How Significant Was Breach of 6,000 Indian Enterprises?
Analysis: While NIXI Downplays Impact, Others Raise Important Questions
Researchers claim to have discovered information from the servers of 6,000 Indian enterprises, including governmental units, for sale on the dark net. But while the National Internet Exchange of India, the apparent source of the information, is attempting to downplay the incident, others are demanding a clear explanation of just what happened.
Seqrite Cyber Intelligence Lab, the enterprise arm of security firm Quick Heal, came across an advertisement on the dark net offering for sale data from over 6,000 Indian businesses, including government organizations, internet service providers, banks and enterprises. It says the data apparently was obtained from the Indian Registry for Internet Names and Numbers, or IRINN, which comes under the National Internet Exchange of India.
IRINN allocates and registers IP address space and autonomous system numbers for businesses and internet service providers. NIXI is a government-backed non-profit that operates the internet exchange points through which domestic Internet traffic is routed between Indian providers.
IRINN confirms in a statement provided to Information Security Media Group that it was hacked, but it downplays the seriousness of the attack, saying the information stolen was not significant and the intrusion was limited.
"NIXI hereby clarifies that there has been no serious security breach of its IRINN system, as it has a robust security protocol in place. The hacker has no capacity to cause any damage or initiate distributed denial-of-service to any entity who has been allocated Internet resources through IRINN System," according to the statement from NIXI.
"There was an attempt to penetrate the system, and the hacker was able to collect some basic profile information of the contact persons of some of the affiliates which was displayed by him on the dark net," the statement continues. "The existing security protocol of NIXI is robust and capable in countering such attacks. However, following this breach, security protocol has been further strengthened and review of existing infrastructure has also been initiated."
NIXI claims that "our system is secured and our security protocol in practice is capable of handling such attacks. The claim by the actor of dark net is audacious and far from truth."
Some security practitioners, however, say that because the data of so many Indian organizations resides with NIXI, a breach, even if it's relatively small, should be taken seriously.
"How can an organization that allots IPs to the major service providers be so easily vulnerable to an attacker? How come the data was not anonymized?" asks Ritesh Bhatia, cybersecurity consultant at V4Web Cyber Security, a cybersecurity consultancy firm.
"The country's internet infrastructure could have come to a standstill. NIXI and IRINN owe an explanation as to how it happened. And the government needs to ensure that the other such organizations are not following similar security practices."
Among the likely affected government organizations are UIDAI, the Defense Research and Development Organization, the Reserve Bank of India and the Indian Space Research Organization, Rohit Srivastwa, senior director, cyber education and services at Quick Heal Technologies, tells Information Security Media Group.
UIDAI, however, issued a statement saying the "reported breach does not contain any confidential data of UIDAI and has not affected any services provided by the authority." UIDAI is a statutory authority collecting and maintaining the world's largest biometric ID system.
But in a blog, Seqrite asserts: "We believe this compromise could have serious implications for the affected organizations. The forum post suggests that the actor has the username, passwords, emails, organization names, invoices and billing documents, among other documents."
Discovering the Data Leak
The team at Seqrite started an investigation once it noticed an advertisement on the dark web about selling vital information about Indian companies, according to the company's blog.
"The team then contacted the actor [who posted the advertisement] for further details, posing as an interested buyer. Initially, the actor was not willing to disclose the name of affected Internet Registry, however, later agreed to share a small sample of email list from the allegedly compromised database," reads the blog.
In the sample, the investigators from Seqrite noticed the email address of a prominent Indian technology firm and another from the Indian government, according to the blog. At this point, the investigators suspected an attack on IRINN.
"On further probing, the actor agreed to share screenshots, which confirmed our suspicion that the compromise/breach is, unfortunately true and IRINN is the affected organization," the blog says. "If there was a buyer, then the attack on the system could have disrupted the complete Internet in India."
Prashant Pandey, founder and chief knowledge officer at Kratikal Tech, offers a theory on how the breach occurred. "It is a logical conjecture that the attacker used the same vulnerability in Apache Struts as was exploited using the Equifax hack," he says. "Simply put, arbitrary booby-trapped Java codes can be passed as XML objects to the Struts, resulting in unprecedented responses. This might have resulted in data breach. Still, this is the best guess."
Impact of the Breach
Bhatia of V4Web Cyber Security claims that "this attack had the potential to disrupt the internet connectivity of the nation. I hope NIXI takes a serious look at its network security."
Similarly, Rakesh Goyal, director-general, Centre for Research and Prevention of Computer Crimes, believes the hack should not be taken lightly.
"If the hackers can change the IP allocation pool, then [an affected] website will not be available," he notes. "If user credentials are available for sale, then a site can be hijacked, the owner can be changed, the site can be deleted, and so on. It all depends on what type of information is compromised and available for sale."
The hackers likely could at least use the basic information they stole to launch phishing campaigns, sending fake but genuine-looking emails, says Rohan Vibhandik, scientist at the cyber intelligence research center at ABB, a Swedish-Swiss multinational corporation operating mainly in robotics, power, heavy electrical equipment and automation technology. "This [phishing] can be used to introduce bots for ransomware attacks or remote session control scripts to be run on victim's machine," he says. "Though the revealed information is not that critical, it can be misused in several social engineering attacks, which are more brutal than direct infrastructure attacks as they are hard to identify and mitigate."
In the event of a breach, Indian law requires that CERT-In be informed immediately. Practitioners also encourage engaging law enforcement. In this case, however, NIXI apparently did not inform the cyber police.
Balsing Rajput, superintendent of Maharashtra cyber police, says: "We have come to know about the incident from the media. We have contacted Quick Heal for further details on what kind of information has been leaked. We are awaiting the detail.
"Since NIXI hasn't contacted us so far, we will reach out to them as well. At this point in time, I can't comment further as we are investigating the case. Having said that, things often get exaggerated in the media."