Recently, hackers operating out of Pakistan allegedly targeted government and energy organizations in India, although some compromised entities were also located in Afghanistan. The attackers used a newly developed remote access Trojan dubbed “ReverseRAT,” whose diverse functionality included evasion techniques intended to avoid detection and obscure the attacker’s presence on compromised machines. Operational infrastructure located in Pakistan, together with India-specific targeting that included two power transmission organizations and a third power-sector entity, contributed to the suspicion that Pakistani actors were involved. ReverseRAT’s capabilities suggest a cyber espionage focus, as many of the tool’s functions involve collecting information about compromised machines and the networks they sit on. Once obtained, such access could enable additional exploitation (e.g., data theft) or be used to facilitate disruptive attacks, depending on the intent of the attacker.
If Pakistani actors were involved, it would not be a surprise given the long-standing animosity between India and Pakistan, which has spilled over into cyberspace. Both governments possess some level of offensive cyber capability that they apply against each other for intelligence collection, in an attempt to gain a decision-making advantage. Cyber incursions between the two have been ongoing and have ranged from nuisance-style attacks that deface web pages to stealthier operations that seek to exploit networks for higher-value gains. Pakistani advanced persistent threat (APT) activity has targeted Indian military organizations since at least 2016. Similarly, Indian cyber espionage operations have targeted Pakistani organizations of interest, including but not limited to government, military, and election entities. Indeed, despite taking a back seat to the more formidable cyber powers whose activities garner international attention, India and Pakistan clearly recognize the reach and leverage that exploiting cyber assets of intelligence value can yield.
The targeting of India’s energy entities comes at a curious time, given the recent attacks levied against critical infrastructure targets worldwide. Once viewed as taboo, critical infrastructure has suddenly come into vogue as a target, with both state and non-state actors going after these prized systems that support civilian needs. For example, Iran and Israel are engaged in an ongoing cyber conflict in which critical infrastructure has been targeted, and a recent alert from the Department of Homeland Security revealed the extent of Chinese network exploitation of U.S. pipeline operators over a two-year period.
While network exploitation of critical infrastructure can ostensibly serve intelligence collection purposes (e.g., learning business processes, system configurations, etc.), any access obtained and maintained could be repurposed for more nefarious ends. States have used cyber attacks to express geopolitical frustration with other states, such as the attacks that targeted the opening of the 2020 Tokyo Olympics and the distributed denial-of-service (DDoS) attacks against the U.S. financial sector. Given the deep-rooted enmity between India and Pakistan, a logical inference is that such access could be used for disruption should the political climate between New Delhi and Islamabad continue to deteriorate.
Further raising eyebrows about the recent targeting of Indian energy organizations is reporting of cyber collusion between China and Pakistan. In 2020, a Pakistani cyber campaign dubbed “Operation SideCopy” targeted Indian critical infrastructure to obtain “strategic data.” What’s more, according to one source, this activity may have been conducted with China’s help, or at least under its supervision. Aside from Pakistan, China is India’s prime cyber antagonist. In 2021, Chinese state-sponsored cyber operations dubbed “RedEcho” targeted ten Indian entities involved in power generation, transmission, and distribution, among them four of India’s five Regional Load Dispatch Centers, the entities responsible for operating the country’s power grid. While there is not enough information to link Pakistan’s ReverseRAT activity to Operation SideCopy or RedEcho, it does raise the question of how far China is involved in Pakistan’s current and future offensive cyber operations against India. China has been suspected of executing a cyber attack that caused a power outage in Mumbai in mid-October 2020, which, if true, would substantiate worries that such “cyber espionage” is about more than collecting information. If China-Pakistan collusion is ongoing, any future Pakistani cyber activity against Indian energy targets will inevitably raise the question of whether it is truly Pakistani in origin, or whether Islamabad is being used, wittingly or unwittingly, as a cutout. This arrangement would reduce China’s digital footprint (and increase its plausible deniability) while still letting it reap the benefits of any successful compromise.
Perhaps the biggest concern, however, is how “lesser” government cyber powers are actively targeting the civilian critical infrastructure of their adversaries. In June 2021, the International Institute for Strategic Studies (IISS) published a report assessing nation-state cyber capabilities and national power. In it, India ranked as a third-tier country and Pakistan did not make the list of 15 countries at all. While informative, the study underrepresents states’ ability to acquire the capability to conduct significant offensive cyber operations against targets of interest. When it comes to critical infrastructure, which is known to be hindered by legacy systems and to suffer from the convergence of enterprise and operational technologies, even a limited cyber capability wielded by a lesser state can reap substantial rewards. This threat is magnified when the states in question share long-standing animosity and clash wherever their circles of interest intersect.
In an environment where Internet governance is light, cyber norms of state behavior remain elusive, cyber treaties are non-existent, and international cooperation against cyber malfeasance is still in its infancy, even the least capable states can begin to achieve parity in this domain. Compromising and maintaining access to critical infrastructure is proving to be an easy way for any state, regardless of its cyber power, to cause disruption at a time of its choosing. Such campaigns are well suited for use during periods of geopolitical discontent that fall short of armed conflict: attacks on critical infrastructure can cause temporary disturbances that send a message without crossing a line, and from which the victim can otherwise recover. And because there have been no adequate responses against offending states for their activities against critical infrastructure, these systems remain viable targets. The result is that such attacks threaten to become increasingly commonplace, a dangerous turn of events. It is an unfortunate development in a domain where governments continue to flounder in search of consensus on cyber norms, relying on their citizens to “accept” the reality that they can do little to protect their interests from hostile actors, whether state-driven or criminal.
Worse is the complacency this instills in the populace. But such complacency may be what states really want anyway, since it lets them focus on improving their offensive capabilities without feeling the need or responsibility to devote attention to improving their defenses. National strategies and pronouncements of increased public-private partnership are the drumbeats governments sound after any major cyber attack, and they seem to quell restlessness only until the next event surfaces. India and Pakistan are the next pair willing to push the line on critical infrastructure targeting. Unfortunately, it is a line that continues to shrink, painting civilians into a corner from which they cannot escape.