Pakistan’s Inter-Services Intelligence (ISI) may have successfully penetrated the database of state-owned Bharat Sanchar Nigam Ltd (BSNL) and also installed spyware in the telco’s systems, India’s interior ministry fears, according to documents reviewed by Mint.
Posing as Major Vijay from Indian Army headquarters, Pakistani intelligence officers had called up a BSNL employee in February this year, and followed it up by email communication with the staffer to obtain critical information. The home ministry is of the view that this email communication led to the ISI successfully installing malware on BSNL’s networks, and this may have “contaminated the telco’s computer systems and compromised the integrity and security of the system”.
The home ministry is worried that the spyware may enable Pakistan’s ISI to “identify and access communication links of sensitive organizations”, making the latter vulnerable to cyber attacks.
The documents show that the home ministry also fears that the alleged spyware will enable Pakistan to remotely monitor BSNL’s networks and operations, providing the ISI with the capability of disabling critical networks.
India’s Intelligence Bureau (IB) referred to this incident in a 22 July note. The incident itself took place on 19 February and IB briefed the Prime Minister’s Office, the cabinet secretary, the ministries of home, telecom and IT and external affairs as well as the country’s elite external intelligence agency, the Research and Analysis Wing (RAW), of this development on 25 February.
The mode of operation was as follows. ISI spoofed a landline number (011-23016782) so that the call would appear to originate from Indian Army HQ in Delhi, and called up a BSNL executive on his mobile phone.
Posing as Major Vijay, the ISI officer claimed that the Indian Army was unable to access BSNL’s subscriber base from its website, and also sent the BSNL employee a “test mail” on his Gmail address. The BSNL employee replied to this email by sending three online links, believing that he was helping the Army. The ISI officers then got back claiming they were unable to open the links. Besides, they (ISI) sent some links to the BSNL employee who opened the same on his computer thus enabling the Pakistani agency to allegedly install the malware in the state-owned telco’s systems. The BSNL employee also offered to forward the telephone numbers of technical staff handling its call data records project in Chandigarh, Hyderabad, Pune and Kolkata.
IB briefed BSNL’s chairman and managing director Rakesh Upadhyay on this incident and asked the telco to identify and remove the alleged spyware from its systems, in addition to asking the company to initiate action against the employee.
The BSNL CMD didn’t respond to calls.
To be sure, this is IB’s version of events. Mint couldn’t independently confirm any of the details, including the claim that the call came from ISI.
BSNL’s networks are of strategic importance to India. The state-owned entity is building an alternative communication network for the armed forces, the completion of which will result in the Army, Air Force and Navy vacating additional spectrum for commercial mobile telephony, and routing their communications through this wireline system.
BSNL and Mahanagar Telephone Nigam Ltd (MTNL) are also operating and maintaining the secure network that they are currently building to link all government departments in the country. This network, which will connect about 5,000 government departments when completed, is aimed at ensuring confidentiality of all official communication. Besides, BSNL’s networks also link the servers of private mobile phone companies to the upcoming Centralized Monitoring System (CMS), a surveillance platform that will enable the government to monitor all forms of communication from emails to online activity to phone calls, text messages and faxes among others.
Experts see the breach as yet another incident of social engineering posing a threat to corporations and sensitive data.
“Social engineering techniques allow a lot of access if an employee is not made aware and trained to screen calls and handle sensitive data properly. Hackers have been able to get blueprints and sensitive data successfully through social engineering, which is made easier nowadays with people not caring about their privacy and personal data available in the public domain in social media sites,” said Shree Parthasarathy, executive director, enterprise risk services, Deloitte.
“Another challenge is the classification of data. If there was a standard process then I’m sure the breach would have been caught. It’s relatively easy to solve but poses a major threat at the present time.”
Shauvik Ghosh in New Delhi contributed to this story.