Introduction

seQtree is led by a team of experts with years of industry experience who regularly monitor the Darknet space for potential threat activities.

Recently our researchers tracked a broadcast advertisement on an IM platform in which an underground actor advertised access to the servers and database dump of an unspecified Internet Registry. Following detailed research and engagement with the threat actor, our team identified the affected organization as IRINN (Indian Registry for Internet Names and Numbers). This was corroborated by the evidence the actor shared. The affected organizations were duly notified with the help of our partner Seqrite.

Details

Here is the detailed sequence of events related to this compromise:

  • Upon noticing the broadcast advertisement, our researchers started gathering background information on the actor.
  • Our researchers observed that the actor’s profile had been created recently, an ongoing trend we have noticed with recent data breaches.
  • Posing as an interested buyer, we persuaded the actor to share further details and received a small sample email list from the allegedly compromised database.
  • The sample contained email addresses belonging to a prominent Indian technology firm and to the Indian government.
  • Upon further probing, the actor shared a text file containing a list of over 6000 email addresses, which helped us understand the widespread impact this breach may have.
  • At this point, the team first considered the possibility that the affected organization was India’s National Internet Registry, IRINN (Indian Registry for Internet Names and Numbers).
  • To confirm our suspicion, we probed the actor for more information. The actor shared screenshots which confirmed that IRINN is the affected organization.
  • Furthermore, the actor hinted at posting advertisements on Darknet forum(s)/marketplace(s).

Following are some of the affected organizations:

Indian Government:
  • UIDAI (Aadhar)
  • DRDO
  • Reserve Bank of India
  • ISRO
  • ISRO Satellite Centre (ISAC)
  • Employees’ Provident Fund Organisation
  • Various Indian state government portals (e.g. Maharashtra Online, MP Online)
  • Vikram Sarabhai Space Centre
  • National Centre for Antarctic and Ocean Research

Telecom / ISPs:
  • Idea Telecom
  • Aircel
  • BSNL
  • You Broadband
  • Spectranet
  • Hathway
  • Sify
  • Tikona

Financial Organizations:
  • Bombay Stock Exchange (BSE)
  • Mastercard / Visa
  • SBI
  • HDFC
  • ICICI Prudential Mutual Fund
  • BNY Mellon
  • IDBI Bank
  • Federal Bank
  • Royal Bank of Scotland
  • Edelweiss Tokio
  • Dena Bank
  • IDFC Bank
  • Canara Bank

Technology Firms:
  • Flipkart
  • Ernst & Young (E&Y)
  • TCS
  • Wipro
  • VMWare
  • eClerx
  • Zoho

Screenshots

Some of the censored screenshots (we have blurred the PII) are attached below.

Screenshot 1

Screenshot 2

Screenshot 3

Assessment

  1. The actor has a database related to IRINN, as well as some database related to APNIC (“apnicdb” in screenshot 1).
  2. The price set by the actor for the database was 15 BTC (approx. 60000 USD at the present rate).
  3. The actor can access the customer portal on IRINN’s website. This indicates that, along with email addresses, the actor may also have access to passwords (as visible in screenshots 2 and 3).
  4. The actor can possibly control IP/ASN allocation/de-allocation for various organizations (as visible in screenshot 2).
  5. The actor may have access to sensitive documents and Personally Identifiable Information (PII) of IRINN users (as visible in screenshot 3).

Latest Update (28th September 2017):

We observed a post which provides a clear indication that the actor has started advertising on Darknet forums as well; screenshot below:

Screenshot (Darknet forum post)

In the post, the actor has asked for 15 BTC in exchange for IRINN’s database.

Conclusion

Assessing from the screenshots and email addresses, we believe this breach could have serious implications for affected organizations.

The forum post suggests that the actor has usernames, passwords, email addresses, organization names, invoices and billing documents, among other records.

The actor may be able to de-allocate/delete IP/ASN assignments, causing outages and denial of service for the affected users and organizations.

seQtree urges all customers of IRINN to change their portal passwords. In cases where customers use the same password elsewhere, this might lead to compromise of those accounts/services as well.

Action

seQtree has been working closely with Seqrite on various research initiatives. Seqrite has been instrumental in communicating with various agencies to ensure that the issue has been addressed at the highest level. We have notified the appropriate government agencies and have received an acknowledgement that the issue has been taken care of.

Hopefully this will not lead to any disruption. Proactive monitoring and reporting in any such case can avert major damage.