How a Word File Can Take Down a Government

Tales from the Encrypted

Twenty years ago, Will Smith and Jeff Goldblum saved the planet from imminent destruction by uploading malware onto an alien mother ship using an Apple PowerBook. To do this, they commandeered a scout ship that had crashed in the middle of the Nevada desert and flew out into space, to interface with its systems in order to take control and blow it up. Compared to this drudgery, today they could have probably sent the aliens an email with malware as an attachment, and their work would be done.

What, you ask, is malware? In the world of nefarious software programmes, “malware” is an umbrella term for malicious software, written with the intent of causing varying degrees of harm to the host’s computer or mobile device. Malware sometimes exists as standalone software – occasionally masquerading as programmes that make dubious claims, promising to make your computer faster or to give you free unlimited access to your favourite TV shows – or exists surreptitiously within seemingly harmless files.

Late last year, researchers at Palo Alto Networks identified an attack on the Indian embassy in Kabul. An email attachment sent directly to the Indian ambassador contained hidden malware. This could have allowed the attacker to compromise the targeted user’s system by not only accessing all its data, but also recording audio and pictures using OpenCV, a popular software library that was also used on NASA’s Mars Rover.

The Indian government itself has been no stranger to ridicule because of its antiquated approach to web and technology. A cursory visit to a government website, picked at random, is like time travelling to the late 1990s, complete with scrolling text and flashy animated GIFs. In the past two years, some of the administration’s various master strokes have included banning, (a critical everyday repository for software developers), and the popular video streaming site as a response to content allegedly posted by jihadist groups. More recently, the home minister quoted a parody Twitter account of terror mastermind Hafiz Saeed as a genuine source during a press conference. While these relatively benign gaffes have received widespread ribbing and choreographed facepalms, relatively serious lapses like spyware intrusions have gone largely unnoticed.

Given the pace of day-to-day activities at government-run offices, it’s entirely possible that the malware process only managed to capture a glimpse of several spontaneous tea breaks at the embassy. However, it’s equally likely that it could have captured several coordinated efforts by the ambassador’s office to bring stability to the Afghanistan region. A suicide attack in 2008 on the Indian embassy in Kabul resulted in 58 deaths and over 150 serious injuries. A security breach of this nature could have led to leaks that may have compromised military operations and the safety of all involved.

More troublesome, however, is the relative simplicity of the means by which an attacker can access a top government official’s system. In this case, the offending attachment was an .RTF (Rich Text Format) document, which is typically opened by Microsoft Word (part of the Microsoft Office suite of programmes) if it has been installed. Older versions of Microsoft Office suffered from a specific vulnerability that allowed a specially crafted RTF file to crash the programme that opened it and, in the process, install malware that runs in the background on the system. Versions of Microsoft Office since 2010 have fixed this.

In other words, a high-ranking Indian diplomat may have had his system infected by malware because his office downloaded an attachment from an unknown sender and didn’t update Microsoft Office. Were the circumstances not so sensitive, this might actually be funny. The malware could have enabled the attacker to execute specific commands on the system including, but not limited to, recording keystrokes, taking a screenshot of the display, recording audio and photos, and copying various files from the laptop’s disk drive and any USB drive that had been plugged in. These commands would relay their content back to a server owned by the attacker.
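The attachment described above is an ordinary RTF file carrying an embedded object, which is exactly the kind of thing a mail gateway can flag before anyone double-clicks it. The following is an added illustration, not code from the article or from Palo Alto Networks: a small triage routine that identifies RTF content by its header (whatever the file is called), flags the RTF control words that introduce an embedded object, and returns an allow / review / quarantine verdict. The sample attachments are constructed, and the control-word heuristic is an assumption about what benign office mail rarely needs, not a full parser.

```python
import re

# Constructed sample attachments (not from the original article).
BENIGN_RTF = b"{\\rtf1\\ansi\\deff0{\\fonttbl{\\f0 Calibri;}}\\f0 Agenda for Monday.\\par}"
OBJECT_RTF = (b"{\\rtf1\\ansi{\\object\\objemb{\\*\\objclass Package}"
              b"{\\*\\objdata 0105000002000000}}\\par}")
MISLABELLED_DOC = ("report.doc", BENIGN_RTF)  # RTF content behind a .doc name

# RTF control words that mark an embedded OLE object; routine correspondence
# rarely needs them, so their presence is a signal worth a closer look.
OBJECT_MARKERS = {
    "embedded_object": rb"\\object\b",   # start of an embedded object
    "objdata_payload": rb"\\objdata\b",  # hex-encoded object payload follows
}


def is_rtf(data: bytes) -> bool:
    """RTF files start with the '{\\rtf' header regardless of their extension."""
    return data.lstrip().startswith(b"{\\rtf")


def triage_rtf(filename: str, data: bytes) -> dict:
    """Classify an attachment as allow / review / quarantine before it is opened."""
    result = {"is_rtf": is_rtf(data), "findings": [], "verdict": "allow"}
    if not result["is_rtf"]:
        return result
    # Word opens RTF content even when the name says .doc; the mismatch is itself a signal.
    if not filename.lower().endswith(".rtf"):
        result["findings"].append("extension_mismatch")
        result["verdict"] = "review"
    # Any embedded-object marker outranks the extension check.
    for label, pattern in OBJECT_MARKERS.items():
        if re.search(pattern, data):
            result["findings"].append(label)
            result["verdict"] = "quarantine"
    return result


if __name__ == "__main__":
    for name, blob in [("agenda.rtf", BENIGN_RTF), ("invite.rtf", OBJECT_RTF), MISLABELLED_DOC]:
        print(name, triage_rtf(name, blob))
```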

Now this malware happened to be spyware with info-stealing abilities, but it could just as easily have been a more complicated beast with infinitely more nuisance potential. The point is that once access is possible, anything can be affected. For a moment, let’s try to imagine what the attacker could do with this kind of access and control if he had been successful. A lunatic with a sense of humour similar to my own could have made spooky noises through the laptop’s speakers, or alternatively, if he wanted to get everyone in on the joke, could have edited the ambassador’s documents to replace random sentences in official correspondence with lines from a Tarantino movie. Alternatively, if he was done with the monotony of daily existence, he could have sent declarations of war to the ambassador’s counterpart in the Afghan government.

The military and diplomatic arms of the government have been victims of several such infiltration attempts, some of which were successful. Last month, researchers at Palo Alto Networks made progress in their investigations into “ProjectM”, the codename assigned to these targeted attacks, by identifying a link between the group and a suspected individual from Karachi, who may have played a role in distributing the malware or setting up the infrastructure that enabled these attacks.

Investigators were able to obtain an email address and other personal information of the individual involved due to an oversight on his part. He left his contact details publicly available on one of the domains that were used in the spread of malware. This led the investigators to his blogs, websites, YouTube channel, Facebook, LinkedIn, and other social accounts, all of which were used to create a profile and track down the suspect, who appears to be a freelance web designer by profession, though arguably not a very good one.

Attacks of this kind are relatively unsophisticated, given the well-known vulnerabilities they rely on to infiltrate the target’s systems. The key, really, is that targeted systems should not be running versions of Microsoft Office so out of date and unpatched that a simple RTF attachment, if opened, can potentially reveal state secrets to even an amateur web designer in Karachi, let alone to an espionage operation run by a foreign government.

Incidents of this scale and magnitude make you wonder about the overall cyberattack preparedness of the country, particularly that of government systems and those that store confidential information. Last year, Telecom and IT Minister Ravi Shankar Prasad revealed that close to 10,000 websites had been compromised by cyberattacks. Last month, The Global Cyber Vulnerability Report, a book co-authored by VS Subrahmanian, an Indian-American professor at the University of Maryland, named India, China, and Saudi Arabia, along with 44 other nations, as the countries most ill-prepared for large-scale cyberattacks.

Given the government’s push toward Digital India, coupled with the unsophisticated nature of these attacks, one cannot help but be disturbed by all of this.

You never know who will strike next.

This post is sponsored by Palo Alto Networks.