At least 3,000 government email IDs with the ‘gov.in’ extension have been found to be compromised and their passwords available in plain text across multiple databases of leaked emails on the deep web and dark web, The Quint has learnt.
At least twenty government entities including Bhabha Atomic Research Centre (BARC), Indian Space Research Organisation (ISRO), Ministry of External Affairs, Ministry of Corporate affairs, Atomic Energy Regulatory Board (AERB), Securities and Exchanges Board of India (SEBI) are among a variety of ministries, departments and statutory bodies that feature in the list of organisations whose officials have had their mail IDs compromised.
Senior officials whose emails appear to be have been compromised include former and current ambassadors, serving and retired scientists in ISRO and senior bureaucrats across state governments and autonomous bodies.
According to independent cyber security researchers who have accessed the databases, a telling pattern among the compromised IDs is the weakness of the passwords.
It is not clear yet if any information from the IDs was accessed by outsiders or whether any information was stolen from the email contents. The revelation, however, raises serious issues:
- Senior government officials, especially scientists working in nuclear technology and research being targeted specifically through possible phishing mails.
- Government bodies and senior officials ignoring basic best practices to ensure security of digital infrastructure.
The Quint had confirmed in November that North Korea-based hackers had stolen information from a cyber attack on Kudankulam Nuclear Power Plant on 3 September. In this context, a look at the list of affected bodies reveals research centres and institutions working on nuclear energy to be the worst affected.
Who Has Been Affected?
According to the ‘E-Mail Policy of The Government of India’ published in 2014, the ‘gov.in’ emails are provided only to government officials under ministries, departments, statutory bodies, autonomous bodies of central and state/UT governments.
Sai Krishna Kothapalli, an alumni of IIT Guwahati who founded Hackrew, a cyber security startup based out of Hyderabad that has been researching data breaches, said the list of over 3,000 government IDs comprise at least twenty different entities.
How the Breached Email IDs Were Detected
The last five years have seen a sharp increase in data breaches. What that means is that hackers have breached data-rich websites like Linkedin, Zomato, Shaadi.com and personal data like email IDs, passwords, phone numbers, credit card details from these leaks ended up on some deep web forums for sale.
India has featured among the countries most targeted and worst affected by ransomware as well as phishing attacks.
Ransomware refers to a malicious software attack which locks an individual’s access to his or her data or device until a ransom is paid.
Phishing is similar, except the malware is intended to infect the target’s device. This could be done to either damage the target’s computer files or extract sensitive information such as usernames, passwords, credit card information from it.
“What we have right now is a culmination of several such breaches that happened in the last seven years, obtained through various channels like some from deep web forums, IRCs, some from other dark web websites,” said Kothapalli.
“Right now, the data is not very public, but if someone is dedicated, and knows their way around the internet, they will find bits and pieces in a couple of days,” Kothapalli added.
Very Weak Passwords
This revelation yet again exposes a number of worrying patterns that India has gained notoriety for. Following are the points that reveal a larger pattern:
Among the most concerning discoveries made by Kothapalli upon accessing the database was the sheer weakness of passwords that appeared alongside the gov.in emails.
A brief analysis of the most commonly used passwords by gov.in email IDs reveals a variety of passwords which have routinely been flagged as easily guessable, commonplace and weak according to the cyber security professional.
While The Quint has accessed the list of gov.in email IDs, it has neither seen nor can independently verify the passwords. However, a check of the mails on the website haveibeenpwned.com reveal all the IDs to have been breached on multiple databases. Some IDs were found to have been breached across five to six sites, according to haveibeenpwned.
According to Kothapalli, who analysed the IDs, hundreds of email IDs had simplistic numeric passwords and commonplace ones that have long been flagged as too weak and prone to being breached.
How exactly are these passwords available though?
"The passwords are available in plain text. That means if an attacker gets access to them, they would be able to login to your email account and other accounts if you are using the same password. This is also known as credential stuffing attack,” he added.
Targeted Attacks on Scientists?
Perhaps the “scariest aspect” of the breach, according to Kothapalli, is the discovery that many credentials were not part of mass breaches of targeted websites. Hence, they did not feature as part of mass dumps of compromised IDs and passwords.
“Right now, we have close to 1.85 billion credentials. Some of these came from breaches from other websites while others came from some secret lists which got leaked from various sources,” said Kothapalli.
These secret lists were not a result of a breach in other websites which leaves the possibility that those users must have been targeted in a different way, like phishing etc, he further added.
Among the worst affected government bodies are those associated with research, development and execution of India’s nuclear program. While the worst affected is Indira Gandhi Centre For Atomic Research, right after it is BARC, followed by ISRO’s Space Application Centre.
Atomic Energy Regulatory Board and Raja Ramanna Centre For Advanced Technology under Dept Of Atomic Energy are also among the breached organisations.
Why is this assertion particularly alarming?
On 6 November, in an exclusive report, The Quint had reported that the cyber attack by suspected North Korea-based hackers on the Kudankulam Nuclear Power Plant in September was intended specifically for information theft and learnt from highly reliable sources that the actors were able to steal technology-related data from the plant’s IT systems.
Among the key claims made by IssueMake Labs, a not-for-profit organisation of South Korean cyber security experts, is that the possible reason behind the attack was to obtain information about thorium-based nuclear power.
The cyber attackers had sent phishing emails with malicious links to many senior nuclear scientists, including former BARC director, Anil Kakodkar, according to IssueMakers Labs.
Moreover, The Quint could confirm on 8 November that the same North Korean actors had also targeted ISRO’s senior scientists as well with phishing emails.
Yash Kadakia, founder of Security Bridge, a Mumbai-based cybersecurity company, told The Quint that he can confirm that the same server that was used to send phishing mails to senior nuclear scientists associated with the Kudankulam Plant was used to send similar emails to an ISRO scientist and other officials on various boards of the space agency.
(At The Quint, we are answerable only to our audience. Play an active role in shaping our journalism by becoming a member. Because the truth is worth it.)