The Pakistani air force and other elements of its government were infiltrated online by foreign state-sponsored hackers as recently as this year, according to new information from a private cybersecurity firm.
The Irvine, California-based company Cylance released a report Monday saying that a group it calls “The White Company” hacked into various elements of Pakistan’s military and intelligence networks with the intent of stealing data and, later, openly harassing the government. Cylance first identified the intrusion in 2017 and says the hack may still pose a threat to the Pakistani government as well as others in the region.
The disclosure is particularly concerning because Pakistan is a nuclear-armed nation whose control over its arsenal of weapons has at times been a source of concern for Western leaders.
“It’s a pivotal country not just in South Asia but in global affairs,” says Kevin Livelli, director of threat intelligence for Cylance, citing Pakistan’s role as a lynchpin in U.S.-led efforts to fight regional terrorist groups like the Taliban, al-Qaida and the Haqqani network. “In our judgment, targeting the military is also particularly concerning.”
Spokespeople at the firm declined to say at this time which nation it believes sponsored the attack but said it was likely a country in the Middle East and one that seeks to emulate the cyberspace capabilities of the U.S. Livelli says he does not think that the perpetrator was the government of the U.S., Russia, China, North Korea, Iran, India, Israel, Great Britain, Canada, Australia or New Zealand – considered to be the world’s most powerful cyber actors. Cylance also did not reveal any information about what it believes the hackers stole.
Cylance and other private security firms have previously helped detect and publicize the presence of high-profile hacker groups operating in a realm that governments rarely discuss voluntarily. In 2014 Cylance revealed information about an Iranian operation it said was in retaliation for Stuxnet, a virus believed to have been developed by the U.S. and Israel in the 2000s to sabotage Iran’s burgeoning nuclear program. CrowdStrike, a similar firm, detected a pro-Russian hacking group believed to have interfered in the 2016 and 2018 U.S. elections and coined the term Fancy Bear to refer to it.
Cylance said it shared information about the reported threat with counterparts in the U.S. government and with PakCERT, a non-governmental organization based in Karachi that, like other computer emergency response teams, is dedicated to identifying and protecting its country from cyberattacks.
In response to a request for comment, PakCERT in Pakistan did not officially confirm a cyberattack against the Pakistani military or government. U.S. intelligence agencies reached for comment did not immediately have information they could share. The Pakistani Embassy in Washington, D.C., did not immediately respond to requests for comment.
The reported attack comes at a precarious time for Pakistan, which resides in a dangerous neighborhood wedged between Afghanistan, Iran and India. The country is increasingly out of favor with the Trump administration and facing other recent high-profile cybersecurity threats. Cylance believes the attackers focused their attention on the air force because of its prominent role in the Pakistani government, including hosting its first cybersecurity center, launched earlier this year.
Livelli, a career investigator, says “a successful espionage operation targeting the Pakistani military would not just produce tactical and strategic insight into their operations but also into a range of other domestic and governmental concerns.”
Pakistan’s armed forces play an outsized role in its politics. Its powerful Inter-Services Intelligence, or ISI, the Pakistani counterpart to the CIA, is deeply enmeshed in the civilian government and has staged multiple coups during the country’s 70-year history.
Pakistan is also locked in a decades-old contest for regional influence with its rival and neighbor India. Prior U.S. administrations went to great lengths to maintain equal relations between the two countries for fear of upsetting a delicate, if imperfect, balance. These efforts took place despite concerns that elements of the Pakistan government reportedly turn a blind eye to or are even complicit in some activities of groups the U.S. considers terrorists operating in its rural northern reaches or along its border with Afghanistan and Iran.
The Trump administration, however, has taken a hard line against Islamabad, slashing billions in foreign military aid until such time as it believes Pakistan is adequately cracking down on these groups. The Pentagon under Trump also took the bold step of renaming the principal military headquarters for the region, U.S. Pacific Command, as U.S. Indo-Pacific Command.
China took particular interest in Pakistan as a strategic partner in its “One Belt One Road” initiative to build trading infrastructure across the continent, though Islamabad has recently reconsidered the close partnership, according to some reports.
And reports persist that Pakistani scientists transferred centrifuge technology to North Korea in at least indirect support of Pyongyang’s nuclear program.
As with other influential countries, many malicious hackers have an interest in attacking Pakistan.
“You can imagine the Pakistani government and its military networks, servers and computers are going to be targets, and they’re going to be targeted by nation-state attackers,” says Adam Segal, director of the Digital and Cyberspace Policy Program at the Council on Foreign Relations.
Cylance’s work to identify a group it says carried out this attack does not mean that the same group was not already known and under surveillance by other firms or governments, perhaps under a different name.
Cybersecurity experts and U.S. officials specializing in the increasingly significant realm agree that attributing the source of an attack is one of the most difficult aspects of their work. Hackers worldwide have developed increasingly advanced tools to either mask their identity or make it appear as though a third party is to blame.
Officials at Cylance say the scale of this attack – espionage designed to steal sensitive Pakistani information – and the resources needed to carry it out show that it must have had support from a nation-state. It centered on a campaign of spear-phishing to gain access to secure computers, detailed reconnaissance to identify which anti-virus programs the Pakistani servers were running, and covert evasion techniques that allowed the hackers to remain undetected.
However, the campaign appeared to shift focus in 2017, the Cylance report says, when malware pre-programmed to stop evading the Pakistani anti-virus programs began doing so automatically, openly calling attention to itself.
“It was like ringing the fire alarm,” Livelli says. “They deliberately distracted attention and time and resources, and to confuse the victim into thinking something was wrong.”
Other countries’ assets in the region were targeted, the report claims, including China’s.