The Federal Board of Revenue (FBR), which is a Federal Law Enforcement Agency, is the prime entity responsible for collecting taxes worth trillions of Rupees and is labeled as the largest data centre of Pakistan. On 14th August 2021, citizens who tried to access FBR’s official website were greeted with a message stating: “The FBR’s website is temporarily down for scheduled maintenance”.
FBR, further explained that their technical team is currently migrating services and due to unforeseen anomalies in the migration process, the institution’s services are unavailable. The truth, however, was uncovered when an FBR official stated “It is cyber terrorism on our Independence Day”, revealing that the FBR had fallen victim to a cyberattack which created a National crisis-like situation as the country’s transactions had started getting affected due to the shutdown of all FBR websites and data centers.
Attack vectors
The lack of Digital Logicality in Pakistan can be observed from the fact that there is no clarity on how the hackers managed to break into the FBR’s cyberspace. At this moment in time, there are three different versions of the Modus Operandi of this ambush. The first one is cited by FBR’s technical wing which states that the hackers invaded the system by exploiting the weakest link, which was the Hyper-V software by Microsoft Inc.
The second version states that the hackers disrupted the system by hacking the login ids and passwords of the data center administrators. Another report, which happens to be the third version, was prepared by private and government cybersecurity experts and stated that the hackers used Spear-phishing emails as the medium for this breach.
Read more: Is Pakistan’s cyber security strong enough to protect the country?
In this report, Umair Ali Zafar, Principal Security Engineer at Ebryx, explained that hackers sent emails containing malicious documents in the attachments to FBR officials. These emails appeared as if they came from valid email addresses like the Government of Pakistan, the Ministry of IT and Telecom, but they were actually spoofed.
The documents were composed to gain the interest of the receiver, but when opened, infected the system. All in all, incertitude over the attack vector has not yet been clarified by either the FBR or the Government of Pakistan.
Consequences
HackRead, which is a news platform that centers on InfoSec, Cyber Crime, Privacy, Surveillance and hacking news reported that the confidential data of taxpayers was stolen in this breach. Furthermore, HackRead claimed that FBR’s data was put on sale on a Russian Forum for $30,000. Evidence provided by HackRead:
However, the Finance Minister of Pakistan Shaukat Tarin denied all the claims saying that the hackers were not able to access any data and that none of FBR’s data was sold on the dark web or any Russian Forum. He further stated that the only impact of this cyberattack was that all official websites were brought down for 72 hours.
Read more: An overview of Pakistan’s cyber security policies
According to a widespread notion, the Finance Minister denied HackRead’s claims to conceal the critical extent of the damage. The dilemma regarding the authenticity of the claims made by the Finance Minister prevails to date.
Poor defense or strong offense?
Numerous factors have come to light that unveils that this cyberattack is a result of poor defense and sheer incompetency. For starters, the former Chief US diplomat for South Asian Affairs, Alice Wells, during her visit to Pakistan accused FBR of using a pirated version of Microsoft Hyper-V software and warned that FBR might become a target of cybercrime due to the use of a pirated software.
The FBR, however, put the entire responsibility on its service provider, Pakistan Revenue Automation (PRAL) and did not change its pirated software. Furthermore, In June 2019, the World Bank issued a report which stated: “ICT hardware used by the FBR has already reached its end-of-life, resulting in risks of critical system failure and disruption of operations”. It also approved an $80 Million loan to FBR for its IT up-gradation.
However, most of the amount was not spent on the desired purpose rather it was spent on paying bonuses to FBR employees and other unproductive activities. Another factor that contributes to the poor defense of the cyberspace of FBR is the appointment of non-professional people based on favoritism. These employees instead of focusing on their roles, stay occupied in organizational politics.
Read more: FBR’s Track & Trace system crucial to check mass tax evasion: PM Khan
Most importantly, sources revealed that Pakistan’s Premier Spy Agency had warned FBR that hackers were making attempts to break the data rooms for the last few days and that a serious cyberattack might take place soon. Keeping in mind these utterly ridiculous vulnerabilities, a cyberattack was inevitable.
Way forward
“Third-party view would be taken before any action”, is what Finance Minister Shaukat Tarin said when he was asked about the measures being taken in response to the cyberattack. This, to the mainstream media, appeared as another futile statement meant to draw away attention from the cyberattack and its repercussions.
However, recently, the Government revealed that it is taking the services of an Irish company along with Tania Aidrus who is an Ex-Google Executive currently working to digitize Pakistan, to scrutinize FBR’s Data Centre. Moreover, the Minister told the press that during his tenure, he would not allow the usage of pirated software and would ensure security protocols, which was a very embarrassing statement since the damage had already been done.
Read more: Robotic kill: coming soon to an autonomous battlefield
However, it is possible that this cyber attack had finally triggered Pakistan’s authorities and they are actually making efforts to enhance their virtual environment’s security. It is high time that Pakistan realizes that its IT departments need a major overhaul and not just cosmetic changes.
The Government’s digitization push must be backed by efficient, diligent, highly qualified, competent staff at all levels, effective cybersecurity precautions and strict audits. Failing this, every step towards digitization will turn out to be a nightmare.
Fatima Zainab is a student of BS Strategic and Nuclear Studies at National Defence University. She is an IBM Certified Cyber-security Analyst. She is currently serving YFK- International Kashmir Lobby Group as a Political Lobbyist and is closely associated with Youth Parliament of Pakistan. The views expressed in the article are the author’s own and do not necessarily reflect the editorial policy of Global Village Space.