity company, said that based on an initial review of the malware, it had concluded that an internet protocol address in Pakistan had submitted the malware to a testing service. The spokesman requested anonymity, citing company policy.

Another FireEye official said the attack reported by Symantec was not surprising.

“South Asia is a hotbed of geopolitical tensions, and wherever we find heightened tensions we expect to see elevated levels of cyber espionage activity,” said Tim Wellsmore, FireEye’s director of threat intelligence for the Asia Pacific region.

The Symantec report said the ‘Ehdoor’ backdoor was initially used in late 2016 to target government, military and military-affiliated targets in the Middle East and elsewhere.

(Reporting by Rahul Bhatia. Additional reporting by Jeremy Wagstaff in Singapore; Editing by Euan Rocha and Philip McClellan)

White House, intel chiefs want to make digital spying law permanent

Director of National Intelligence Daniel Coats (2nd-R) testifies as he appears alongside acting FBI Director Andrew McCabe (L), Deputy Attorney General Rod Rosenstein (2nd-L) and National Security Agency Director Michael Rogers (R) at a Senate Intelligence Committee hearing on the Foreign Intelligence Surveillance Act (FISA) in Washington, U.S., June 7, 2017. REUTERS/Kevin Lamarque

By Dustin Volz

WASHINGTON (Reuters) – The White House and U.S. intelligence chiefs Wednesday backed making permanent a law that allows for the collection of digital communications of foreigners overseas, escalating a fight in Congress over privacy and security.

The law, enshrined in Section 702 of the Foreign Intelligence Surveillance Act, is due to expire on December 31 unless Congress votes to reauthorize it, but is considered vital by U.S. intelligence agencies.

Privacy advocates, though, have criticized the law for allowing the incidental collection of data belonging to millions of Americans without a search warrant.

The push to make the law permanent may lead to a contentious debate over renewal of Section 702 in Congress, where lawmakers in both parties are deeply divided over whether to adopt transparency and oversight reforms.

“We cannot allow adversaries abroad to cloak themselves in the legal protections we extend to Americans,” White House Homeland Security Adviser Tom Bossert wrote in an editorial published in the New York Times newspaper on Wednesday.

U.S. Director of National Intelligence Dan Coats, speaking on behalf of other intelligence agency leaders, also told the Senate Intelligence Committee panel on Wednesday that the statute should be made permanent, saying it was necessary to keep the United States safe from national security threats.

NSA Director Rogers added that the law had been vital to preventing terrorism in allied countries as well.

Fourteen Republican senators, including every Republican member of the Senate intelligence panel, introduced a bill on Tuesday that would make part of Section 702 permanent.

The statute, which grants the National Security Agency considerable freedom in the collection of foreigners’ digital communications, normally comes with a “sunset” clause, meaning that roughly every five years lawmakers need to reconsider its impact on privacy and civil liberties.

‘SPY ON AMERICANS’

Intelligence Director Coats said it was not feasible for the NSA to provide an estimate of the number of Americans whose communications are ensnared incidentally under Section 702.

Coats and other officials had previously told Congress they would attempt to share an estimate publicly before the statute expires. A frustrated Democratic Senator Ron Wyden, who has asked for such an estimate for several years, said Coats “went back on a pledge.”

Privacy advocates criticized the push to make Section 702 permanent, arguing that regular reviews of the law were necessary to conduct appropriate oversight and prevent potential abuses.

“After months of criticizing the government for allegedly spying on his presidential campaign, President Trump is now hypocritically endorsing a bill that would make permanent the NSA authority that is used to spy on Americans without a warrant,” said Neema Singh Guliani, legislative counsel with the American Civil Liberties Union.

Disclosures by former NSA contractor Edward Snowden in 2013 revealed the sweeping nature of 702 surveillance, prompting outrage internationally and embarrassing some U.S. technology firms shown to be involved in a program known as Prism.

Last week, Facebook, Amazon and Alphabet Inc’s Google sent a letter to Congress urging lawmakers to adopt several reforms to the law, including codifying the recent termination of a type of NSA surveillance that collected Americans’ communications with someone living overseas that merely mentioned a foreign intelligence target.

Making the law permanent without changes would preclude codifying that change.

Reuters reported in March that the Trump administration supported renewal of Section 702 without any changes, citing an unnamed White House official, but it was not clear at the time whether it wanted the law made permanent.

(This version of the story corrects paragraph 14 to add dropped words “embarrassing some U.S. technology firms involved in”)

(Reporting by Dustin Volz; Editing by Alden Bentley and Paul Simao)