#Fact Check – Analysis of Viral Claims Regarding India's UNSC Permanent Membership

Introduction

The unprecedented cyber espionage attempt on the Indian Air Force has shocked the military fraternity in the age of the internet where innovation is vital to national security. The attackers have shown a high degree of expertise in their techniques, using a variant of the infamous Go Stealer and current military acquisition pronouncements as a cover to obtain sensitive information belonging to the Indian Air Force. In this recent cyber espionage revelation, the Indian Air Force faces a sophisticated attack leveraging the infamous Go Stealer malware. The timing, coinciding with the Su-30 MKI fighter jets' procurement announcement, raises serious questions about possible national security espionage actions.

A sophisticated attack using the Go Stealer malware exploits defense procurement details, notably the approval of 12 Su-30 MKI fighter jets. Attackers employ a cunningly named ZIP file, "SU-30_Aircraft_Procurement," distributed through an anonymous platform, Oshi, taking advantage of heightened tension surrounding defense procurement.

Advanced Go Stealer Variant:

The malware, coded in Go language, introduces enhancements, including expanded browser targeting and a unique data exfiltration method using Slack, showcasing a higher level of sophistication.

Strategic Targeting of Indian Air Force Professionals:

The attack strategically focuses on extracting login credentials and cookies from specific browsers, revealing the threat actor's intent to gather precise and sensitive information.

Timing Raises Espionage Concerns:

The cyber attack coincides with the Indian Government's Su-30 MKI fighter jets procurement announcement, raising suspicions of targeted attacks or espionage activities.

The Deceitful ZIP ArchiveSU-30 Aircraft Acquisition

The cyberattack materialised as a sequence of painstakingly planned actions. Using the cleverly disguised ZIP file "SU-30_Aircraft_Procurement," the perpetrators took benefit of the authorisation of 12 Su-30 MKI fighter jets by the Indian Defense Ministry in September 2023. Distributed via the anonymous file storage network Oshi, the fraudulent file most certainly made its way around via spam emails or other forms of correspondence.

The Spread of Infection and Go Stealer Payload:

The infiltration procedure progressed through a ZIP file to an ISO file, then to a.lnk file, which finally resulted in the Go Stealer payload being released. This Go Stealer version, written in the programming language Go, adds sophisticated capabilities, such as a wider range of browsing focussed on and a cutting-edge technique for collecting information using the popular chat app Slack.

Superior Characteristics of the Go Stealer Version

Different from its GitHub equivalent, this Go Stealer version exhibits a higher degree of complexity. It creates a log file in the machine owned by the victim when it is executed and makes use of GoLang utilities like GoReSym for in-depth investigation. The malware focuses on cookies and usernames and passwords from web browsers, with a particular emphasis on Edge, Brave, and Google Chrome.

This kind is unique in that it is more sophisticated. Its deployment's cyber enemies have honed its strengths, increasing its potency and detection resistance. Using GoLang tools like GoReSym for comprehensive evaluation demonstrates the threat actors' careful planning and calculated technique.

Go Stealer: Evolution of Threat

The Go Stealer first appeared as a free software project on GitHub and quickly became well-known for its capacity to stealthily obtain private data from consumers who aren't paying attention. Its effectiveness and stealthy design rapidly attracted the attention of cyber attackers looking for a sophisticated tool for clandestine data exfiltration. It was written in the Go programming language.

Several cutting-edge characteristics distinguish the Go Stealer from other conventional data thieves. From the beginning, it showed a strong emphasis on browser focusing on, seeking to obtain passwords and login information from particular websites including Edge, Brave, and Google Chrome.The malware's initial iteration was nurtured on the GitHub database, which has the Go Stealer initial edition. Threat actors have improved and altered the code to serve their evil goals, even if the basic structure is freely accessible.

The Go Stealer version that has been discovered as the cause of the current internet spying by the Indian Air Force is not limited to its GitHub roots. It adds features that make it more dangerous, like a wider range of browsers that may be targeted and a brand-new way to exfiltrate data via Slack, a popular messaging app.

Secret Communications and Information Expulsion

This variation is distinguished by its deliberate usage of the Slack API for secret chats. Slack was chosen because it is widely used in company networks and allows harmful activity to blend in with normal business traffic. The purpose of the function "main_Vulpx" is specifically to upload compromised information to the attacker's Slack route, allowing for covert data theft and communication.

The Time and Strategic Objective

There are worries about targeted assaults or espionage activities due to the precise moment of the cyberattack, which coincides with the Indian government's declaration of its acquisition of Su-30 MKI fighter fighters. The deliberate emphasis on gathering cookies and login passwords from web browsers highlights the threat actor's goal of obtaining accurate and private data from Indian Air Force personnel.

Using Caution: Preventing Possible Cyber Espionage

• Alertness Against Misleading Techniques: Current events highlight the necessity of being on the lookout for files that appear harmless but actually have dangerous intent. The Su-30 Acquisition ZIP file is a stark illustration of how these kinds of data might be included in larger-scale cyberespionage campaigns.
• Potentially Wider Impact: Cybercriminals frequently plan coordinated operations to target not just individuals but potentially many users and government officials. Compromised files increase the likelihood of a serious cyber-attack by opening the door for larger attack vectors.
• Important Position in National Security: Recognize the crucial role people play in the backdrop of national security in the age of digitalisation. Organised assaults carry the risk of jeopardising vital systems and compromising private data.
• Establish Strict Download Guidelines: Implement a strict rule requiring file downloads to only come from reputable and confirmed providers. Be sceptical, particularly when you come across unusual files, and make sure the sender is legitimate before downloading any attachments.
• Literacy among Government Employees: Acknowledge that government employees are prime targets as they have possession of private data. Enable people by providing them with extensive cybersecurity training and awareness that will increase their cognition and fortitude.

Conclusion

Indian Air Force cyber surveillance attack highlights how sophisticated online dangers have become in the digital era. Threat actors' deliberate and focused approach is demonstrated by the deceptive usage of a ZIP archive that is camouflaged and paired with a sophisticated instance of the Go Stealer virus. An additional level of complication is introduced by integrating Slack for covert communication. Increased awareness, strict installation guidelines, and thorough cybersecurity education for government employees are necessary to reduce these threats. In the digital age, protecting national security necessitates ongoing adaptation as well as safeguards toward ever-more potent and cunning cyber threats.

References

• ‍https://www.overtoperator.com/p/indianairforcemalwaretargetpotential
• ‍https://cyberunfolded.in/blog/indian-air-force-targeted-in-sophisticated-cyber-attack-with-su-30-procurement-zip-file#go-stealer-a-closer-look-at-its-malicious-history
• ‍https://thecyberexpress.com/cyberattack-on-the-indian-air-force/https://therecord.media/indian-air-force-infostealing-malware

‍

Introduction:

Welcome to the third edition of our blog on digital forensics series. In our previous blog we discussed the difference between copying, cloning, and imaging in the context of Digital Forensics, and found out why imaging is a better process. Today we will discuss the process of evidence collection in Digital Forensics. The whole process starts with making sure the evidence collection team has all necessary tools required for the task.

Investigating Tools and Equipment:

Below are some mentioned tools that the team should carry with them for a successful evidence collection:

• Anti-static bags
• Faraday bags
• Toolkit having screwdrivers(nonmagnetic), scissors, pins, cutters, forceps, clips etc.
• Rubber gloves
• Incident response toolkit (Software)
• Converter/Adapter: USB, SATA, IDE, SCSI
• Imaging software
• Volatile data collection tools (FTK Imager, Magnet Forensics RAM Capture)
• Pens, permanent markers
• Storage containers
• Batteries
• Video cameras
• Note/sketch pads
• Blank storage media
• Write-Blocker device
• Labels
• Crime scene security tapes
• Camera

What sources of Data are necessary for Digital Evidence?

• Hard-Drive (Desktop, Laptop, External, Server)
• Flash Drive
• SD Cards
• Floppy Disks
• Optical Media (CD, DVD)
• CCTV/DVR
• Internal Storage of Mobile Device
• GPS (Mobile/Car)
• Call Site Track (Towers)
• RAM

‍

‍

Evidence Collection

The investigators encounter two primary types of evidence during the course of gathering evidence: non-electronic and electronic evidence.

The following approaches could be used to gather non-electronic evidence:

• In the course of looking into electronic crimes, recovering non-electronic evidence can be extremely important.  Be cautious to make sure that this kind of evidence is retrieved and kept safe. Items that may be relevant to a later review of electronic evidence include passwords, papers or printouts, calendars, literature, hardware and software manuals, text or graphical computer printouts, and photos.  These items should be secured and kept for further examination.
• They are frequently found close to the computer or other related hardware.  Locating, securing, and preserving all evidence is required by departmental procedures.

Three scenarios arise for the collection of digital evidence from computers: 

Situation 1: The desktop is visible, and the monitor is on.

• Take a picture of the screen and note the data that is visible. 
• Utilize tools for memory capturing to gather volatile data.
• Look for virtual disks. If so, gather mounted data's logical copies.
• Give each port and connection a label.
• Take a picture of them.
• Turn off network access to stop remote access.
• Cut off the power or turn it off.
• Locate and disconnect the hard drive by opening the CPU chassis.
• Take all evidence and place it in anti-magnetic (Faraday) bags.
• Deliver the evidence to the forensic lab.
• Keep the chain of custody intact.

Situation 2: The monitor is turned on, but it either has a blank screen (sleep mode) or an image for the screensaver.

• Make a small mouse movement (without pressing buttons). The work product should appear on the screen, or it should ask for a password.
• If moving the mouse does not result in a change to the screen, stop using the mouse and stop all keystrokes.
• Take a picture of the screen and note the data that is visible.
• Use memory capturing tools to gather volatile data (always use a write blocker to prevent manipulation during data collection).
• Proceed further in accordance with Situation 1.

Situation 3: The Monitor Is Off

• Write down the "off" status.
• After turning on the monitor, check to see if its status matches that of situations 1 or 2 above, and then take the appropriate action.
• Using a phone modem, cable, confirm that you are connected to the outside world. Try to find the phone number if there is a connection to the phone.
• To protect evidence, take out the floppy disks that might be there, package each disk separately, and label the evidence.  Put in a blank floppy disk or a seizure disk, if one is available. Avoid touching the CD drive or taking out CDs.
• Cover the power connector and every drive slot with tape.
• Note the serial number, make, and model.
• Take a picture of the computer's connections and make a diagram with the relevant cables.
• To enable precise reassembly at a later date, label all connectors and cable ends, including connections to peripheral devices. Put "unused" on any connection ports that are not in use.  Recognize docking stations for laptop computers in an attempt to locate additional storage media.
• All evidence should be seized and placed in anti-magnetic (Faraday) bags.
• All evidence should be seized and placed in anti-magnetic (Faraday) bags.
• Put a tag or label on every bag.
• Deliver the evidence to the forensic lab.
• Keep the chain of custody intact. 

Following the effective gathering of data, the following steps in the process are crucial: data packaging, data transportation, and data storage.

The following are the steps involved in data packaging, transportation, and storage:

Packaging:

• Label every computer system that is gathered so that it can be put back together exactly as it was found

When gathering evidence at a scene of crime,

• Before packing, make sure that every piece of evidence has been appropriately  labeled and documented.
• Latent or trace evidence requires particular attention, and steps should be taken to preserve it.
• Use paper or antistatic plastic bags for packing magnetic media to prevent static electricity. Do not use materials like regular plastic bags (instead use faraday bags) that can cause static electricity. 
• Be careful not to bend, fold, computer media like tapes, or CD-ROM.
• Make sure that the labels on every container used to store evidence are correct.

Transporting

• Make sure devices are not packed in containers and are safely fastened inside the car to avoid shock and excessive vibrations. Computers could be positioned on the floor of the car,and monitors could be mounted on the seat with the screen down .

When transporting evidence—

• Any electronic evidence should be kept away from magnetic sources.  Radiation transmitters, speaker magnets, and heated seats are a few examples of items that can contaminate electronic evidence.
• Avoid leaving electronic evidence in your car for longer than necessary. Electronic devices can be harmed by extremes in temperature, humidity.
• Maintain the integrity of the chain of custody while transporting any evidence.

Storing

• Evidence should be kept safe and away from extremes in humidity and temperature. Keep it away from dust, moisture, magnetic devices, and other dangerous impurities.  Be advised that extended storage may cause important evidence—like dates, times, and system configurations—to disappear. Because batteries have a finite lifespan, data loss may occur if they malfunction. Whenever the battery operated device needs immediate attention, it should be informed to the relevant authority (eg., the chief of laboratory, the forensic examiner, and the custodian of the evidence). 

CONCLUSION:

Thus, securing the crime scene to packaging, transportation and storage of data are the important steps in the process of collecting digital evidence in forensic investigations. Keeping the authenticity during the process along with their provenance is critical during this phase. It is also important to ensure the admissibility of evidence in legal proceedings. This systematic approach is essential for effectively investigating and prosecuting digital crimes.

‍

Introduction

Intricate and winding are the passageways of the modern digital age, a place where the reverberations of truth effortlessly blend, yet hauntingly contrast, with the echoes of falsehood. The latest thread in this fabric of misinformation is a claim that has scurried through the virtual windows of social media platforms, gaining the kind of traction that is both revelatory and alarming of our times. It is a narrative that speaks to the heart of India's cultural and religious fabric—the construction of the Ram Temple in Ayodhya, a project enshrined in the collective consciousness of a nation and steeped in historical significance.

The claim in question, a spectre of misinformation, suggests that the Ram Temple's construction has been covertly shifted 3 kilometres from its original, hallowed ground—the birthplace, as it were, of Lord Ram. This assertion, which spread through the echo chambers of social media, has been bolstered by a screenshot of Google Maps, a digital cartographer that has accidentally become a pawn in this game of truth and deception. The image purports to showcase the location of Ram Mandir as distinct and distant from the site where the Babri Masjid once stood, a claim went viral on social media and has caught the public's reactions.

The Viral Tempest 

In the face of such a viral tempest, IndiaTV's fact-checking arm, IndiaTVFactCheck, has stepped into the fray, wielding the sword of veracity against the Goliath of falsehood. Their investigation into this viral claim was meticulous, a deep dive into the digital representations that have fueled this controversy. Upon examining the viral Google Maps screenshot, they noticed markings at two locations: one labelled as Shri Ram Janmabhoomi Temple and the other as Babri Masjid. The latter, upon closer inspection and with the aid of Google's satellite prowess, was revealed to be the Shri Sita-Ram Birla Temple, a place of worship that stands in quiet dignity, far removed from the contentious whispers of social media.

The truth, as it often does, lay buried beneath layers of user-generated content on Google Maps, where the ability to tag any location with a name has sometimes led to the dissemination of incorrect information. This can be corrected, of course, but not before it has woven itself into the fabric of public discourse. The fact-check by IndiaTV revealed that the location mentioned in the viral screenshot is, indeed, the Shri Sita-Ram Birla Temple and the Ram Temple is being constructed at its original, intended site.

This revelation is not merely a victory for truth over falsehood but also a testament to the resilience of facts in the face of a relentless onslaught of misinformation. It is a reminder that the digital realm, for all its wonders, is also a shadowy theatre where narratives are constructed and deconstructed with alarming ease. The very basis of all the fake narratives that spread around significant events, such as the consecration ceremony of the Ram Temple, is the manipulation of truth, the distortion of reality to serve nefarious ends of spreading misinformation.

Fake Narratives; Misinformation

Consider the elaborate fake narratives spun around the ceremony, where hours have been spent on the internet building a web of deceit. Claims such as 'Mandir wahan nahin banaya gaya' (The temple is not being built at the site of the demolition) and the issuance of new Rs 500 notes for the Ram Mandir were some pieces of misinformation that went viral on social media amid the preparations for the consecration ceremony. These repetitive claims, albeit differently worded, were spread to further a single narrative on the internet, a phenomenon that a study published in Nature said could be attributed to people taking some peripheral cues as signals for truth, which can increase with repetition.

The misinformation incidents surrounding the Ram Temple in Ayodhya are a microcosm of the larger battle between truth and misinformation. The false claims circulating online assert that the ongoing construction is not taking place at the original Babri Masjid site but rather 3 kilometres away. This misinformation, shared widely on social media has been debunked upon closer examination. The claim is based on a screenshot of Google Maps showing two locations: the construction site of the Shri Ram Janmabhoomi Temple and another spot labeled 'Babar Masjid permanently closed' situated 3 kilometers away. The assertion questions the legitimacy of demolishing the Babri Masjid if the temple is being built elsewhere. However, a thorough fact-check reveals the claim to be entirely unfounded.

Deep Scrutiny

Upon scrutiny, the screenshot indicates that the second location marked as 'Babar Masjid' is, in fact, the Sita-Ram Birla Temple in Ayodhya. This is verified by comparing the Google Maps satellite image with the actual structure of the Birla Temple. Notably, the viral screenshot misspells 'Babri Masjid' as 'Babar Masjid,' casting doubt on its credibility. Satellite images from Google Earth Pro clearly depict the construction of a temple-like structure at the precise coordinates of the original Babri Masjid demolition site (26°47'43.74'N 82°11'38.77'E). Comparing old and new satellite images further confirms that major construction activities began in 2011, aligning with the initiation of the Ram Temple construction.

Moreover, existing photographs of the Babri Masjid, though challenging to precisely match, share essential structural elements with the current construction site, reinforcing the location as the original site of the mosque. Hence the viral claim that the Ram Temple is being constructed 3 kilometers away from the Babri Masjid site is indubitably false. Evidence from historical photographs, satellite images and google images conclusively refute this misinformation, attesting that the temple construction is indeed taking place at the same location as the original Babri Masjid.

Viral Misinformation: A false claim based on a misleading Google Maps screenshot suggests the Ram Temple construction in Ayodhya has been covertly shifted 3 kilometres away from its original Babri Masjid site.

Fact Check Revealed: IndiaTVFactCheck debunked the misinformation, confirming that the viral screenshot actually showed the Shri Sita-Ram Birla Temple, not the Babri Masjid site. The Ram Temple is indeed being constructed at its original, intended location, exposing the falsehood of the claim.

Conclusion 

The case of the Ram Temple is a pitiful reminder of the power of misinformation and the significance of fact-checking in preserving the integrity of truth. It is a clarion call to question, to uphold the integrity of facts in a world increasingly stymied in the murky waters of falsehoods. Widespread misinformation highlights the critical role of fact-checking in dispelling false narratives. It serves as a reminder of the ongoing battle between truth and misinformation in the digital age, emphasising the importance of upholding the integrity of facts for a more informed society. 

References 

• https://www.indiatvnews.com/fact-check/fact-check-is-ram-temple-being-built-3-km-away-from-the-birthplace-here-truth-behind-viral-claim-2024-01-19-912633
• https://www.thequint.com/news/webqoof/misinformation-spread-around-events-ayodhya-ram-mandir-g20-elections-bharat-jodo-yatra

‍