Is our GST system safe from a future Petya attack?

A day after the Petya attack, it is now recognized that those who pay ransom for Petya attack may not be able to get the decryption key and decrypt their system back to action.

The attack is now being dubbed as “Not a Ransomware but a Wiper”.

Experts are now realizing that the malware was by design not meant to restore data on payment of ransom. It could be a mistake that the creators of the malware have committed or it could be an attempt by a state actor who wanted to attack Ukraine and wanted to disguise and mislead the security world that it was in deed a ransomware.

For more details one can refer to this article

According to these experts, unlike other ransomware, this malware does not encrypt at the file level. It encrypts the Master Boot Record (MBR) and makes the computer not bootable. Then it scans through the local network and infects other machines using other exploits. The malware replaces MBR with its own version which displays the ransom message.

It is however observed that the current variant of the malware encrypts the Master Boot Record (MBR) but does not keep a copy of the original MBR. Hence on payment of the ransom, the system cannot be recovered.

It is reported that the first around 45 victims who paid the ransom of around US $10500 in Bitcoins have not received the decryption keys.

There is therefore no hope for Pipavav Port or Jawaharlal Nehru Port Trust (JNPT) or any other victim of Petya (also called NotPetya or GoldenEye) to recover the data. They need to dig into their back ups and re construct their lost data.

However, what we in India need to be concerned more about the future attacks of similar nature that may be more devastating than the WannaCry or Petya. We in India are now on the eve of GST implementation and the Aadhar Based Payment systems, both of which have a highly centralized system structure which if infected, can cause havoc across the country.

It is to be noted that the devastation that occurred in Ukraine by  Petya malware was because the malware first infected a program called MeDoc through an official update from the vendor. This was a tax accounting system perhaps widely used in the country and hence it spread like wild fire.

When our GST is in place, we will have a “One Country- One Tax” system and it could bring in many benefits of its own. But at the same time, it may also turn out to be a “One Malware infection Point” in place and God forbid, if this is infected the country’s economic infrastructure may come down.

In a recent press statement, the authorities in charge of GST have stated that due to lack of time, they were not able even to complete the “Functional Testing” fully after the changes that continued upto the last minute. It is therefore reasonable to expect that “Security Testing” has not been also completed.

It is hoped that nothing will go wrong as we function under the Amir Khan’s “Three idiot’s Principle” that “If you believe All is well, then everything will be fine”.

I am sure that enough Poojas have been conducted across the country to ensure that the system works fine. If not, we need to organize such poojas to coincide with the launching of the GST at the midnight hour tomorrow.

But the Murphy’s law says that “If anything can go wrong, it will” and security observers have more faith in this principle than the Three Idiot’s principle.

In a country like India which has a constant terror threat supported by countries like China, there is every possibility that what may normally not go wrong statistically may also go wrong since there are enemies working on destroying the country both from outside and also from within including the political parties like Congress, TMC, National Conference, Communists etc. Hence even if a small vulnerability is found in a system like GST, the possibilities of it being exploited are near certain.

Our response to Petya should therefore include how we face a situation where a Petya type of destructive malware spreads through the GST system.

The first thing the GST authorities as well as all individual assesses should do is to always keep a 100% back up of every document that is created and processed in the system and that such back ups should be maintained in an off the network system which is well protected with a good malware protection system. GST needs to maintain a robust DRP/BCP system to have a parellel system ready for switch over in case the main system comes under a Cyber Attack.

All businesses should ensure that they donot link their operational computers directly to the GST system but use a separate computer to upload and down load documents to GST. Any transfer of files from their current accounting computers and the GST connected computer should be done securely avoiding spread of any malware during the transfer process. Similarly, the main accounting system should be insulated from normal internet activities including e-mail and web surfing. SMEs may find this burdensome but if they need to avoid regretting later, this is a small investment they need to consider.

Since the GST system was built when WannaCry had not yet been recognized as a big threat, it is possible that it might have used all the vulnerabilities that the recent set of malwares have exploited.

I hope the security agencies will be upto the task to super impose ransomware protection on the current GST system and ensure that our national system is well protected.

Refer articles:

GST Network safe from global malware attack, says CEO Prakash Kumar

No time to test software now, says GSTNetwork chairman Navin Kumar

At the same time, for whatever it is worth, we need to declare the GST system as a “Protected System” under Section 70 of ITA 2008 and also make it public that any attack on the GST system will be considered as a “Cyber Terrorist” attack which can immediately invoke international treaties for both investigation and protection.

Naavi

 

About Vijayashankar Na

Naavi is a veteran Cyber Law specialist in India and is presently working from Bangalore as an Information Assurance Consultant. Pioneered concepts such as ITA 2008 compliance, Naavi is also the founder of Cyber Law College, a virtual Cyber Law Education institution. He now has been focusing on the projects such as Secure Digital India and Cyber Insurance
This entry was posted in Cyber Law. Bookmark the permalink.

5 Responses to Is our GST system safe from a future Petya attack?

  1. Even the FinMin Mr Jaitley was on record last week with the same statement… No time for security.

    Angels will soon fear to visit where fools tread!

    About JNPT .. it was interesting to see the absence of NCIIPC and the NCSC flew down to have a chat with them. It remains to be seen how their “reasonable” security is failing them. Against this backdrop I heard that the DG of CERT was boasting abouy the safety of Indian entities.

    Just demonstrates the preparedness or incident response capability at the national level. We are still shooting from the hip and calling ourselves global marksmen!

  2. Marla Mccall says:

    Bitcoin has shown rapid increases over the last years and there are now those that will claim that the success is soon to burst and Bitcoin plummet. Some of us still support the idea of an independent currency away from the control of the financial establishment. We do not accept that the currency is past it’s best. We will be sticking with Bitcoin and I am quite certain that it will continue to rise more rapidly than in the past.

  3. Ward Hewitt says:

    Bitcoin has seen rapid growth during the last years and there will be those who will claim that the success is soon to burst and Bitcoin crumble. Those of us still support the idea of a user owned system outside of the reach of the banks. We will not accept that Bitcoin is finished. We shall be staying with Bitcoin and I am quite certain that Bitcoin will keep rising faster than in the past.

  4. Bitcoin has experienced rapid increases over the last years and there are now some that will claim that the success is about to burst and Bitcoin plummet. Some of us still support the concept of a user owned outside of the reach of the financial establishment. We don’t believe that the currency is past it’s best. We shall be staying with Bitcoin and are quite confident that it will continue to rise more steeply than previously.

    • It is clear from this and the previous comment that a Bitcoin support system is at work to plant favourable content. The day of Bitcoin demise is not far…at least in India. Elsewhere, if economies want to commit harakiri, they are welcome.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.