At least 3,000 government email IDs with the ‘gov.in’ extension have been found to be compromised and their passwords available in plain text across multiple databases of leaked emails on the deep web and dark web, The Quint has learnt.
At least twenty government entities, including Bhabha Atomic Research Centre (BARC), Indian Space Research Organisation (ISRO), Ministry of External Affairs, Ministry of Corporate Affairs, Atomic Energy Regulatory Board (AERB) and Securities and Exchange Board of India (SEBI), are among the ministries, departments and statutory bodies whose officials have had their mail IDs compromised.
Senior officials whose emails appear to have been compromised include former and current ambassadors, serving and retired scientists at ISRO and senior bureaucrats across state governments and autonomous bodies.
It is not clear yet if any information from the IDs was accessed by outsiders or whether any information was stolen from the email contents. The revelation, however, raises serious issues:
The Quint had confirmed in November that North Korea-based hackers had stolen information from a cyber attack on Kudankulam Nuclear Power Plant on 3 September. In this context, a look at the list of affected bodies reveals research centres and institutions working on nuclear energy to be the worst affected.
According to the ‘E-Mail Policy of The Government of India’ published in 2014, the ‘gov.in’ emails are provided only to government officials under ministries, departments, statutory bodies, autonomous bodies of central and state/UT governments.
Sai Krishna Kothapalli, an alumnus of IIT Guwahati who founded Hackrew, a Hyderabad-based cyber security startup that has been researching data breaches, said the list of over 3,000 government IDs spans at least twenty different entities.
The last five years have seen a sharp increase in data breaches. Hackers have breached data-rich websites such as LinkedIn, Zomato and Shaadi.com, and personal data from these leaks, including email IDs, passwords, phone numbers and credit card details, has ended up for sale on deep web forums.
Ransomware refers to malicious software that locks an individual’s access to his or her data or device until a ransom is paid.
Phishing is related, but relies on deceiving the target, typically through a fraudulent email or link, into infecting his or her own device with malware. This could be done either to damage the target’s computer files or to extract sensitive information such as usernames, passwords and credit card details from it.
“What we have right now is a culmination of several such breaches that happened in the last seven years, obtained through various channels like some from deep web forums, IRCs, some from other dark web websites,” said Kothapalli.
This revelation yet again exposes a number of worrying patterns that India has gained notoriety for. Following are the points that reveal a larger pattern:
Among the most concerning discoveries made by Kothapalli upon accessing the database was the sheer weakness of passwords that appeared alongside the gov.in emails.
While The Quint has accessed the list of gov.in email IDs, it has neither seen nor can independently verify the passwords. However, a check of the IDs on the website haveibeenpwned.com reveals all of them to have appeared in multiple breached databases. Some IDs were found to have been breached across five to six sites, according to haveibeenpwned.
How exactly are these passwords available though?
“The passwords are available in plain text. That means if an attacker gets access to them, they would be able to login to your email account and other accounts if you are using the same password. This is also known as a credential stuffing attack,” he added.
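One defender-side illustration of the credential stuffing pattern described above, added here as an example and not part of the original report: the script below, written in Python against a constructed sample of webmail authentication log lines in a hypothetical format, flags a source address that tries many distinct accounts within a short window with mostly failures, and lists the accounts that nevertheless logged in successfully during that burst.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (hypothetical format; not real gov.in data).
SAMPLE_LOG = """\
2019-12-01T10:00:01 src=203.0.113.7 user=user1@example.gov.in result=FAIL
2019-12-01T10:00:02 src=203.0.113.7 user=user2@example.gov.in result=FAIL
2019-12-01T10:00:03 src=203.0.113.7 user=user3@example.gov.in result=SUCCESS
2019-12-01T10:00:04 src=203.0.113.7 user=user4@example.gov.in result=FAIL
2019-12-01T10:00:05 src=203.0.113.7 user=user5@example.gov.in result=FAIL
2019-12-01T10:00:06 src=203.0.113.7 user=user6@example.gov.in result=FAIL
2019-12-01T10:05:00 src=198.51.100.9 user=user7@example.gov.in result=FAIL
2019-12-01T10:05:30 src=198.51.100.9 user=user7@example.gov.in result=SUCCESS
"""

LINE_RE = re.compile(r"^(\S+) src=(\S+) user=(\S+) result=(SUCCESS|FAIL)$")

def parse(log_text):
    """Turn log lines into (timestamp, source, user, result) tuples."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, src, user, result = m.groups()
            events.append((datetime.fromisoformat(ts), src, user, result))
    return events

def detect_stuffing(events, window=timedelta(minutes=5), min_users=5, min_fail_ratio=0.6):
    """Flag sources trying many distinct accounts in one window, mostly failing.
    A normal user retrying one account never trips this; a stuffing run does."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev[1]].append(ev)
    alerts = {}
    for src, evs in by_src.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):  # sliding time window over sorted events
            while evs[end][0] - evs[start][0] > window:
                start += 1
            burst = evs[start:end + 1]
            users = {e[2] for e in burst}
            fails = sum(1 for e in burst if e[3] == "FAIL")
            if len(users) >= min_users and fails / len(burst) >= min_fail_ratio:
                if src not in alerts or len(users) > alerts[src]["distinct_users"]:
                    # Successes inside the burst are the accounts to reset first.
                    hits = sorted(e[2] for e in burst if e[3] == "SUCCESS")
                    alerts[src] = {"distinct_users": len(users), "failures": fails,
                                   "successes": hits}
    return alerts
```

Successful logins inside a flagged burst are the likely reused passwords; resetting those accounts and enforcing a second factor on the mail service is the corresponding mitigation.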
Perhaps the “scariest aspect” of the breach, according to Kothapalli, is the discovery that many credentials were not part of mass breaches of targeted websites. Hence, they did not feature as part of mass dumps of compromised IDs and passwords.
“Right now, we have close to 1.85 billion credentials. Some of these came from breaches from other websites while others came from some secret lists which got leaked from various sources,” said Kothapalli.
These secret lists were not a result of a breach in other websites which leaves the possibility that those users must have been targeted in a different way, like phishing etc, he further added.
Atomic Energy Regulatory Board and Raja Ramanna Centre for Advanced Technology, both under the Department of Atomic Energy, are also among the breached organisations.
Why is this assertion particularly alarming?
On 6 November, in an exclusive report, The Quint had reported that the cyber attack by suspected North Korea-based hackers on the Kudankulam Nuclear Power Plant in September was intended specifically for information theft and learnt from highly reliable sources that the actors were able to steal technology-related data from the plant’s IT systems.
Among the key claims made by IssueMakers Labs, a not-for-profit organisation of South Korean cyber security experts, is that the possible reason behind the attack was to obtain information about thorium-based nuclear power.
The cyber attackers had sent phishing emails with malicious links to many senior nuclear scientists, including former BARC director, Anil Kakodkar, according to IssueMakers Labs.
Moreover, The Quint could confirm on 8 November that the same North Korean actors had also targeted ISRO’s senior scientists with phishing emails.
Yash Kadakia, founder of Security Bridge, a Mumbai-based cybersecurity company, told The Quint that he could confirm that the same server used to send phishing mails to senior nuclear scientists associated with the Kudankulam Plant was used to send similar emails to an ISRO scientist and other officials on various boards of the space agency.