About 3,000 internet connections, including those of the Ministry of Defence, security agencies, the Central Bureau of Intelligence and banks in Delhi, have been found to be compromised, probably for snooping from foreign locations, according to a report submitted by cyber security experts to the government.
While computers in these organisations haven't been hacked, a vulnerability in the modems they use may have allowed outsiders access to information, the Indian Infosec Consortium said.
"About 3,000 internet connections in Delhi are compromised, including that of defence, CBI, election officers. They are being accessed using servers abroad. We have shared a detailed report with Telecom Minister Kapil Sibal who has promised prompt action," IIC cyber security analyst Jiten Jain told PTI.
The list includes the MoD at South Block, the deputy secretary of the cabinet secretariat at the Rashtrapati Bhawan, the chief of naval staff in C-Wing at South Block, the air force communication centre at Vayu Bhawan, the zonal officer of the controller of defence accounts at Delhi Cantonment, and the directorate of income tax (Investigation) at Jhandewalan.
Some connections at the office of public telecom firm MTNL were also compromised. Jain said the consortium has also submitted a report to security agencies for immediate action and correction of their systems. Over 99 per cent of the 3,000 connections surveyed by the IIC were possible victims of snooping.
IIC is a group of 20,000 cyber security experts pitching to become the first line of cyber defence for India and develop indigenous cyber security products. The researchers said they believe the threat emanates from a vulnerability due to technical settings in modems imported and sold by most Indian telecom operators.
"All of the devices included in the research were imported. I have not seen Indian telecom operators providing modems or routers of any Indian company. All of them are made by foreign companies, which is making systems vulnerable and susceptible to espionage," Jain said.
The report said users of these vulnerable modems could be directed to malicious servers overseas instead of going through domain name system servers to a desired website. A DNS server helps to connect a user to the server that hosts the desired website. The consortium found the DNS settings of modems, also known as Internet routers, had been manipulated.
The report revealed that the primary DNS internet address in the modems belonged to servers in China, Ukraine, the Netherlands and France, with most of them in the US.
"Normally, the primary DNS servers should be on the network of the actual Internet connection provider, but we found it is of malicious foreign servers which were suspicious and must have been used for phishing and traffic interception and diversion through a specific route," Jain said.
The server located abroad may connect to the desired website or to a fake website that appears authentic. Jain said it was not possible to pinpoint which country may be spying on these systems due to the complex structure of the internet. The IIC used the telephone directory of a public sector company to find out which entities may have been targeted by cyber spies.
It also found that Internet connections provided by a leading private telecom operator were vulnerable. However, the entities that may have been targeted could not be ascertained because the company doesn't have a directory service, Jain said.
The IIC is working on a service that will check if routers have been infected and whether their DNS settings need to be corrected, Jain said.