With a significant spike in ransomware attacks, hackers are targeting companies of all sizes and sectors.
Image: Shutterstock O
n March 2, the Mumbai-headquartered Sun Pharmaceuticals reported that a security breach had taken place with its IT assets. On March 26, the company said its revenue is expected to decline as operations have been affected due to the attack.
If cybersecurity breaches can pull down India’s largest drugmaker, you could be next in line.
While Indian companies are riding the wave of rapid digitisation, the threat landscape is also expanding at an equally fast clip. India ranks third globally and first in the Asia-Pacific region in the list of 111 countries affected by the world-wide activity of scam groups distributing info-stealing malware, according to research by Group-IB, a Singapore-based cybersecurity firm. Another report by cybersecurity firm Palo Alto Networks points out that India is the second-most targeted country in the Asia Pacific and Japan region after Australia.
A study by Check Point Research, an American-Israeli cyber threat intelligence analyst, an organisation in India was attacked 1,866 times per week on an average in 2022, with the healthcare sector facing the maximum number of attacks.
Cyberattacks have surged over the years because they have become a successful financial model, explains Dmitry Volkov, CEO and co-founder of Group-IB. “We see the threat actors evolving continuously every year. The number of cybercriminals who manage this ransomware activity and affiliate programmes continues to grow. That's why, because of high competition, they're always trying to learn new ways to earn money from new regions. The whole ecosystem of threat actors continues to develop. They don't rely on one single group, they attack simultaneously, on multiple companies.”
With a significant spike in ransomware attacks, hackers are targeting companies of all sizes and sectors. These attacks typically involve encrypting a company’s data and holding it hostage until the company pays a ransom to the attackers. Like it happened with Sun Pharma. “The incident’s effect on the IT systems includes a breach of certain file systems and the theft of certain company data and personal data,” it said in a filing with the stock exchanges. It further added that a ransomware group has claimed responsibility for the incident, and that the company has taken “steps to contain and remediate the impact of the IT security incident, including employing containment and eradication protocols to mitigate the threat and additional measures to ensure the integrity of its systems infrastructure and data.”
According to a news report by The Cyber Express, the ALPHV ransomware group has claimed responsibility for the attack on Sun Pharma, stating that they have accessed over 17 Terabytes (TB) of data from the company. This includes sensitive information on customers and vendors and complete documents on over 1,500 US employees. ALPHV, also known as BlackCat, is a ransomware group that operates as Ransomware-as-a-Service (RaaS). In the past, the group has targeted many large and small enterprises. Also read: How should regulators policy cyber insurance for Indian businesses?
Why is India vulnerable?
India is still lagging in terms of having a robust cybersecurity system. Both businesses and government organisations are either spending less on cybersecurity or not overseeing the damage a cyberwarfare can cause. Rising geopolitical concerns are already triggering an increase in politically-drive attacks targeting military secrets, infrastructure, or fomenting disinformation and propaganda campaigns.
There is still a lot of resistance when it comes to adopting newer technologies. The level of attacks have attained a level of sophistication unmatched by legacy technology. “You cannot fight a war where the attack is coming from a tank and you are shooting bows and arrows. You have to upgrade your defence and offence systems to be able to protect yourselves,” says Harshil Doshi, director sales (India and SAARC) of Securonix, a Texas-based organisation that utilises machine learning and artificial intelligence to detect advanced threats.
The enterprises are still struggling to go beyond signature-based detections on their anti-virus, firewalls and proxy. Whenever any big organisation is targeted, it makes headlines for a few weeks before the buzz dies down. No one knows what happened next—if the company was penalised, if there was an audit or any post-facto resolution. “We literally have to use this tool called ‘fear’ to convince our customers saying, ‘If you don't use this, you will be attacked’. We don't want fear to be the trigger for the organisations to take the next step, we want farsightedness. Unless there is an attack that has a far-fetching consequence, nobody is going to even care,” adds Doshi.
The regulatory landscape is quite weak in India. If there is a cyberattack or data breach, there aren’t any significant fines or disincentives for the companies to invest more in cybersecurity, explains Yash Kadakia, founder of Security Brigade, an information technology security solutions provider.
For instance, take Europe’s General Data Protection Regulation (GDPR), the toughest privacy and security law in the world that mandates a huge financial impact for data loss. “There are high fines and such a high brand impact that you have a genuine disincentive. So the GDPR is so stringent that it is important for the organisations to ensure they don’t get hacked. If you can get hacked, it is going to be a giant financial hit, and most likely going to result in closure of business. That's how large the fines are in many cases,” says Kadakia.
The severity of data theft has reached to a level that it has become a double-edged sword, Kadakia further says. The cybersecurity providers are noticing a pattern wherein the attackers steal data of a company and put it on the dark net, a part of the internet that isn't visible to search engines and requires the use of an anonymising browser called Tor to be accessed. Before anyone else purchases it, the company asks these cybersecurity providers to buy their own data before others can lay their hands on it. This has evolved into a business, where if the hackers notice the demand is increasing, they will be motivated to steal more data.
These cyberattacks have not only tormented businesses, but also government organisations, and individuals in nearly every sector. With ransomware tools easily available at nominal rates, things have become easier for these threat actors. Even with moderate technical skills, hackers can launch attacks that can cost companies millions.
On November 23, the All India Institute of Medical Sciences (AIIMS), New Delhi, faced a cyberattack, paralysing its servers. A case of extortion and cyber terrorism was registered by the Intelligence Fusion and Strategic Operations (IFSO) unit of the Delhi Police on November 25. As many as five servers of AIIMS Delhi were impacted in the incident and 1.3 TB of data encrypted by the hackers.
On February 10, Minister of State for Electronics and Information and Technology Rajeev Chandrasekhar disclosed the findings of a technical analysis into the AIIMS Delhi cyberattack in the Parliament. Chandrasekhar said the attacks were the handiwork of unknown threat actors and caused due to improper network segmentation.
In a written reply to the Parliament, he said the Indian Computer Emergency Response Team (CERT-In) evaluated the incident but noted that AIIMS servers were managed by them only. “As per preliminary analysis, servers were compromised in the information technology network of AIIMS by unknown threat actors due to improper network segmentation, which caused operational disruption due to non-functionality of critical applications.”
Chandrasekhar also informed the Parliament on the same day that India witnessed 13.91 lakh cybersecurity incidents in 2022, down from 14.02 lakh in 2021. But Royal Hansen, Google’s vice president of engineering for privacy, safety and security, pegs the number to be way higher, at 18 million cyberattacks and 2 lakh threats per day in the first quarter of 2022 itself. He mentioned the numbers while addressing the ‘Safer With Google’ event last year on August 25.
A report on ‘Hi-tech crime trends 2022/2023’ by Group-IB revealed that the networks belonging to seven Indian State Load Dispatch Centers (SLDCs) that conduct real-time operations for grid control and electricity dispatch had been attacked. All seven SLDCs are located near the India-China border in Ladakh. The attacks involved a Trojan called ShadowPad, which is thought to have links to contractors serving China’s Ministry of State Security (MSS). “Because the targeting was prolonged, it was most likely part of a mission to gather information about critical infrastructure rather than seeking immediate benefits. Such information could later be used to gain access across a system and carry out disruptive activities,” the report stated.
In India, more research is needed on cybersecurity, says Brijesh Singh, additional director general for police in Maharashtra, who has also led the implementation of the Maharashtra Cyber Project. “Even geopolitically, our institutions should do more R&D, create more cybersecurity products and patents, which we are not doing at the moment. The government departments have a greater responsibility and liability because they’re handling public data. Apart from that, governance is a matter of trust and these data breaches affect that,” says Singh who also thinks there is a need for a strong cybersecurity framework from the government. “It is also about how you mitigate the risk. Better use of encryption, proper backups, and regular cyber hygiene needs to be done.” Also read: Cybersecurity awareness, education dismal in Indian boardrooms
The Legal Framework
There is no dedicated law on cybersecurity in India, and there are no legal frameworks to deal with the rising challenges of cyberattacks. In India, the Information Technology Act, which came into effect in 2000, contains the cyber laws. But the cyberspace has evolved way faster than legal and the current laws can’t keep pace with its different aspects and nuances.
Jurisdiction in emerging technologies such as artificial intelligence (AI), cryptocurrency, ChatGPT, internet of things (IoT) are the grey areas that are yet to be regulated. Tech giants have come up with these technologies at such a speed that, while people have recently shifted from physical currency to digital payments, they are already using and relying on AI for most of their work, explains advocate Liza Vanjani who practices at the Gujarat High Court and also works as a legal freelancer at Forensic Cybertech, a consulting firm. To deal with the international cybercrimes, trans-border communication can be done with the help of MLAT (Mutual Legal Assistance Treat), treaties, conventions or letter rogatory signed between the countries.
“The Proposed Digital India Act (DIA), 2023, by the ministry of electronics and information technology (MeitY) highlights the need for global standard cyber laws which would cover the Digital Personal Data Protection Act, DIA Rules, IPC Amendments for Cybercrimes and National Data Governance Policy. The need for the Safe Harbour Principle for Intermediaries remains a question mark in DIA,” says Vanjani. Also read: Seven challenges against securing the systemic cyberspace in the industrial IoT age
As the adoption of technology is increasing by the day, the frequency and severity of cyberattacks will also grow. What can organisations do? First, say experts Forbes India spoke to, the companies should stay updated about recent cyberattacks to understand the tools used during an attack and how the attackers operate. All threat actors must be prioritised.
Threat intelligence has existed for many years, but the companies don’t use this knowledge, says Volkov of Group-IB. He adds that there is lack of human resources. “If you talk about knowledge, you must have at least a few people in the company who will be able to convert knowledge in some actions to protect the organisation. Post the pandemic, a lot of people are working remotely. And these are very easy to compromise. Another very important thing is ‘passwords’. It all starts from there, using the same passwords for different logins can be an easy target for the attackers. Even if you use two-factor authentication, it is still possible to bypass it. So resusing and having the same passwords should be avoided,” he says.
According to Maheswaran Shamugasundaram, country manager of Varonis India, a New York-based all-in-one cybersecurity platform, organisations should monitor users and data to predict the breaches in advance. It all begins from hackers stealing the user credentials to get into the system and access files to encrypt and exfiltrate the data. Users accessing file types that they have never accessed before and logging in from a geography that they have never accessed before are some indicators that organisations can detect and predict to contain that behaviour.
“As consultants, when we perform these assessments to understand gaps that exist in an organisation's cybersecurity framework, we notice the lack of adequate investments around users and data. Second, most organisations have these awareness campaigns. But sending those phishing emails might not be enough because the attackers now personalise and craft these emails according to user behaviour and preferences. Organisations need to remain a step ahead and develop a more robust mechanism from stopping the employees to fall prey to these emails,” says Maheswaran.
Huzefa Motiwala, director, systems engineering, India and SAARC, at Palo Alto Networks suggests implementing a zero-trust initiative, which is a strategic approach to cybersecurity by eliminating implicit trust and continuously validating every stage of a digital interaction. “Organisations need to relook at the way they are currently treating their confidential data. With the Data Protection Act expected to come in soon, it will drive a lot of urgency in terms of how the organisation is storing the data, for how long they should be storing it and so on. CERT-In is also driving a lot of emphasis on how long the enterprise should be keeping their logs and data and how they should be handling the breach and more. But we need all hands on the deck, all cybersecurity companies need to get that awareness going. Cybersecurity should not be an afterthought. It should be bolt-on into your business practices,” says Motiwala.
Gautam Mengle, a senior journalist with Mid-Day
who has been tracking cybersecurity in India from seven years, says that, at present, there are over 100 crore data points—names, emails, passwords, contact numbers, addresses and photographs—hacked from Indian devices that are free-floating on the internet for anyone to use as per their nefarious requirements. “With IoT becoming stronger and more widely used every day, hackers will have an increasing number of devices at their disposal and hence, an increasing number of ways in which they can wreak havoc. Choosing proactivity over reactivity is the only way forward,” suggests Mengle.
As most research reports point out challenging times for India on the cybersecurity front, it will be crucial for the organisations and authorities to step up and bring these recurring attacks under control. However, Kadakia of Security Brigade says that from his almost two decades of experience so far, India is making progress. “The fact that you're hearing about all these companies getting hacked now is a progress. The breaches are coming out, people are learning about them and this is going to hold those companies more accountable, and they're going to invest more in security and we'll start seeing this problem solved.”