A breach at India’s National Internet Registry has led to the database records of some of India’s most important and high-profile organizations, including UIDAI (Aadhaar), DRDO, ISRO, the Reserve Bank of India, the Vikram Sarabhai Space Centre and the Bombay Stock Exchange, among roughly 6000 affected entities, being offered for sale on the DarkNet. This can be a major tool of mass disruption if a state actor gets hold of it.
A breach at IRINN systems could have affected over 6000 Indian ISPs, government bodies and private organisations.
Seqrite’s Cyber Intelligence Labs, working closely with partner seQtree InfoServices, recently tracked a broadcast advertisement on a Darknet platform in which an underground actor advertised access to the servers and database dump of an unspecified Internet Registry. Following detailed research, the team identified the affected organization as India’s National Internet Registry, IRINN (Indian Registry for Internet Names and Numbers), which comes under NIXI (National Internet Exchange of India). The sample screenshots shared by the actor confirmed that the compromise was real.
Has the CIA already stolen India’s #Aadhaar database? https://t.co/hFcALy2Lki #modi
— WikiLeaks (@wikileaks) August 25, 2017
As per standard protocol, we have contacted the appropriate agencies and alerted them to the possible breach at IRINN.
Here is the detailed sequence of events related to this compromise:
-Upon noticing the broadcast advertisement, the seQtree and Seqrite teams began background research on the actor, but this did not yield any concrete information.
-Even after deeper research the team found no relevant data, and it appeared that this actor’s persona had been created recently. This is an ongoing trend the team has noticed with recent data breaches.
-The team then contacted the actor for further details, posing as an interested buyer. Initially the actor was unwilling to disclose the name of the affected Internet Registry; however, he later agreed to share a small sample of the email list from the allegedly compromised database.
-In the sample, the team noticed the email address of a prominent Indian technology firm and another email address belonging to the Indian government. The team then asked for the complete/extensive email list.
-Eventually, the actor agreed to share a text file containing the emails of the affected users/organizations, allegedly from the compromised database(s). The text file contained a list of approximately 6000 emails.
-Some of the most important and high-profile organizations featured in the list. At this point the team first considered the possibility that the affected organization was India’s National Internet Registry, IRINN (Indian Registry for Internet Names and Numbers), which comes under NIXI.
-To confirm our suspicion, we probed the actor further. The actor agreed to share screenshots, which confirmed our suspicion that the compromise/breach is, unfortunately, true and that IRINN is the affected organization.
-The actor also hinted in the chat that if he did not find an interested buyer, he would consider posting the data on Darknet forum(s)/marketplace(s).
-Had he found an interested buyer, an attack on the system could have disrupted Internet IP allocation and, in turn, the whole of the Internet in India.
This can be a major tool of mass disruption if a state actor gets hands on it.
Below is a list of a select few organizations whose services could have been disrupted, along with the sample screenshots that confirm our observation.
Data From UIDAI, ISRO, DRDO, RBI & 6000 Others For Sale On Darknet!