# Hacktivism: India vs. Pakistan

Posted by RFSID on February 11, 2016 in Cyber Threat Intelligence

Floodlit international border between India and Pakistan, as seen from the International Space Station.

[When India gained independence from Britain in 1947, a new, predominantly Muslim nation](http://learning.blogs.nytimes.com/2011/08/15/august-15-1947-india-and-pakistan-become-nations/) of Pakistan was created during what was called the “partition.” [During this partition, about 15 million people were displaced and a million more died.](http://www.motherjones.com/media/2007/10/great-partition-making-india-and-pakistan) The border “hastily drawn” by the departing British, which separated Pakistan from the mostly Hindu India, never fully resolved all the issues.

Several wars between the two nations ensued and tensions continue to this day. A floodlit, 1250-mile portion of the current international border (a.k.a. the Line of Control) is visible in a [photo taken from the International Space Station](http://qz.com/516864/the-india-pakistan-border-is-so-closely-guarded-that-it-can-be-seen-from-space/).

Indian soldiers (in present-day Bangladesh) during the third war between India and Pakistan in December 1971.

The continuing rivalry between India and Pakistan has spilled over into cyberspace, very visibly with hacktivism. This post reviews that activity and demonstrates how high-profile events and anniversaries (e.g., Indian Independence Day on August 15, Pakistan’s Independence Day on August 14, [the Mumbai attacks on November 26](http://www.ndtv.com/topic/mumbai-attacks), and even cricket matches between the two countries) often coincide with increased cyber activity.

### The Cyber Dimension to India and Pakistan’s Cricket Rivalry

An India versus Pakistan cricket match in March 2014 results in an Indian university website being hacked.

The game of cricket provides a perfect field for a great rivalry between India and Pakistan. Wins and losses have geopolitical, social, and cyber repercussions on both sides. Conversely, geopolitical and social tensions have led to matches being postponed or cancelled.

On March 2, 2014, Pakistan defeated India in a cricket match in the Asia Cup held in Dhaka, Bangladesh. The next day (March 3), in Meerut, India, 67 Kashmiri students at Swami Vivekanand Subharti University were suspended for having cheered for Pakistan and distributing sweets after their win.

Then on March 5, 2014, the website of Swami Vivekanand Subharti University was hacked by a group claiming to be the Pakistan Cyber Army (a.k.a. Bangladesh Cyber Army) in response to the expulsion of the pro-Pakistan students.

Finally, on March 7, 2014, the sedition charges against the expelled students were dropped, but they could still face prosecution over the incident.

Based on this past event, it’s likely that cyber activity will take place between Indian and Pakistani actors before, during, and after the next cricket match between India and Pakistan [on March 19 in Dharamsala, India](http://www.espncricinfo.com/icc-world-twenty20-2016/content/story/951215.html).

### A Predictable Pattern on Independence Days

respectively, create a predictable pattern (at least over the past three years) of attacks and retaliatory strikes by the opposing hacker groups, as shown in the timeline below. An uptick in such activity before and after this year’s independence days shouldn’t come as a surprise.

### Pakistan Cyber Army Targeting India: A Snapshot 2007 Onward

Let’s take a closer look at the activities of the Pakistan Cyber Army (PCA), which was involved in the cricket incident described earlier.

The timeline below shows that the PCA has been consistently active since at least 2007, hacking, defacing, and shutting down high-profile Indian websites. Government and private sites have been targeted, including Indian Oil and Natural Gas Corporation (a Fortune 500 company), Indian Railways, the Central Bureau of Investigation, Central Bank of India, and the State Government of Kerala.

The PCA’s “public announcement” of its operations against India and the PCA’s motives are described in a document on Pastebin as shown in the image below, conveniently cached in Recorded Future. This particular message is related to PCA’s attacks to commemorate Pakistan’s independence day (August 14).

When we investigate the PCA’s TTPs (tactics, techniques, and procedures) to learn how they operate, we find examples like tutorials on how to set up phishing attacks as shown in this Facebook post. Though of course it’s hard to establish, this is indeed a PCA actor who posted this:

Below is another example where SQL injection attacks are allegedly used by Pakistani hackers to compromise Indian websites.

In their research into PCA’s activities, [ThreatConnect and FireEye](https://www.threatconnect.com/debugging-pca-from-pakbugs-to-bitterbugs/) also reported finding possible links to personas with skills in exploiting Web applications and services, identifying zero-day vulnerabilities, SQL injection, WEP cracking, and spear phishing.

In some instances the hackers chose to identify themselves; for example, the hacker behind India’s Kerala state website defacement in September 2015 identified himself as “Faisal 1337” as shown in the image below.

If we widen our view again and look at hackers from Pakistan and India targeting each other over the last seven months, we can see an interesting retaliatory pattern of attacks, the latest major response being Indian hackers avenging [the deadly January 2, 2016 attack](http://timesofindia.indiatimes.com/india/Pathankot-terror-attack-Jihadis-made-dry-runs-at-Pakistani-air-base-intelligence-sources-say/articleshow/50461180.cms) on the Indian Air Force base in Pathankot.

There are a number of hacker groups in India, including the Indian Black Hats, who reportedly claimed responsibility for the January 7 (timeline image above) revenge for the attack on Pathankot, and the Mallu Cyber Soldiers, who were said to avenge the attacks on the Kerala state government website.

When looking at hacking methods used by these groups, given that they go after weakly secured websites or those with unpatched vulnerabilities, one can expect to find generally applicable instructions and techniques used and shared by various groups, especially when they self-identify under the broad umbrella of “India hackers.” The methods used by these groups include SQL injection and PHP Web application hacks as shown by the mentions below.

The Pastebin references mention a tool, “D3LT4,” for scanning websites for SQL injection vulnerabilities, and include further references to PHP scripts which can be used to hack Web applications.

### Conclusion

The glimpses above hint at the many possible motivations and objectives of the cyber activities between India and Pakistan.

These could range all the way from loosely affiliated hacktivist groups avenging attacks by defacing symbols and institutions to more coordinated state-sponsored attacks, which will be covered in a future piece. The Line of Control (a.k.a. international border) between the two only serves as a symbol of adversarial tension and certainly not a barrier in the cyber realm.