On November 17, 2008 the web site of the Oil and Gas Regulatory Authority of Pakistan (OGRA), www.ogra.org.pk, was defaced by an Indian defacement group called Hindu Militant Group (HMG). By November 24, 2008 a Pakistani defacement group called Pakistan Cyber Army (PCA) formed and responsed to the defacement and defaced the web site of India’s Oil and Natural Gas Corporation Ltd. (ONGC), www.ongcindia.com.
One thing that grabbed my attention was an email reportedly sent by the PCA that refers to the specificity and intentionality of the attack unlike standard defacement “wars” that prey on websites vulnerable to publicly known exploits:
“HMG hacked our oil and gas website.. that was a random act… Our attack was planned, and dedicated to their OIL AND GAS website which makes sense plus it shows we Pakistanis can do it.”
Rather than deface some random .pk (although they did deface several others sites too) they retaliated by defacing the .in equivalent of the site the HMG defaced. To me this indicates skill above the scriptkiddie level.
Moreover, they claim:
“These defacement’s were not dedicated for the fame of our group name PCA. Pakistan Cyber Army this group name was created right 5 minutes before we defaced these websites. This means we don’t have any intention to spread our names nor we need to show our skill levels.”
They are self-proclaimed “whitehats” whose motivation appears to be revenge and nationalism. For me, it is a case that stands out from the typical defacement-wars that periodically erupt. However, I’ve now found that www.ongcindia.com was defaced by WFD in 2002. It Looks like the site has a history of poor security. It could be less a case of the skillfulness of the attackers than one of timing.
One of the things I’ve noticed in the coverage of these defacements is that the defacements by two separate Pakistani groups the PCA and ZombiE_KsA are being merged together. In addition, some of the defaced sites were re-defacements and others were re-defaced by Indian hackers with messages to the administrators of those sites indicating a history of indifference to basic security practices.
For example, www.ctram.indianrail.gov.in was defaced in March (2008/03/26) and it appears that the most recent defacement exploited the same vulnerability (the scrolling text in “external.asp”). aponline.gov.in was another redefacement, this site was also defaced on 2006/03/21.
The sites that were re-defaced by HMG contained text asking the administrators of those sites to patch the vulnerabilities:
My dear Site owner pls fix ur flaws…ur site was hacked by pakistani hackers, now ur site is in our Indian Hackers control…pls fix ur voluns immediately contact us email@example.com
Here is a list of the sites:
http://www.ongcindia.com/ – PCA,
http://www.jslinc.com/ – PCA
http://www.syscontech.in/ – PCA, , Re-Defaced
http://www.kvrtm.org.in/ – PCA, , Re-Defaced
http://www.iirs.gov.in/ – PCA, , Re-Defaced
http://www.ctram.indianrail.gov.in/ – PCA
http://www.aponline.gov.in/ – ZombiE_KsA
http://www.cidap.gov.in/ – ZombiE_KsA
http://www.bankofbaroda.com/ – ZombiE_KsA
http://zeetvusa.com/ – ZombiE_KsA
http://www.andhrahackers.com/ – ZombiE_KsA
http://gad.ap.gov.in/ – ZombiE_KsA
I framed these defacements as a “flare-up” because there have been ongoing defacements. For example, ZombiE_KsA defaced Indian sites, loyola.edu.in, on 2008/10/02 and zeetvusa.com on 2008/10/14. Some of these attacks preceded HMG’s November 17, 2008 defacement of www.ogra.org.pk and contained inflammatory language such as “India Sucks buhuahahahahaha” and insults directory toward Gandhi.
2008/11/28 ZombiE_KsA zeesports.us
2008/11/25 ZombiE_KsA aponline.gov.in
2008/11/25 ZombiE_KsA cidap.gov.in
2008/11/24 ZombiE_KsA gad.ap.gov.in
2008/11/21 ZombiE_KsA bankofbaroda.com
2008/11/07 ZombiE_KsA lawyersclubindia.com
2008/10/14 ZombiE_KsA zeetvusa.com
zone-h has 203 archived defacements of gov.pk sites and 319 archived defacement of gov.in sites. Many appear to be unrelated to politics or an India-Pakistan rivalry but they do indicate that it is not uncommon for government sites to be defaced — even by scriptkiddies.
In the end, cooler heads prevailved and the groups involved in the latest flare up negotiated a truce:
PCA (Pakistan Cyber Army) and Zombie_ksa (pakbugs crew) comes into friendly terms with ICW (Indian Cyber Warriors, HMG). After a meeting, all of the three groups agreed not to deface each other’s websites. It all happened when people from these groups realized that there is no use of such defacement and they should be instead involved in constructive work.
In the past Indian and Pakistani groups also negotiated a truce:
Previously, both countries remained in state of cyber war during 1997 to 2002. From Pakistan’s side the war was fought by Dr. Nuker, the founder of PHC “Pakistan Hackers Club” and MFRD, founder of G-force. These two groups were responsible for defacing hundreds of Indian websites, and broke all previous records of cyber war history. Both of the Pakistani Groups then settled issues with NEO, an Indian hacker to conclude that 5 years running Cyber war.
While an interesting case from the perspective of flare-ups in defacement “wars” it also once again highlights the inattention to secure on the web servers of high profile sites. And it shows that with the right timing groups can exert greater influence than their resources and capabilities would normally allow. While the defacements appear to be completely unrelated to the recent terrorist attacks in Mumbai, the timing is certainly intriguing.