Wipro under Cyber Terror threat: “Breaking Bad” in action

It is a grim reminder of the hard times we live in that a threat has been made to WIPRO stating “If a ransom of Rs 500 crores is not made in “Bitcoins”, there would be a “Bio Attack” on Wipro employees through a poisoning of their food chain system or through a drone dispersion of poison through air”. The implication of the threat received by WIPRO seems to be that RICIN, a “Poison” extracted from castor seeds, would be used to cause extensive death within WIPRO.

I consider this not as an issue concerning only WIPRO. This is a Terror threat and the risks may extend far beyond WIPRO. Hence let us proceed to start an extensive debate on the subject starting with this article.

What is RICIN Threat?

“RICIN” is a natural extract from Castor beans and is said to be easily extracted from waste dumps from the castor oil processing industry. It can be transmitted through food, water, air or touch and causes death if ingested in lethal dosage. There is no antidote or vaccine available to the public at this point in time for Ricin poisoning. But flushing out the poison from the system may help in survival of the victim if undertaken quickly.

Ricin became a household name because of a popular TV serial, “Breaking Bad”, aired on US channels. In this serial, it was repeatedly referred to as a means of killing somebody without leaving a forensic trace in the body. It can be used as a powder, a mist, a pill or pellet, and can be dissolved in water and other liquids. This means that a person can contract Ricin poisoning via inhalation or ingestion or through touching a poisoned material such as a letter.

From the medical information available about RICIN poisoning, we understand that

The initial symptoms of Ricin poisoning depend upon both the degree and route of exposure. They may include Fever, Vomiting, Nausea, Severe cough, Abdominal pain, Diarrhea, Dehydration, Flu-like symptoms. Symptoms may occur 12-24 hours after exposure and death can be caused within 72 hours.

(Hence doctors do not have sufficient time to exhaust all “Tests” before deciding on the course of treatment and should not waste time in recommending tests of various kinds.)

Symptomatic poisoning requires to be treated by giving victims supportive medical care to minimize the effects of the poisoning. It is suggested that care could include such measures as helping victims breathe, giving them intravenous fluids, giving them medications to treat conditions such as seizure and low blood pressure, flushing their stomachs with activated charcoal (if the Ricin has been very recently ingested), or washing out their eyes with water if their eyes are irritated.

(This means that the patient should be immediately moved to a proper hospital and medical practitioners should avoid taking the risk of waiting for the symptoms to subside in the ordinary course.)

The medical fraternity may take suitable steps to spread awareness of RICIN poisoning and its symptoms to all medical practitioners.

Now let’s come back to the news report and what the Police can do following the reporting of the incident. The threat has come through an e-mail in the name of Ramesh2@protonmail.com which obviously is a fake ID and requires effort to decipher.

Incidentally, the “Privacy” supporters who often cry foul whenever “Security” concerns are raised and swear by the ToR browsers and the anonymization of internet communication, should now realize what is the threat of such unhindered anonymity.

Similarly, the “Bitcoin” supporters also need to realize how “Bitcoin” has irrevocably become the currency of the terrorists.

Our security response to the incident should be comprehensive and address all direct and indirect issues that enable such terror threats to be held out even in future.

We may try to understand the full details of information available in public domain through this  news report

According to this report,

The anonymous email was sent to multiple recipients, including senior officials of the firm, on 5th May 2017 and claimed that if the Rs 500-crore payment was not made by May 25, the sender would attack Wipro offices in the city using Ricin. The email reportedly stated that Ricin would be used through food served at the cafeteria, dispersed using a flying drone, or even placed on the toilet seat or the toilet paper, etc.

The sender has also reportedly claimed that he has isolated 1 kg of high-quality Ricin and would be sending 2 grams in envelopes to one of Wipro’s offices in the city in the coming days to prove that he was not bluffing. He has also cautioned the firm to be careful while dealing with his ‘sample dose’.

The email according to the report also contained the link to a news item about the mysterious death of 22 stray dogs at Baranagar in Kolkata, uploaded on the portal of a leading English news daily. The incident occurred on January 21 in Baranagar locality where the carcasses of 22 dogs were found on the road near a construction site. The sender claimed that he had isolated a high-quality, beta strain of the toxin and had tested it on those dogs.

Now it is reported that a case has been registered by Bangalore Police as “Cyber Terrorism” (Section 66F of ITA 2000/8). The threat to use a Drone to sprinkle RICIN is interesting as it amounts to use of a “Cyber Tool” to intrude into WIPRO territory without authorization. Additionally, the threat will also be considered as a “Terrorist Act committed with the use of electronic documents” under other Acts. However, there is a need to ensure that the Police do not stop serious action after the registration of the complaint.

Considering the complexity of the investigations, there is a need to declare a “Serious Terror Threat Alert” across Bangalore, and a massive effort to be launched to identify the root of this e-mail threat.

In my opinion, the threat is serious enough to call the NIA and also invoke international cooperation forthwith.

It is recognized that the e-mail is a “Terror Threat” and those who have sent the e-mail and all their accomplices would face a “Life Imprisonment”. If even one person dies from RICIN poison, then the sender of the e-mail and all his accomplices would face “Death penalty”.

In this context, there are several initiatives that the Bangalore Police need to take, some of which I try to list here.

  1. Police should first declare the implication of the case being registered as a terrorist act through a public notice in all TV channels and Press. It should be made clear in this notice that the e-mail threat is being considered as a “Terror Threat” and the perpetrators face the prospect of “Life Imprisonment” and “Death Penalty”.
  2. Police should also make it clear that any person who has information leading to the detection of the sender of the e-mail would be rewarded if he comes up with the information and shares it with the Police.
  3. Police should also make it clear that those who may have information about the sender of the e-mail and do not share it with the Police voluntarily will be considered as “Co-Conspirators”, “Preventing Law Enforcement from catching terrorists” and would be considered as guilty of the same offence which has “Life Imprisonment” and “Death Penalty” as possible punishments.
  4. Police should also make it clear that “Persons who may have information about the sender of the e-mail” could be his friends, colleagues, family members and even the several service providers involved in sending of the e-mail which could include Protonmail.com since the e-mail is said to have been sent from an address “Ramesh2@protonmail.com”
  5. It is possible that the sender of the e-mail could be an “Insider” and there is a reasonable probability that the threat might have come from a frustrated dismissed employee or a current employee who is disgruntled in some way.
  6. It is possible that it is only to create panic and the threat may not be executed.
  7. If the perpetrators are only disgruntled employees and not hard core terrorists, Police clarification that this is “Cyber Terrorism” may make them realize the enormity of the problem that they have unleashed on themselves (maybe out of ignorance).
  8. If the Police promise that any person who voluntarily gives himself up may be considered as “Not having the malicious intention to carry out the threat”, and therefore charges under Cyber Terrorism would not be pressed, perhaps the persons who have committed the offence or any of their friends and family members who wish that the person would at least not be tried for a “Life Imprisonment” or “Death Sentence” even if they have to face the charge for a financial crime involving “Extortion Threat”, may be willing to surrender with information.

If the above strategy fails to make the sender of the e-mail come out within the next 24 hours, we should escalate the issue from local police to NIA and treat it as a national emergency.

The CERT-In should also walk in today voluntarily to assist the WIPRO information security team, the local Police team as well as the NIA and help form a multidisciplinary “Crisis Management Team”.

If the matter is left to the Police alone, there is a possibility that the investigation would drift. There will also be inter-agency rivalry and other issues that may interfere with quick resolution of the problem. The country cannot afford any such inefficiencies to affect this investigation.

Some of the actions that need to be taken in the context of this threat could be…

  1. We should recognize that though the threat has now been made to WIPRO as a financial ransom call, this could be used by a terror organization (such as ISIS) without a financial motive to cause indiscriminate loss of life.
  2. If so, this threat to WIPRO could be a diversion and the real attack may come elsewhere; it could be another IT company, another industry or a five star hotel or any other large congregation of people.
  3. Action should be initiated to ensure that any organization hosting large gatherings where there would be central food distribution is aware of the threat.
  4. Advisory should be selectively issued to all organizations managing centralized kitchens serving food to a large number of persons. The food managers of these establishments have to be called for an awareness briefing and security hardened across the State.
  5. The medical community in Bangalore and hopefully across the State should be alerted about the “Symptoms” and “Response to a suspected RICIN poisoning case”. It is generally understood that if a lethal dose of RICIN is ingested either through food or through air or skin, there is no antidote. However according to some medical advisory, an immediate attempt to remove the poison from the body could help. (Refer here for more details)
  6. We should be alert to other forms of RICIN attacks through letters etc which have been reported earlier in USA (Refer article in slate.com)
  7. India should immediately make a firm declaration that “Bitcoin” is a “commodity” that is banned in India and anyone who is in possession thereof must surrender it to the Government for exchange or face criminal action for possessing a “Banned Tool of Crime”.
  8. Police should alert all Castor oil processors to account for waste disposal and also identify whether any large stock of Castor Oil waste has been bought by any person and, if so, whether such purchase is linked to this threat (or could in future become another threat unconnected with this).
  9. There is a report that antidote has been developed by UK and US Military though they might not have been tested on humans properly. Indian Government should get in touch with these authorities and invite them to join the disaster management team with some stock of sample antidotes so that they can be used if necessary.
  10. There are many leads that the reported incident provides from which it should be possible to identify the sender of the e-mail even if he has used a proxy server. These cannot be discussed in a public forum. Also the Police investigators are much more intelligent than what observers like us can ever be and they should be already on their job. The only thing required is to give them a free hand in the investigation.
  11. I therefore reiterate that giving assistance to Cyber Police of Bangalore in all manner is the prime responsibility of any citizen of Bangalore who is alarmed by the threat.

There could be many other angles that need to be explored. But the key evidence lies with WIPRO, which is reportedly “tightlipped” about the incident. While being “tightlipped” with the media is fine, WIPRO should voluntarily invite CERT IN and NIA to join the probe immediately and share the evidence available with it. It should be ensured that no evidence is destroyed during the internal investigation either by mistake or deliberately.

It would help the investigation if all available resources national and international are gathered for effective investigation. I call upon the PMO to advise the necessary agencies to set up a “Serious Cyber Incident Management Team” and proceed for investigation.

As regards trying to persuade the offenders to surrender, even if the Police fail to issue their own public notification as I have suggested, this article published on the internet is a public notice. Hence any person having knowledge of the crime should consider themselves notified that they would be considered accomplices of the terrorist act if they do not immediately disclose information within their knowledge to the appropriate authority.

This is also friendly advice to the person who has sent the e-mail and his friends and relatives, that if any of them come out voluntarily and disclose useful information, and/or surrender, the charges on “Cyber Terrorism” may either be dropped or may not easily sustain in further trials and they will face a lesser charge and lesser punishment than life imprisonment or death penalty.

In particular, I request the family members and friends of the sender of the e-mail to either persuade him/her to surrender or voluntarily disclose his identity for his/her own good. If they have any difficulty contacting the Cyber Crime Police of Bangalore for this purpose, they are welcome to contact me for guidance.

Hope this incident will not materialize in all its ugly manifestations that it threatens. But there should be no complacency either by WIPRO, CERT IN or other establishments including the State and Central Governments.

I am forwarding a copy of this article to the new CERT IN Director General and hope he would swing into action before the end of the  day if he has not already done.

Naavi

Also Refer:

Regarding the stray dogs killed

Beware of Cyber Stone Pelters


Update: 8th May 2017

The complaint has now been transferred from the Cyber Crime Police Station to Bellandur Police Station and the investigation is likely to continue as a terror threat in the physical space. It is likely to be treated as one of the many e-mail threats that float around.

The charges under Section 66F are likely to be replaced with Section 66C/66D along with sections from IPC and Unlawful Activities Prevention Act. There is no indication at present of the incident being treated seriously and hence no NIA angle is likely to be there.

Let’s hope that the threat remains a prank and does not escalate.


 Update: 11th May 2017

Also see report in ISMG


About Vijayashankar Na

Naavi is a veteran Cyber Law specialist in India and is presently working from Bangalore as an Information Assurance Consultant. Having pioneered concepts such as ITA 2008 compliance, Naavi is also the founder of Cyber Law College, a virtual Cyber Law Education institution. He has now been focusing on projects such as Secure Digital India and Cyber Insurance.