"Cyber attacks are notoriously hard to attribute to a specific attacker, let alone state-sponsored ones. However, when such a cautionary message is issued – usually it is based on circumstantial evidence," cybersecurity expert Sandeep Shukla told The Quint, a week after Apple informed a swathe of leaders from various political parties that their iPhones may have been targeted by "state-sponsored attackers."
Congress MP Shashi Tharoor, TMC MP Mahua Moitra, SP leader Akhilesh Yadav, and AAP MP Raghav Chadha are just a few of the prominent Opposition leaders who claimed that they had received Apple's hacking threat alert on 31 October.
The timing of the alerts and the list of purported recipients have dredged up allegations of government surveillance using Pegasus – a sophisticated spyware tool that the Centre has not expressly denied purchasing.
In the days that followed, the Union Ministry of Electronics and Information Technology issued a notice to Apple and mobilised CERT-In (the government's nodal cybersecurity agency) to probe vulnerabilities in Apple products, according to The Indian Express.
Although a probe is underway, there are plenty of question marks around the hacking alerts. What would you look for in a device targeted by state-sponsored attackers? Is it possible to fix accountability? Why are state-backed actors more of a threat than others?
For these answers, The Quint spoke with Sandeep Shukla. He's a professor at the Indian Institute of Technology (IIT) Kanpur and was one of the two experts who appeared before the Supreme Court-appointed technical committee on Pegasus to share his expertise. Read what he had to say.
Apple Alerts: How To Detect a 'State-Sponsored Attack'? Cyber Expert Answers
1. Hard To Pin Down
Emphasising the difficulty in establishing a state-sponsored attack, Shukla said, "First of all, when one suspects that an attack or an attempted attack is from state-sponsored attackers, normally that judgement is never with 100 percent certainty."
However, he added, if you suddenly find that similar organisations with similar missions are being targeted around the same time, and the indicators of compromise are similar, then the organisation watching these (in this case Apple) could conclude that the attack might be purposeful and has a particular motivation.
Soon after news of the hacking threat alerts emerged, Union Minister of Electronics and IT Ashwini Vaishnaw went on the defensive and said that Apple's notifications were "vague" and "non-specific."
But experts have pointed out that the lack of details in a hacking threat notification is intentional as they could otherwise help the attackers evade future detection.
Threat-hunting teams try to balance what they share in warnings while not "burning" their investigative techniques, so they can keep tracking spyware groups, CitizenLab researcher John Scott-Railton said in a thread on X (formerly Twitter).
In a press conference, Vaishnaw had also highlighted how Apple's threat notification states that it could've been sent due to a false alarm. Though past instances indicate otherwise.
CitizenLab's Scott-Railton pointed out that similar alerts from Apple had led to the Canada-based watchdog group's discoveries of Pegasus hacking in countries like Thailand, Poland, El Salvador, Mexico, Armenia, and Russia.
Expand2. The Lookout Signs
Citing the Diamond Model of Intrusion Analysis, Shukla identified the following indicators to determine which nation-state the attackers might be working for:
Profile of the victims
Capability of the attackers
Infrastructure used by attackers such as vulnerability exploited, malware used, command-and-control servers used
IP addresses of the command and control connections made by the malware from the phone to servers
Attackers' modus operandi
Attackers' possible geographic location
"Also, other circumstantial evidence such as what vulnerability was exploited, what exploit was used to make the first access, time of the day when most of the victims were attacked, and few other aspects of the attack may give a clue," Shukla continued.
"If the network traffic from the device is monitored, or if the processes running in the device are observed closely, or if the in-memory processes are observed, or if the files recently created are observed – one could detect the indicators of compromise," the IIT Kanpur professor revealed.
Expand3. Not Your Usual Hobby Hacker
How are state-backed actors different from other hackers? What really sets them apart?
"The reason we distinguish these attackers from other attackers is because they have government sanctions and hence, they are highly resourced. They can purchase information about zero-day and/or zero-click vulnerabilities for millions of dollars or purchase tools from companies such as the NSO Group," Shukla told The Quint.
Zero-click attacks don't require the target to click on a link for the device to be hacked. For example, Google's Project Zero team had found that Pegasus was successfully deployed to a victim's device by simply sending a GIF through iMessage.
Zero-click attacks are largely feasible if the device has technical flaws that the developer has just discovered, giving them "zero-days" to address these issues. Such flaws are known as 'zero-day' vulnerabilities.
Offering a glimpse of the level of sophistication possessed by state-sponsored attackers, Shukla said that they obtain details of their targets (such as phone numbers and email addresses) from their financing governments or the dark web.
"They can establish command-and-control servers on the cloud, and quickly move their servers from one location to another to evade blocking. They can purchase or develop rootkits (malicious software tools that give a threat actor remote access to and over a system) and malware that evade detection by regular anti-virus."
Professor Sandeep Shukla on State-sponsored attackers"Nation-states usually fund a group of cyber-offensive experts to carry out such attacks for them. For example, APT 28 (fancy bear) is a group suspected to be funded by the Russian government, APT 36 is suspected to belong to the Pakistan government, and APT 37 seems to belong to North Korea," Shukla said.
He also revealed the common steps taken by Advanced Persistent Threat (APT) actors to launch a state-sponsored attack:
Reconnaissance
Weaponisation
Initial access
Execution
Persistence
Privilege escalation
Collection
Command-and-Control
Exfiltration
Impact
"Hobby hackers usually do not have this kind of systematic approach to attacking a target system," he added.
Attackers backed by nation-states tend to go after high-value targets such as government employees, defense leaders, political leaders, civil right leaders, journalists, and corporate leaders, according to Shukla.
Expand4. Who You Gonna Call?
Remotely, Apple may be able to analyse network connections or changed settings to alert users about the threat of spyware. But to find something conclusive, Shukla opined that the targeted device would have to be handed over to a cyber forensic team that possesses iOS forensic tools and know-how.
When asked if CERT-In was the right entity to probe such an attack, he argued that the "amended Information Technology Act of 2008, through section 70, sanctions the authority to CERT-In to investigate any cyber attack in the country. So, it is their jurisdiction to do it."
"However, if the suspicion is that the "state" here involves your country, then it has to be investigated by an independent body rather than an entity run by the same government. So it depends on what is meant by 'state-sponsored'," Shukla said.
Meanwhile, several Opposition MPs have called on the Parliamentary Standing Committee on Information Technology to take up the matter. In a letter addressed to the committee's chair, Rajya Sabha MP John Brittas said, "The gravity of the situation cannot be understated, as it not only raises concerns about the security of personal data but also the potential implications for national security."
Additionally, the CPI(M) leader from Kerala called for the committee's inquiry to cover the following aspects:
The nature and credibility of the security threat identified by Apple
The extent of vulnerability of Indian iPhone users to hacking attempts
The potential involvement of State-supported hackers and their motivations
The adequacy of cybersecurity measures in place to protect the privacy and security of Mobile Phone users in India
Expand5. Thwarting State-Sponsored Attacks
Beyond the traditional cyber-hygiene practices , Apple rolled out a feature called 'Lockdown Mode' last year in response to spyware like Pegasus and Hermit.
Going on Lockdown Mode means limiting a lot of prevalent functionalities in the usual iOS user experience. It blocks most types of message attachments on iMessage, and disables link previews. It also limits browsing, and blocks unknown requests on Apple services such as FaceTime.
So, how well does it work against suspected state-sponsored attacks?
"Lockdown Mode is an extreme state of the device where a lot of the activities you normally want to carry out with your phone cannot be done, unless you unlock it again. So, it will surely reduce the chances of data exfiltration from your phone or it will also reduce the chances of new infection," Shukla said.
But, according to the cybersecurity expert, the feature cannot be a permanent solution as it makes the device behave in a "primitive manner."
"If you have to do that, you might as well go back to a feature phone," he added.
(At The Quint, we are answerable only to our audience. Play an active role in shaping our journalism by becoming a member. Because the truth is worth it.)
Expand
Hard To Pin Down
Emphasising the difficulty in establishing a state-sponsored attack, Shukla said, "First of all, when one suspects that an attack or an attempted attack is from state-sponsored attackers, normally that judgement is never with 100 percent certainty."
However, he added, if you suddenly find that similar organisations with similar missions are being targeted around the same time, and the indicators of compromise are similar, then the organisation watching these (in this case Apple) could conclude that the attack might be purposeful and has a particular motivation.
Soon after news of the hacking threat alerts emerged, Union Minister of Electronics and IT Ashwini Vaishnaw went on the defensive and said that Apple's notifications were "vague" and "non-specific."
But experts have pointed out that the lack of details in a hacking threat notification is intentional as they could otherwise help the attackers evade future detection.
Threat-hunting teams try to balance what they share in warnings while not "burning" their investigative techniques, so they can keep tracking spyware groups, CitizenLab researcher John Scott-Railton said in a thread on X (formerly Twitter).
In a press conference, Vaishnaw had also highlighted how Apple's threat notification states that it could've been sent due to a false alarm. Though past instances indicate otherwise.
CitizenLab's Scott-Railton pointed out that similar alerts from Apple had led to the Canada-based watchdog group's discoveries of Pegasus hacking in countries like Thailand, Poland, El Salvador, Mexico, Armenia, and Russia.
The Lookout Signs
Citing the Diamond Model of Intrusion Analysis, Shukla identified the following indicators to determine which nation-state the attackers might be working for:
Profile of the victims
Capability of the attackers
Infrastructure used by attackers such as vulnerability exploited, malware used, command-and-control servers used
IP addresses of the command and control connections made by the malware from the phone to servers
Attackers' modus operandi
Attackers' possible geographic location
"Also, other circumstantial evidence such as what vulnerability was exploited, what exploit was used to make the first access, time of the day when most of the victims were attacked, and few other aspects of the attack may give a clue," Shukla continued.
"If the network traffic from the device is monitored, or if the processes running in the device are observed closely, or if the in-memory processes are observed, or if the files recently created are observed – one could detect the indicators of compromise," the IIT Kanpur professor revealed.
Not Your Usual Hobby Hacker
How are state-backed actors different from other hackers? What really sets them apart?
"The reason we distinguish these attackers from other attackers is because they have government sanctions and hence, they are highly resourced. They can purchase information about zero-day and/or zero-click vulnerabilities for millions of dollars or purchase tools from companies such as the NSO Group," Shukla told The Quint.
Zero-click attacks don't require the target to click on a link for the device to be hacked. For example, Google's Project Zero team had found that Pegasus was successfully deployed to a victim's device by simply sending a GIF through iMessage.
Zero-click attacks are largely feasible if the device has technical flaws that the developer has just discovered, giving them "zero-days" to address these issues. Such flaws are known as 'zero-day' vulnerabilities.
Offering a glimpse of the level of sophistication possessed by state-sponsored attackers, Shukla said that they obtain details of their targets (such as phone numbers and email addresses) from their financing governments or the dark web.
"They can establish command-and-control servers on the cloud, and quickly move their servers from one location to another to evade blocking. They can purchase or develop rootkits (malicious software tools that give a threat actor remote access to and over a system) and malware that evade detection by regular anti-virus."Professor Sandeep Shukla on State-sponsored attackers
"Nation-states usually fund a group of cyber-offensive experts to carry out such attacks for them. For example, APT 28 (fancy bear) is a group suspected to be funded by the Russian government, APT 36 is suspected to belong to the Pakistan government, and APT 37 seems to belong to North Korea," Shukla said.
He also revealed the common steps taken by Advanced Persistent Threat (APT) actors to launch a state-sponsored attack:
Reconnaissance
Weaponisation
Initial access
Execution
Persistence
Privilege escalation
Collection
Command-and-Control
Exfiltration
Impact
"Hobby hackers usually do not have this kind of systematic approach to attacking a target system," he added.
Attackers backed by nation-states tend to go after high-value targets such as government employees, defense leaders, political leaders, civil right leaders, journalists, and corporate leaders, according to Shukla.
Who You Gonna Call?
Remotely, Apple may be able to analyse network connections or changed settings to alert users about the threat of spyware. But to find something conclusive, Shukla opined that the targeted device would have to be handed over to a cyber forensic team that possesses iOS forensic tools and know-how.
When asked if CERT-In was the right entity to probe such an attack, he argued that the "amended Information Technology Act of 2008, through section 70, sanctions the authority to CERT-In to investigate any cyber attack in the country. So, it is their jurisdiction to do it."
"However, if the suspicion is that the "state" here involves your country, then it has to be investigated by an independent body rather than an entity run by the same government. So it depends on what is meant by 'state-sponsored'," Shukla said.
Meanwhile, several Opposition MPs have called on the Parliamentary Standing Committee on Information Technology to take up the matter. In a letter addressed to the committee's chair, Rajya Sabha MP John Brittas said, "The gravity of the situation cannot be understated, as it not only raises concerns about the security of personal data but also the potential implications for national security."
Additionally, the CPI(M) leader from Kerala called for the committee's inquiry to cover the following aspects:
The nature and credibility of the security threat identified by Apple
The extent of vulnerability of Indian iPhone users to hacking attempts
The potential involvement of State-supported hackers and their motivations
The adequacy of cybersecurity measures in place to protect the privacy and security of Mobile Phone users in India
Thwarting State-Sponsored Attacks
Beyond the traditional cyber-hygiene practices , Apple rolled out a feature called 'Lockdown Mode' last year in response to spyware like Pegasus and Hermit.
Going on Lockdown Mode means limiting a lot of prevalent functionalities in the usual iOS user experience. It blocks most types of message attachments on iMessage, and disables link previews. It also limits browsing, and blocks unknown requests on Apple services such as FaceTime.
So, how well does it work against suspected state-sponsored attacks?
"Lockdown Mode is an extreme state of the device where a lot of the activities you normally want to carry out with your phone cannot be done, unless you unlock it again. So, it will surely reduce the chances of data exfiltration from your phone or it will also reduce the chances of new infection," Shukla said.
But, according to the cybersecurity expert, the feature cannot be a permanent solution as it makes the device behave in a "primitive manner."
"If you have to do that, you might as well go back to a feature phone," he added.
(At The Quint, we are answerable only to our audience. Play an active role in shaping our journalism by becoming a member. Because the truth is worth it.)