BOSS OS Hack leads to Indian Military and Government System

What is BOSS

BOSS (Bharat Operating System Solutions) is a GNU/Linux distribution developed by C-DAC, Chennai in order to benefit the usage of Free/Open Source Software in India. What sets BOSS apart is that it was also designed to be used by Indian Army, Indian Navy and various government setups including CDAC the R&D department of Indian government.

Hackers gain access to Indian Military and Government System

Hackers on terms of Anonymity shared that it was 5th October 2015, another day until they hit a jackpot and later managed to infect the “Update Servers” (mirror) of BOSS , and used a 0 day vulnerability to push an updated repository with their C&C Server (Command and Control Server) exploit embedded into it.

Although “until they hit a jackpot” seems a bit off here as the exploit used while hacking BOSS servers include various exploits including ECHOWRECKER and DOPU , these exploits surfaced after Shadow Brokers released the hacking inventory of NSA.

NSA with their Hacking tools helped into hacking BOSS

A question pops up here, how Hackers used tools which were manufactured and maintained by NSA to gain access of Indian Military and Government infrastructure? These hacking exploits were not yet released by Shadow Brokers, so how these Hackers were able to use tools maintained by NSA ? As stated earlier the hack was done on October 2015 at a time when no one knew about “Shadow Brokers” .

What was achieved by hacking BOSS

Hackers told us that after infecting main repository server of Bharat Operating System Solutions , hackers had to work a way to distribute their C&C Virus into every BOSS user which according to them was a “very easy thing to do” , as they just pushed an update, but there was another issue.

After 2 days they had 3 Terabytes of Data flowing back to their servers , a lot of data was very interesting but some Government Offices had “Gigabytes of Pirated Content” which was nothing but a waste of time and resource.

Majority of Indian Army and Indian Navy systems were “Air Gaped” so a custom rubber ducky concept was used to upload all text and presentation documents to C&C Servers.

BOSS was not Defaced

The street hackers we see around would believe a “deface” as an act of Hack, but every time a site gets defaced means the hackers missed an opportunity due to many reasons, may that be lack of skill to further penetrate or act of immaturity that not fully utilizing the access they just go with a lame “Deface”.

Digital India and Threats

India is embracing “Digital India” which is a good initiative in the long run. They are depending more on their own indigenous development, such development does give the ease of mind that whatever is written inside the code of a binary is safe but lacks the “extensive pentesting” required to keep a network secure and safe. The BOSS Hacking of Indian Military (Army and Navy) and Indian Government is a reminder that at times adopting your own technology can do more harm than good.
BOSS is India’s answer to hacks that created havoc in China and the US, or so they claim.

While the main purpose behind using BOSS is to make Indian IT machinery hack-proof, it will also aid towards scaling down the country-wide use of Microsoft Windows in government offices.The current version of BOSS is an update over its 2007-predecessor, that lacked user-friendly features and speedier upgrades.

“We have no dearth of developers here. BOSS has almost all the features that one can get in, say, Windows. The earlier version was less user-friendly and had few features. We will seek help of Indian software biggies to develop it further” confirmed an official.