Emails and passwords of hundreds of Union government officials have been exposed to hackers due to the recent data breaches of Air India, Domino’s and Big Basket, the government has warned officials.
The internal communication, accessed by The Hindu, said the compromised emails on government domains such as @nic.in and @gov.in are potential cyber threats as they are being used by “adversaries” to send malicious mails to all government users.
Days after the alert was sent on June 10, several government officials, including those in the Defence Ministry, were targeted by a malicious web link sent on WhatsApp and SMS, asking them to update their vaccination status.
The message asked officials to click on https://covid19india.in to generate a digital certificate of COVID-19 inoculation, redirecting them to a page “@gov.in” that resembles the government website mygov.in, and asked for the official e-mail and password.
According to Rajshekhar Rajaharia, a cyber researcher, the website was hosted in Pakistan in June. “The page mentioned @nic.in email IDs to make the official believe it is a government page. The purpose seemed to be getting the e-mails and passwords of only government officials and getting unauthorised access to government systems; the page does not accept any other domain such as gmail.com,” said Mr. Rajaharia.
Air India informed passengers on May 15 that its passenger service system, provided by the multinational IT company SITA, was subjected to a sophisticated cyber attack in the last week of February, which affected around 45 lakh “data subjects” worldwide registered between August 26, 2011 and February 3, 2021. Government officials are frequent Air India flyers.
The alert sent to officials said, “It is intimated that recent data breaches of Air India and other companies like Domino’s, Big Basket etc. have resulted in exposure of e-mail ID and passwords of many users, which includes lots of government email IDs as well. All such compromised gov. domain emails are potential cyber threats as they are being used by the adversaries to send out malicious mails to all gov email users. It may please be noted that largely these are name based email IDs which are available with the malicious actors.”
It added that the malicious actors try to attack the government officials through various means such as phishing where attackers send e-mails to officials and make them click on such attachment or web-link and provide permission. “Either their systems will get infected/compromised or e-mail credentials will be captured by C&C (command and control) server under control of adversaries… Emails coming from any such random user of .gov domain, on any subject line, asking to click on a link or download an attachment are to be considered as malicious and to be ignored and to be deleted. Users are advised to change the password of their e-mail ID which is registered with Air-India, Dominos etc,” the alert mentioned.
A government official said that while such phishing attempts were common, they had intensified over the past year. The Union Power Ministry on March 1 said “State-sponsored” Chinese hacker groups had targeted various Indian power centres. The U.S. cyber security and intelligence firm Recorded Future discovered that Chinese state-sponsored actors may have deployed malware into Indian power grids and seaports after border tensions between India and China began escalating in May last year.
The National Informatics Centre (NIC) under the IT Ministry provides web hosting services to various ministries and departments through the nic.in and gov.in domains.
The alert said that compromised e-mail IDs on NIC mail had been observed being used to target Government of India officials. It said common users were not able to identify these phishing attacks, as they originated from e-mail IDs of the NIC domain, and as a result, “they fall prey to such attacks and click on malicious attachments/ web links.”
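The phishing message described above (a link to a page that borrows government-looking names and asks for @nic.in credentials) and the alert’s rule that mail from a .gov.in/.nic.in sender asking the reader to click a link is to be treated as malicious can be turned into a simple mail-gateway triage check. The following is an added example written for this article; it is not code from the government, NIC or The Hindu. It uses the domains the article names (gov.in, nic.in, mygov.in, covid19india.in); every other domain and address in it is constructed, and the list of “lookalike” tokens is an assumption a real deployment would maintain itself.

```python
# Added example (not from the article or any government system): triage of links
# in mail that appears to come from government-domain senders, following the
# alert's rule that mail from a .gov.in/.nic.in sender asking the reader to follow
# a link is to be treated as suspect. Domain names other than gov.in, nic.in,
# mygov.in and covid19india.in are constructed for illustration.
import re
from urllib.parse import urlparse

# Domains the article names as genuine government hosting/sites.
OFFICIAL_DOMAINS = ("gov.in", "nic.in", "mygov.in")
# Words a lookalike page borrows to appear official (assumption: a short list
# drawn from the hostnames in the article; a real deployment keeps its own).
LOOKALIKE_TOKENS = ("gov", "nic", "mygov", "covid")

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def host_of(url: str):
    """Return the lowercased hostname of a URL, or None if it cannot be parsed."""
    try:
        return urlparse(url).hostname  # .hostname is already lowercased
    except ValueError:
        return None


def is_official(host: str) -> bool:
    """True when host is an official domain or a subdomain of one.
    The match is on label boundaries, so 'gov.in.example.net' does not qualify."""
    return any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS)


def classify_link(url: str) -> str:
    """Classify one URL as official / lookalike / external / invalid."""
    host = host_of(url)
    if not host:
        return "invalid"
    if is_official(host):
        return "official"
    if any(tok in host for tok in LOOKALIKE_TOKENS):
        return "lookalike"  # official-looking words outside the official domains
    return "external"


def triage_message(sender: str, body: str):
    """Apply the alert's rule to one message and return (verdict, reasons).

    'quarantine' when an official-domain sender pushes a non-official link (the
    compromised-account pattern the alert describes) or any sender pushes a
    lookalike link; 'review' for other external links; otherwise 'allow'.
    """
    sender_domain = sender.rsplit("@", 1)[-1].strip().lower()
    reasons = []
    for url in URL_RE.findall(body):
        kind = classify_link(url)
        if kind != "official":
            reasons.append(f"{kind} link: {url}")
    if not reasons:
        return "allow", reasons
    if is_official(sender_domain) or any(r.startswith("lookalike") for r in reasons):
        return "quarantine", reasons
    return "review", reasons


# Constructed sample messages modelled on the campaign in the article.
SAMPLES = [
    ("desk-officer@nic.in",  # constructed: looks like a compromised official account
     "Please update your vaccination status at https://covid19india.in to generate the certificate."),
    ("circulars@nic.in",     # constructed: genuine-looking internal mail
     "The circular is available at https://www.mygov.in/ for reference."),
    ("billing@vendor.example",  # constructed third party
     "Your invoice is at https://invoices.vendor.example/123"),
]

if __name__ == "__main__":
    for sender, body in SAMPLES:
        verdict, reasons = triage_message(sender, body)
        print(f"{sender:26} -> {verdict:10} {'; '.join(reasons)}")
```

The first sample is quarantined because an official sender points at covid19india.in, which is neither gov.in, nic.in nor mygov.in but borrows the “covid” token; the second is allowed because www.mygov.in sits under a listed official domain; the third only goes to review because neither the sender nor the link claims to be governmental. Matching on label boundaries rather than substrings is what keeps a host such as gov.in.example.net out of the official set while still flagging it as a lookalike.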
The Air India breach involved details such as name, date of birth, contact information, passport information, ticket information, Star Alliance and Air India frequent flyer data, and credit card data, though no passwords or CVV/CVC numbers were affected.
The airline has said that it is “in liaison with various regulatory agencies in India and abroad, and has apprised them about the incident in accordance with its obligations”.
In response to a query from The Hindu on whether it was contacted by Indian cyber security agencies, SITA replied, “SITA has been engaged with and [is] assisting law enforcement agencies in a number of jurisdictions with their investigations into the incident. SITA has also communicated and cooperated with cyber-security and data protection regulators in a number of jurisdictions. We were not approached by the Indian Defence Cyber Agency (DCA)…” The DCA was recently set up under the Integrated Defence Staff to probe cyber security threats.
Mishi Chowdhury of the Software Freedom Law Centre, a digital rights group, said “personal information can be used for identity theft, more phishing attempts and account takeover.”
She added that with work-from-home policies, training and data security have become urgent.
In May, it was revealed that data of 18 crore customers of the pizza vendor, Domino’s India, was compromised and sold on the dark net. Domino’s counsel informed the Delhi High Court earlier this month that hackers illegally accessed the data from the company’s secure computer resource and hosted it on the Internet. The details included phone numbers and location details among others.
In April, the personal data of 2 crore customers of online grocer BigBasket was put for sale on the dark web by hackers.