Researcher says ISRO, IGCAR, BARC, SEBI among organisations hit

An independent security researcher has alerted the National Critical Information Infrastructure Protection Centre, Government of India, that the credentials of the official email accounts of at least 3,000 employees working in sensitive establishments such as the Indira Gandhi Centre for Atomic Research (IGCAR), Bhabha Atomic Research Centre (BARC), Indian Space Research Organisation (ISRO) and Securities and Exchange Board of India (SEBI), among others, have been hacked in various data breaches.

Sai Krishna Kothapalli, Founder, Hackrew, analysed data leaks from several services spanning the last six years and compiled a dossier of the leaked credentials from various websites on the “dark web”, among other resources. This data was highly disorganised initially, as it came from several sources over a long period and each data breach gave results in a different format.

Shocking results

The results of Mr. Kothapalli’s analysis revealed that 3,202 accounts with addresses ending in “gov.in” were hacked and their login names and passwords made available in plain text over the deep web. “The findings came as a rude shock. I had never expected such a large-scale attack which could possibly be targeted towards some specific organisations. For example, IGCAR, with 365 employee email credentials leaked, is on the top. It is closely followed by BARC, with 325 accounts. What blows my mind is that the two top organisations that deal with atomic research top this list. There is no logical explanation to this other than the possibility that these organisations were specifically targeted, which is why the count of leaked data is so high compared to other organisations,” Mr. Kothapalli told The Hindu on Monday.

Before the analysis, he said, a thorough clean-up had to be performed to separate the email IDs and passwords and arrange them in a format legible enough to carry out a detailed analysis. The data was checked against a third-party service called “Have I been pwned”, a website that allows internet users to check whether their personal data has been compromised by data breaches. The Hindu independently checked some of the email IDs of employees (including scientists) belonging to the aforementioned organisations, provided by Mr. Kothapalli, on the website and found that they had indeed been compromised in data breaches.

A Computer Science and Engineering graduate from IIT-Guwahati, Mr. Kothapalli has a start-up that is working towards making Indian cyberspace more secure. “I tried to make some correlation as to why atomic research organisations were leaked more. My analysis revealed that several of these accounts were not part of any data breach. This leaves only one conclusion – they must have been victims of a targeted phishing campaign,” he said.

The results of Mr. Kothapalli’s research show that 85% (out of a total of 1.85 billion) of the passwords were in plain text. Out of these, the ones belonging to government employees were all in plain text, without exception. This means that these emails have not only been compromised, but the respective passwords have been made available in plain text in various leaked databases across the dark web. In layman’s terms, this implies that if the employees use the same email ID-password combinations for any other web-based services, then there is a high probability that all those services will also be compromised.

The Hindu sent an email query to the Secretary, Department of Atomic Energy, Mumbai, asking about the seriousness of the breaches, if they occurred at all. However, there was no response. When contacted, the Public Relations Officer of IGCAR, Kalpakkam, quoting the Director of the facility, said that the hacking of emails was “old news” and there was no breach of classified data. Computer engineers were working on the issue, she said.

Mr. Kothapalli said: “I am in the process of finishing the remaining investigation and contacting the respective government organisations to alert them on this issue. It is not just government organisations, but the details of the employees of several multinational companies, Indian companies etc. have also been leaked. At this stage, it is important to be proactive, revoke those credentials and take proper security measures. It is high time that two-factor authentication is introduced to access email accounts of employees in sensitive organisations. Another simple measure that will prevent damage from future attacks is to use a password manager and set separate passwords for various web-based services.” The Government of India is yet to contact him following the alert sent on Monday, he added.