
Nepal’s websites are vulnerable to cyber attacks amid legal gaps


Nepal has witnessed an exponential 340 per cent annual growth in publicly reported hacking incidents against private and public sector digital infrastructure, according to police statistics. This surging epidemic of intrusions has been enabled by untreated flaws permeating networks and deficiencies around oversight, allowing websites and databases to be easily penetrated by even novice hackers.

The vectors for such website breaches predominantly include SQL injection attacks and distributed denial of service (DDoS) salvos – together underlying over 85 per cent of documented cybercrime cases with technical evidence and attack forensics.

Compared with Server Loss, SQL injection is a critical vulnerability that can lead to a takeover of the server's database, and it has emerged as the most dominant attack vector currently enabling intrusions against Nepali websites.

Cyber attacks in Nepal


Accounting for over 65 per cent of reported cyber attacks with technical evidence, this technique allows malicious actors to penetrate databases and applications to steal, delete or ransom sensitive information. Structured Query Language (SQL) injections work by inserting adversarial code snippets into application input fields like search bars or login forms on websites. If the user input is not properly sanitised, these commands get interpreted by the backend database to execute arbitrary operations instead of benign functions.

In Nepal, Boolean-based SQL injection has become a particularly widespread way to compromise websites. This method evades detection because the inserted query statements return only TRUE or FALSE conditions. Hackers typically use automated tools with inbuilt exploits that cycle through inserting different Boolean payloads into a target site’s inputs.

Once a vulnerable parameter returning TRUE is discovered, progressively expanded Boolean strings are used to extract and dump database contents. With sites often lacking encryption or access controls between applications and underlying data stores, entire member directories, financial records and more become easily retrievable.
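The unsanitised-input flaw described above, shown beside its fix, as an added example that is not part of the original article. The table, sample rows and function names are constructed for illustration; the check at the end is a regression test a site owner can run against their own query code.

```python
import sqlite3

def make_db():
    # Constructed sample data for this example.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE members (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    db.executemany(
        "INSERT INTO members (name, email) VALUES (?, ?)",
        [("Sita", "sita@example.com"), ("Ram", "ram@example.com")],
    )
    return db

def search_vulnerable(db, term):
    # Weak: user input is concatenated into the SQL text, so the database
    # parses it as part of the statement instead of as a value.
    sql = "SELECT name FROM members WHERE name = '" + term + "'"
    return [row[0] for row in db.execute(sql)]

def search_parameterized(db, term):
    # Hardened: the value is bound as a parameter and is only ever compared
    # as a string; it cannot change the structure of the query.
    sql = "SELECT name FROM members WHERE name = ?"
    return [row[0] for row in db.execute(sql, (term,))]

def responses_differ(search, db, base):
    # Regression check: if an always-true and an always-false condition
    # appended to the input produce different responses, the input is
    # reaching the SQL parser and the query must be fixed.
    true_case = search(db, base + "' AND '1'='1")
    false_case = search(db, base + "' AND '1'='2")
    return true_case != false_case

if __name__ == "__main__":
    db = make_db()
    print("concatenated query leaks a TRUE/FALSE signal:",
          responses_differ(search_vulnerable, db, "Sita"))
    print("parameterized query leaks a TRUE/FALSE signal:",
          responses_differ(search_parameterized, db, "Sita"))
```

With bound parameters the whole input is treated as a literal name, so both probes return the same empty result and there is no TRUE/FALSE signal to observe.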

Other complex SQL injection variants like time-based, error-based or UNION attacks allow more destructive actions like shutting down servers, administering remote commands, or escalating privileged access. However, the prevalent Boolean technique alone allows sufficient monetization of personal information for Nepal’s cyber underground.

Distributed denial of service (DDoS) attacks constitute another prime digital weapon used to target Nepali organizations, underlying 1 in 5 known cyber intrusions. DDoS aims to sabotage the availability of online services by flooding bandwidth capacity with high volumes of bogus traffic, causing temporary but highly disruptive outages.

The resources required to execute even a 15-30 minute DDoS attack capable of downing most Nepali websites are minimal for hackers. Botnets composed of tens of thousands of hijacked Internet of Things devices can be rented for less than USD 20 per hour on shadowy cybercrime-as-a-service platforms.

From script kiddies to political hacktivist groups, all can easily sponsor DDoS campaigns creating digital chaos and erosion of public confidence. The outsized impact results from systemic constraints around website infrastructure locally. A majority of private and public sector sites in Nepal operate on shared hosting servers with limited inbuilt load balancing, caching and attack mitigation capabilities.

When targeted, these servers choke rapidly, succumbing to even 5 Gbps DDoS barrages achievable on hacker budget rates. With the National IT Center consolidating hosting for government sites on centralised infrastructure, attacks pose overcapacity risks for even .gov.np domain stability beyond just the targeted agency.

The challenges and ways to overcome

Photo: Freepik

While Cloudflare DDoS protections are enabled, misconfigurations and the use of outdated CMS tools still allow attackers to bypass the proxy shields and hit origin servers. Beyond infrastructure deficiencies, gaps around incident response and organizational accountability also fuel problems. Website owners deprioritize cybersecurity, while regulators lack mandates enforcing resilience standards. Breaches hence occur in the absence of monitoring, with lengthy outages eroding citizen experience and negligence amplifying the damage.

In conclusion, safeguarding the privacy and security of both private and public data is paramount for the well-being and progress of Nepal. As technology becomes increasingly integrated into our daily lives, the government must prioritise the protection of data by addressing OWASP (Open Web Application Security Project) level vulnerabilities.

By doing so, Nepal can fortify its digital infrastructure against potential threats, ensuring the confidentiality, integrity, and availability of sensitive information. A robust and proactive approach to cybersecurity is essential to safeguarding the interests of individuals, businesses, and the nation as a whole.

The government should invest in comprehensive cybersecurity measures, including regular assessments and updates to identify and mitigate OWASP vulnerabilities. Collaborative efforts between government agencies, private sector entities, and cybersecurity experts can enhance the effectiveness of these initiatives.

By emphasising data protection, the government not only fosters a secure digital environment but also builds trust among citizens and stakeholders. A resilient cybersecurity framework not only protects against potential breaches but also facilitates the sustainable growth of the digital economy. As Nepal progresses in the digital age, a commitment to securing data from OWASP vulnerabilities will contribute significantly to the country’s overall resilience and prosperity.


Chaudhary is a law student at Nepal Law Campus.


Yadav is a law student at Nepal Law Campus.
