Tamil Nadu Ransomware Attack Raises Resiliency Questions
Security Experts on Vulnerabilities, Prevention Steps for State Governments
The recent ransomware attack on the Tamil Nadu government's Public Department systems puts the spotlight on the preparedness of state governments in India to identify and stave off ransomware attacks.
Security experts share with Information Security Media Group what makes IT systems in state government institutions vulnerable to targeted attacks and how future attacks can be prevented.
The Tamil Nadu Ransomware Attack
The Tamil Nadu state government's Public Department was the victim of a ransomware attack on Sept. 18-19, Neeraj Mittal, principal secretary at the state's IT department, confirmed to news agency IANS on the first day of the attack.
The state's Public Department appoints ministers, executes protocol for VIP and VVIP visits and liaises with the Ministry of External Affairs and foreign consulates.
According to Mittal, the Indian Computer Emergency Response Team, or CERT-In, and the Centre for Development of Advanced Computing, or C-DAC, were investigating the incident and helping the government regain access to the systems.
CERT-In and C-DAC did not respond to Information Security Media Group's request for information on whether the systems had been restored yet, what the attack vectors were, the identity of the attackers, what their demands were and the extent of the damage.
The unidentified perpetrators demanded a ransom of $1,950 in cryptocurrency for the decryption key, according to a report by newspaper The Hindu, which cited unidentified sources.
Prakash LR, senior director of the C-DAC in Chennai, tells ISMG that the attackers most likely targeted office documents, text files and spreadsheets containing personally identifiable information instead of operating system files, as the latter could be retrieved through backups and therefore, may not be used to earn a ransom.
Analyzing Cyber Resiliency
The Tamil Nadu ransomware incident brings up questions about the cyber resiliency of government-run systems: How well can state IT departments defend themselves against targeted attacks, what are the vulnerabilities and how can future cyberattacks be prevented?
Some security and cyber law experts who have worked with IT departments of state governments in India tell ISMG that outdated IT infrastructure, unpatched systems running old versions of software, ineffective security audits and lack of cyber laws and penalties make these entities vulnerable to ransomware incidents.
According to J Prasanna, the CEO of CySecurity, which was formerly the Cyber Security and Privacy Foundation, most Windows systems used by state government departments are unpatched and their web servers are not adequately protected.
Prasanna has worked as a consultant with state governments in Tamil Nadu, Karnataka and Andhra Pradesh in the past.
A 2020 Statista report shows that spam and phishing emails were the cause of 54% of all ransomware infections globally. Prasanna says the trend is no different in India.
State governments, he says, fail to identify phishing emails and fake apps. Deploying anti-phishing solutions, automated vulnerability monitoring software and dark web monitoring software will go a long way in addressing the issue, he says.
"Presently, you can create a Tamil Nadu state government fake app because the government does not have a solution to monitor and take down fake apps," Prasanna notes.
Akash Kundu, founder and CEO of cybersecurity firm Vulhunt and a cybersecurity consultant at the Central Bureau of Investigation Academy, concurs with Prasanna's view on dated servers.
Kundu says many government departments run outdated server software, such as Apache 2.4.6 and Phusion Passenger 5.2.10. He did not disclose the identities of the departments or the states to which they belong.
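The version strings Kundu cites are the kind of thing a web server volunteers in its HTTP Server header, which is the first place an external assessment looks. The following Python is an added example, not code from Kundu, Vulhunt or any organisation named in the article: it parses Server headers into per-component versions and compares them with a baseline. The inventory and the baseline versions are constructed for illustration; a real baseline would come from vendor support status and the department's own patching policy.

```python
import re

# Constructed sample Server headers for the example; they are not taken
# from any government site. The first mirrors the two versions named in
# the article, the last shows a server that hides its version.
SAMPLE_INVENTORY = {
    "portal-a.example": "Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips Phusion_Passenger/5.2.10",
    "portal-b.example": "Apache/2.4.57 (Ubuntu)",
    "portal-c.example": "nginx/1.24.0",
    "portal-d.example": "Apache",
}

# Assumed minimum acceptable versions, chosen for illustration only.
MIN_VERSIONS = {
    "apache": (2, 4, 57),
    "phusion_passenger": (6, 0, 0),
    "nginx": (1, 24, 0),
}

# "Product/1.2.3" tokens; trailing letters such as OpenSSL's "1.0.2k" are
# dropped because they do not compare numerically.
_COMPONENT = re.compile(r"([A-Za-z][A-Za-z_-]*)/(\d+(?:\.\d+)*)")


def parse_version(text):
    return tuple(int(part) for part in text.split("."))


def fmt(version):
    return ".".join(str(part) for part in version)


def parse_banner(banner):
    """Map each component in a Server header to a version tuple.

    A bare product name with no version maps to None so the caller can
    flag it for manual verification instead of silently passing it.
    """
    found = {}
    for name, version in _COMPONENT.findall(banner):
        found[name.lower().replace("-", "_")] = parse_version(version)
    if not found and banner.strip():
        found[banner.split()[0].lower()] = None
    return found


def assess(banner, minimums=MIN_VERSIONS):
    """Return (component, verdict) pairs for one Server header."""
    verdicts = []
    for component, version in parse_banner(banner).items():
        floor = minimums.get(component)
        if version is None:
            verdicts.append((component, "version hidden; confirm via package manager"))
        elif floor is None:
            verdicts.append((component, "no baseline configured"))
        elif version < floor:
            verdicts.append((component, f"{fmt(version)} is below baseline {fmt(floor)}"))
        else:
            verdicts.append((component, "ok"))
    return verdicts


def outdated_components(banner, minimums=MIN_VERSIONS):
    """Components whose advertised version is below the baseline."""
    return sorted(
        component
        for component, version in parse_banner(banner).items()
        if version is not None
        and component in minimums
        and version < minimums[component]
    )


def scan_inventory(inventory, minimums=MIN_VERSIONS):
    """Hosts that advertise at least one outdated component."""
    flagged = {}
    for host, banner in inventory.items():
        outdated = outdated_components(banner, minimums)
        if outdated:
            flagged[host] = outdated
    return flagged


if __name__ == "__main__":
    for host, outdated in scan_inventory(SAMPLE_INVENTORY).items():
        print(host, "->", ", ".join(outdated))
```

Treat the result as a triage list, not proof of exposure: a banner can be suppressed or spoofed (the "Apache" case above), and enterprise distributions backport security fixes without changing the advertised version, so an "Apache/2.4.6" on CentOS 7 may already carry the relevant patches. Confirm against the installed package before reporting a host as vulnerable.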
A recent security assessment of Bengaluru City Police illustrates how dated servers and old software versions leave systems prone to malicious exploits. Ironically, Bengaluru is known as the "Silicon Valley" or the "IT capital" of India.
The findings, highlighted in red in the assessment report, show that the server used by the police department is vulnerable to breach attacks, Kundu says. The hypertext preprocessor - better known as PHP - has vulnerabilities in remote admin access, and this could lead to user information being harvested, he adds.
Kundu also says that GeekLog, the open-source application used to manage the police department's web portal, contains an SQL vulnerability that could allow a threat actor to remotely reset the admin password.
He has reported his findings to the National Critical Information Infrastructure Protection Center, or NCIIPC, he tells ISMG.
Bureaucracy also has a part to play in compromising systems, Prasanna says.
"CEOs and managing directors want admin-level access on desktop systems. As a result, [if their access is compromised] the ransomware also gets the same level of access," he says.
Although security vendors offer endpoint detection and response solutions to tackle these situations, Prasanna says the cost and complexity of deployment are high.
Kundu's findings are similar to those of Ram Movva, co-founder and chairman of Cyber Security Works.
An earlier security assessment of the Tamil Nadu state government's IT system showed vulnerabilities that could be exploited by WannaCry ransomware, with over 80 assets vulnerable to remote code execution, Movva tells The New Indian Express.
Ineffective Cyber Laws and Security Audits
There are currently no penalties imposed on government institutions for not having adequate security measures, Prashant Mali, an expert in cybersecurity, cyber law and privacy, tells ISMG.
"The Tamil Nadu government provides governance paid for with taxpayers' money. There should be a law that addresses a scenario in which the government fails to take proper security measures," he says.
While banking and financial institutions in India are mandated by the Reserve Bank of India to report cyber incidents, there's no such requirement for government entities.
According to Prasanna, there are guidelines available for vulnerability assessments, and CERT-In empaneled audits are carried out at regular intervals. But most executives view these guidelines and audits merely as items to be ticked off a checklist, leading to false positives and putting systems at risk, he says.
"I've seen audits in which a Windows server is being audited, but the report documents it as a Linux server. The people conducting these audits are not as tech-savvy as experts from a FireEye or an RSA," he tells ISMG.
State governments, he says, should not be solely responsible for conducting IT assessments. Auditors too must look closely at how state government bodies implement IT policies, what antivirus software they use, and whether they have web application firewalls protecting portals.
In 2013, the central government released a National Cyber Security Policy to counter security threats. Eight years later, Kundu says he sees limited implementation of the strategies detailed in the policy.
What Can State Governments Do?
Ransomware attacks don't just capitalize on vulnerabilities - they require some form of social engineering, and that's why cybersecurity sensitization of employees is key, Prasanna says.
"User training is of utmost importance, as employees must be able to identify files that are prone to contain malicious malware, such as .exe files," he says.
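Training users to recognise .exe attachments is the human layer; the mail gateway can apply the same test mechanically and also catch the two tricks that extension-based training misses, a double extension such as invoice.pdf.exe and a Windows executable renamed with a document extension. The following Python is an added example written for this article, not code from Prasanna or any organisation quoted here. The sample attachments and the extension lists are constructed for illustration.

```python
# Constructed sample attachments (name, leading bytes); none come from a
# real message. The third is the case extension-only training misses:
# a Windows executable renamed to look like a PDF.
SAMPLE_ATTACHMENTS = [
    ("budget_2021.xlsx", b"PK\x03\x04"),
    ("invoice.pdf.exe", b"MZ\x90\x00\x03"),
    ("scan.pdf", b"MZ\x90\x00\x03"),
    ("notes.txt", b"Meeting at 10"),
    ("minutes.docm", b"PK\x03\x04"),
]

# Extensions Windows runs directly on double-click, plus Office formats
# that can carry macros. Illustrative, not exhaustive.
EXECUTABLE_EXTENSIONS = {
    ".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".msi", ".hta",
    ".js", ".jse", ".vbs", ".vbe", ".wsf", ".ps1", ".lnk",
}
MACRO_EXTENSIONS = {".docm", ".xlsm", ".pptm"}
PE_MAGIC = b"MZ"  # DOS stub signature at the start of every Windows PE file


def all_extensions(filename):
    """Every dotted suffix, so 'invoice.pdf.exe' yields ['.pdf', '.exe']."""
    parts = filename.lower().split(".")
    return ["." + part for part in parts[1:]]


def classify(filename, head):
    """Reasons to hold an attachment; an empty list means nothing was found.

    `head` is the first few bytes of the file, so the check works on the
    content and not only on the name the sender chose.
    """
    exts = all_extensions(filename)
    last = exts[-1] if exts else ""
    reasons = []
    if last in EXECUTABLE_EXTENSIONS:
        reasons.append(f"executable extension {last}")
        if len(exts) > 1:
            reasons.append(f"double extension: presented as {exts[-2]}")
    elif last in MACRO_EXTENSIONS:
        reasons.append("macro-enabled Office document")
    # A PE file is a PE file whatever it is called.
    if head.startswith(PE_MAGIC) and last not in EXECUTABLE_EXTENSIONS:
        reasons.append("PE header (MZ) behind a non-executable filename")
    return reasons


def triage(attachments):
    """Map each flagged filename to the reasons it was flagged."""
    flagged = {}
    for name, head in attachments:
        reasons = classify(name, head)
        if reasons:
            flagged[name] = reasons
    return flagged


if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_ATTACHMENTS).items():
        print(name, "->", "; ".join(reasons))
```

The magic-byte test only covers PE binaries; scripts and macro-enabled Office files have no single signature (the Office formats are ZIP containers, as the PK bytes above show), which is why the extension lists remain necessary alongside it. Archives and password-protected containers need to be opened before the same checks can be applied to what is inside.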
State IT departments must also have a robust cybersecurity architecture in place, Prakash of C-DAC tells ISMG.
"The government-run Information Security Education and Awareness program focuses on educating common users on cyber hygiene and ways to prevent getting compromised. Government organizations must draw advantage from these awareness programs," he says.
Kundu says implementing continuous testing, patching vulnerabilities within a given timeline and building effective logging and monitoring capabilities can help maintain cybersecurity. State governments, he adds, must also work closely with CERT-In, the NCIIPC and other cybersecurity departments for best results.
"There is an urgent need to synergize the effort of experts working under separate government ministries, departments and private sectors," he adds.
Ransomware attacks on state governments are not new in the country.
In October 2016, the Kerala State Forest Department was the victim of a ransomware attack that resulted in the government body having to forgo attempts to access the data.
A year later, the WannaCry ransomware attack affected the IT systems of state governments in Gujarat, Odisha, West Bengal, Andhra Pradesh, Kerala, Tamil Nadu and New Delhi.
In 2018, hackers targeted the Karnataka state government's Bhoomi software and were able to alter land records by attacking the web server, showing the impact cyberattacks can have on state governments.