Information Warfare: Children Of The Sun


March 30, 2021: An American Internet security company (Lookout Inc) recently revealed that a group of Indian hackers known as Confucius had carried out a hacking campaign against Pakistani military and nuclear program officials from sometime in 2017 until the end of 2020. The smartphones of victims were attacked with innocent looking apps containing malware called Sunbird that eventually gets user information (contact lists, geolocation history, email, texts and audio and video files) to servers that were known and not the kind normally used by hackers. The infected apps were often Android security or chat and dating apps designed for a Pakistani audience. While thousands of people downloaded the infected apps, fewer than 200 had the malware activated because those users were on a target list of people the hackers wanted to get data from. Confucius has been active for a long time and known for being especially careful about not being detected as they specialize in hacking organizations who employ lots of defenses against any kind of computer hacking.

The Confucius operation was discovered when some of the stolen data files were discovered before they would be deleted from the unsuspecting storage after Confucius came to get them. This enabled an Internet security firm to track down the infected apps and find out who the targets were. Meanwhile Sunbird is still out there and being improved.

It was also discovered that Sunbird was just an Indian version of a more widely used malware called Sunservice. The Confucius group also used a stealthier and less capable malware called Hornbill. This one only sent back chat data and used far less battery power than Sunbird. Hornbill was actually more widely used as a reconnaissance app, to discover which infected phones were being used by people in the Pakistani military or nuclear weapons programs. If they were not, Hornbill was ordered to erase itself and leave no trace of ever being on the phone. If the user was a target, Hornbill assisted in installing Sunbird before erasing itself. Sunbird took more hacker time and effort to install and operate on an infected phone. Sunbird uploaded a lot of data and this had to be done carefully lest it ran down the battery quickly enough for the user to notice and possibly have the phone checked. That would often reveal the presence of Sunbird.

The Confucius hack was not the only one carried out in this part of the world. In mid-2018 a group of Pakistani hackers, who specialize in surveillance software for parents to track their children (or a spouse) were hired by the Pakistani intelligence agency (ISI, or Inter Service Intelligence agency) to create spyware (Stealth Mango for Android and Tangelo for IOS) versions and then help distribute it (using Facebook Messenger) to some key government officials and civilians in Afghanistan, India, Iraq, Iran, the United Arab Emirates and Pakistan. This approach uses a lot of “social engineering” as the hackers must contact the target individuals and persuade them to download an app that pretends to be something other than spyware. Most targeted individuals were either not interested or didn’t trust the offer. The most secure (resistant to this spyware) cell phone was the iPhone and the spyware would only work on the small number of iPhones that that had been modified (“jailbroken”) to run apps that did not come from the Apple App Store. As usual, the Android phones were much more vulnerable. In any event, it appears that only about a dozen people were persuaded to install the app. That, it turned out, was enough key people to collect a lot of important data.

The Stealth Mango/Tangelo effort was another intelligence-gathering operation that, in this case, collected a lot of sensitive data about American and Australian military and diplomatic activities. Collecting and transmitting the data, without the phone owner being aware, was how Stealth Mango/Tangelo was discovered by an Australian Internet security company in early 2018. Stealth Mango/Tangelo needed a lot of permissions on the infected phone in order to work and mostly went after data (documents and photos) as well as messages, location and contact lists. At least 40 GB of material was stolen from the infected phones by the hackers before Google and Apple were informed and victims were notified and the spyware was disabled. Customers of Internet security firms were warned that apps like this will continue to be used. Actually, this sort of spyware has been around for quite a while and the latest ISI and Indian use of it was just another example. Over the next few years updated versions of Stealth Mango kept showing up, being used against a new group of victims.

Internet hacking operations are not unusual for the ISI as Pakistan and India have been using the Internet to spy on each other for decades. Even before the Internet became widely available in the late 1990s, there was an ongoing "war" between Indian and Pakistani hackers. Most of this has been little more than vandalism (defacing web pages and the like), but there have been some more serious hacks. 

Another fun fact is that Pakistan has always had the largest software developer and hacker community of any Moslem country. India developed a larger software development industry because, like Pakistan, most of the software specialists knew English. Early on Pakistan developed a large, and growing, software development industry of its own. In fact, the first known computer virus, the "Brain Virus" was written by Pakistani programmers in the late 1980s. "Brain" was created to help protect software a Pakistani firm had created and was selling, from pirating (illegal copies). But, instead, the Brain virus got out of control, and the rest is history. Pakistan has a lot of homegrown talent for their computer crime operations, and the ISI, to recruit from.

Most Pakistani programmers want to make an honest living with their skills. Despite that, hacking got so bad in Pakistan that in 2008 the government enacted the "Prevention of Electronic Crimes" law. In addition to explicitly describing various Internet-based crimes, and declaring them criminal acts, it also defined cyberterrorism and the penalties for Internet terrorists. If someone causes the death of another because of cyberterrorism, the maximum punishment is execution. But the law only applies to those hacking Pakistanis. While ISI saw this hacking as a problem, it was also an opportunity when used to go after real or imagined enemies. Here Pakistan would follow the example of their Chinese patrons.

As more Internet users moved to smartphones so did the hackers. Smartphone users were even more valuable, and vulnerable than users of desktop and laptop computers. In that respect, the Pakistani and Indian hacks of each other’s smartphone users was not unique.




Help Keep Us From Drying Up

We need your help! Our subscription base has slowly been dwindling.

Each month we count on your contribute. You can support us in the following ways:

  1. Make sure you spread the word about us. Two ways to do that are to like us on Facebook and follow us on Twitter.
  2. Subscribe to our daily newsletter. We’ll send the news to your email box, and you don’t have to come to the site unless you want to read columns or see photos.
  3. You can contribute to the health of StrategyPage.
Subscribe   contribute   Close