Star Health Insurance Debacle: Information Warfare Using Fabricated Evidence

On 20 September 2024, CloudSEK’s XVigil discovered the threat actor “xenZen” selling 7TB of data from Star Health Insurance, impacting over 31 million customers. While the data is confirmed authentic, the actor’s claim that the company’s CISO sold it appears fabricated.

CloudSEK TRIAD | Published and last updated September 24, 2024 | Green Alert

Category: Adversary Intelligence | Industry: Insurance | Motivation: Financial & Geopolitical | Region: India/Asia & Pacific | Source*D3

Executive Summary

On 20 September 2024, CloudSEK’s XVigil platform discovered a threat actor, “xenZen,” selling 7TB of sensitive data from Star Health Insurance. The leaked data includes personal and health details of over 31 million customers and insurance claims for nearly 6 million individuals. “xenZen” claims to have acquired the data from Star Health’s CISO and has set up a website and Telegram bots to distribute samples, which appear legitimate.

While the data’s authenticity is confirmed with high confidence, the involvement of the CISO and other executives appears fabricated. This article lays out the likely attack chain and the fabrication methods used by “xenZen”, who has a history of data-breach claims and may have geopolitical motives beyond financial gain.

Analysis and Attribution

Information from the Post

  • On 20 September 2024, CloudSEK’s contextual AI digital risk platform XVigil discovered a threat actor with the moniker “xenZen” selling access to over 7TB of data obtained from Star Health Insurance, an Indian multinational health insurance company headquartered in Chennai.

Post by “xenZen” about selling data obtained from Star Health Insurance

The actor states in the post that the following information has been leaked:

Customer Data Leak

31,216,953 customers (data up to July 2024)

  • Full Name
  • PAN No.
  • Mobile No.
  • Email
  • Date of Birth
  • Residential Address
  • Insured Date of Birth
  • Insured Name
  • Gender
  • Pre-existing Disease
  • Policy Number
  • Health Card
  • Nominee Name
  • Nominee Age
  • Nominee Claim %
  • Nominee Relationship
  • Insured Height
  • Weight
  • BMI and more

Insurance Claims Data Leak

5,758,425 claims (data up to early August 2024)

  • Aadhaar Card Photo
  • PAN Card Photo
  • Detailed Medical/Health Reports
  • Residential Address
  • Contact Details
  • Insurance Claim Details
  • Amount Details and more

The threat actor claims to have bought the data directly from Star Health’s CISO. To lend these claims credibility, the threat actor has gone the extra mile and created a website (fronted by Cloudflare) dedicated to Star Health Insurance’s leaked data. The domain was registered in August 2024, after the date of the alleged conversation with the company’s CISO.

The threat actor also created two Telegram bots to distribute samples of the customer and claims data to a wider audience. Our analysis indicates that the samples are legitimate and do belong to the targeted company.

Desperate Attempts To Make the Executives Look Bad?

  • The threat actor uploaded a video to their dedicated website for this breach, claiming that it shows them negotiating the purchase of the data with the CISO and senior management, i.e. with the company itself. In the video, however, the threat actor did not:
    • Show the complete email headers
    • Refresh the page
  Either step would expose a local edit of the page: a message altered in the browser DOM reverts on reload, and a rendered From: line on screen carries none of the signature or transport headers that identify where a message actually came from.
Snippet from the video shared by “xenZen” claiming the CISO directly interacted with them
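What the missing headers would have shown, as an added example that is not part of the CloudSEK report: a rendered From: line is just text in the page and can be edited in place, but the raw message headers carry a DKIM signature bound to the signing domain and the receiving server's Authentication-Results, neither of which can be produced without the sender's signing key. The checker below parses a pasted header block and reports whether it corroborates the displayed sender. Every domain, address and header value is a constructed placeholder (insurer.example stands in for any corporate mail domain), and the DNS lookup needed to actually verify the DKIM signature is deliberately left out so the script runs offline.

```python
"""Check whether raw email headers support the sender they display.

Added example, not from the CloudSEK report. A screenshot of a mail client
shows only the rendered From: line, which can be edited in the browser DOM.
Raw headers carry a DKIM signature bound to the signing domain and the
receiving server's Authentication-Results, which cannot be produced without
the signer's key. All domains and header values below are constructed.
"""
import email
import re
from email import policy
from email.utils import parseaddr
from typing import Optional


def _dkim_domain(sig_header: str) -> Optional[str]:
    """Extract the d= tag (signing domain) from a DKIM-Signature value."""
    m = re.search(r"(?:^|;)\s*d=([^;\s]+)", sig_header)
    return m.group(1).lower() if m else None


def assess_header_evidence(raw_message: str) -> dict:
    """Return findings on whether the headers corroborate the From: domain.

    Checks, all performed offline on the supplied text:
      * a DKIM-Signature exists and its d= domain matches the From: domain
      * Authentication-Results (added by the receiving MTA) says dkim=pass and spf=pass
      * at least one Received: hop exists; a pasted or DOM-edited message has none
    Full verification would also fetch the DKIM public key from DNS and check
    the signature; that step is left out here to keep the example offline.
    """
    msg = email.message_from_string(raw_message, policy=policy.default)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    dkim_sig = msg.get("DKIM-Signature")
    dkim_dom = _dkim_domain(dkim_sig) if dkim_sig else None
    auth = (msg.get("Authentication-Results") or "").lower()

    findings = {
        "from_domain": from_domain,
        "dkim_signature_present": dkim_sig is not None,
        "dkim_aligned": bool(from_domain) and dkim_dom == from_domain,
        "dkim_pass": "dkim=pass" in auth,
        "spf_pass": "spf=pass" in auth,
        "received_hops": len(msg.get_all("Received") or []),
    }
    findings["verifiable"] = (
        findings["dkim_signature_present"]
        and findings["dkim_aligned"]
        and findings["dkim_pass"]
        and findings["spf_pass"]
        and findings["received_hops"] > 0
    )
    return findings


# Constructed sample 1: what a genuine corporate message looks like on the wire.
GENUINE = """\
Received: from mx.insurer.example (mx.insurer.example [192.0.2.10])
\tby mail.recipient.example with ESMTPS; Tue, 20 Aug 2024 10:11:12 +0000
Authentication-Results: mail.recipient.example; dkim=pass header.d=insurer.example; spf=pass smtp.mailfrom=insurer.example
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=insurer.example; s=sel1; h=from:to:subject; bh=abc=; b=def=
From: CISO <ciso@insurer.example>
To: buyer@anon.example
Subject: Re: access

ok
"""

# Constructed sample 2: a From: line with no transport trail, which is all an
# edited-DOM screenshot can ever show.
DOM_EDITED = """\
From: CISO <ciso@insurer.example>
To: buyer@anon.example
Subject: Re: access

ok
"""

# Constructed sample 3: signed and delivered, but by a domain that is not the
# domain shown in From:.
MISALIGNED = """\
Received: from relay.attacker.example (relay.attacker.example [198.51.100.7])
\tby mail.recipient.example with ESMTPS; Tue, 20 Aug 2024 10:11:12 +0000
Authentication-Results: mail.recipient.example; dkim=pass header.d=attacker.example; spf=pass smtp.mailfrom=attacker.example
DKIM-Signature: v=1; a=rsa-sha256; d=attacker.example; s=sel1; h=from; bh=abc=; b=def=
From: CISO <ciso@insurer.example>
To: buyer@anon.example
Subject: Re: access

ok
"""

if __name__ == "__main__":
    for name, sample in (("genuine", GENUINE), ("dom_edited", DOM_EDITED), ("misaligned", MISALIGNED)):
        print(name, assess_header_evidence(sample))
```

Only the first sample passes every check; the second has no signature and no Received: hops at all, and the third carries a valid-looking signature for a domain that does not match the displayed sender. This is the distinction an investigator needs: a screenshot proves that someone rendered a page, while an exported message with headers can be checked against the signing domain.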

Within the video shared by the threat actor, on the other hand, we saw:

  • Instances where the CISO is allegedly using their corporate email to discuss the sale with the threat actor.
  • Instances where the CISO is talking (crudely) about the involvement of senior executives in this breach.
  • Instances where the CISO is managing the API access provided to the threat actor.
Analyst Note
  1. The threat actor shows two side-by-side conversations between Star Health and themselves. On the left is Tox, a peer-to-peer messaging client used mainly for anonymity; on the right are emails that purport to originate from the CISO’s official mailbox, which is highly unlikely. A page like that can be faked with nothing more than the browser’s “Inspect element” function: editing the rendered HTML makes any message appear to come from an official address, and the edit disappears as soon as the page is refreshed.
  2. The credentials the CISO allegedly handed to the threat actor for API access are part of a separate, earlier credential leak on the dark web.
  3. It is therefore likely that the threat actor used those publicly available credentials, exploited an IDOR (Insecure Direct Object Reference) vulnerability in the API, and dumped the data by walking record identifiers.
  4. The threat actor claims to be from China and has previously shown a geopolitical motive: creating chaos and spreading disinformation among the Indian public.
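The attack chain in analyst notes 2 and 3, as an added example that is neither Star Health's code nor part of the CloudSEK report: a claims API whose handler checks that the caller is logged in but never checks that the requested record belongs to that caller, beside the hardened handler that ties each object to the authenticated principal. With one leaked customer login, the vulnerable handler hands over every record in the table. The endpoint, record layout, user store and tokens are constructed for illustration.

```python
"""Insecure Direct Object Reference in a claims API: vulnerable and hardened.

Added example, not code from Star Health or from the CloudSEK report. The
endpoint, records, user store and tokens are constructed to illustrate the
analyst note: one valid (leaked) credential plus a missing ownership check
lets a caller walk every record by ID.
"""
from __future__ import annotations

import secrets
from dataclasses import dataclass


@dataclass
class Claim:
    claim_id: int
    policy_holder: str          # username of the customer who owns the record
    diagnosis: str
    amount_inr: int


@dataclass
class Session:
    user: str
    token: str


class ClaimsApi:
    """Toy API: a token store plus a claims table keyed by sequential integer."""

    def __init__(self, claims: list[Claim]):
        self._claims = {c.claim_id: c for c in claims}
        self._sessions: dict[str, Session] = {}

    def login(self, user: str, password: str) -> str:
        # Constructed user store; a real system would verify a password hash.
        if _USERS.get(user) != password:
            raise PermissionError("bad credentials")
        token = secrets.token_hex(16)
        self._sessions[token] = Session(user, token)
        return token

    def _session(self, token: str) -> Session:
        try:
            return self._sessions[token]
        except KeyError:
            raise PermissionError("invalid token") from None

    # --- vulnerable: authenticates the caller, never authorizes the object ---
    def get_claim_vulnerable(self, token: str, claim_id: int) -> Claim:
        self._session(token)                 # "is this a logged-in user?"
        return self._claims[claim_id]        # ...then returns anyone's claim

    # --- hardened: binds the object to the authenticated principal ----------
    def get_claim_hardened(self, token: str, claim_id: int) -> Claim:
        session = self._session(token)
        claim = self._claims.get(claim_id)
        # Same error for "not found" and "not yours", so IDs cannot be probed.
        if claim is None or claim.policy_holder != session.user:
            raise LookupError("no such claim")
        return claim


def dump_all(api: ClaimsApi, token: str, fetch, max_id: int) -> list[Claim]:
    """What an attacker with one leaked login does: walk the ID space."""
    out = []
    for claim_id in range(1, max_id + 1):
        try:
            out.append(fetch(token, claim_id))
        except (KeyError, LookupError):
            continue
    return out


# Constructed data: three customers, one of whom has leaked credentials.
_USERS = {"asha": "hunter2", "ravi": "s3cret!", "meera": "correct-horse"}
CLAIMS = [
    Claim(1, "asha", "fracture", 42_000),
    Claim(2, "ravi", "cardiac", 310_000),
    Claim(3, "meera", "maternity", 95_000),
    Claim(4, "ravi", "dental", 8_000),
]


def demo() -> tuple[int, int]:
    """Return (records exposed via the vulnerable path, via the hardened path)."""
    api = ClaimsApi(CLAIMS)
    leaked_token = api.login("asha", "hunter2")   # asha's password was in a dump
    exposed = dump_all(api, leaked_token, api.get_claim_vulnerable, 10)
    contained = dump_all(api, leaked_token, api.get_claim_hardened, 10)
    return len(exposed), len(contained)


if __name__ == "__main__":
    print(demo())   # expected (4, 1)
```

The fix is authorization per object, not stronger authentication: MFA on the login would not have helped once a valid session exists. Returning the same error for missing and foreign records matters too, because a distinguishable "forbidden" response still lets the caller enumerate which IDs exist. Replacing sequential integers with random identifiers is worthwhile defence in depth but is not a substitute for the ownership check.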

Based on the available information, we assess with high confidence that the threat actor holds data that originates from Star Health Insurance. The involvement of the CISO and other executives, however, is highly unlikely and appears fabricated.

Threat Actor Activity and Rating

Threat Actor Profiling
Active since: June 2024
Reputation: 30 (automated reputation granted upon purchasing a rank on BreachForums)
Current status: Active
History: The threat actor claims to be from China and has a history of spreading propaganda. Previously, the threat actor claimed to have compromised Airtel’s servers and claimed responsibility for that data breach; our investigation found that the data samples could be traced to the Indian Telecom Leak of December 2023. The threat actor has also claimed to have sold data originating from the Indian Ministry of External Affairs concerning diplomatic passport holders, and is known for marking overpriced selling threads as sold. While the threat actor’s apparent motivation is financial, the Airtel case adds a geopolitical angle.
Previous targets:
  • Airtel (debunked)
  • Ministry of External Affairs (unverified)
Tactics:
  • Known to spread disinformation
  • Marks potentially unsold data as sold on the forum to build reputation
Rating: Medium

Impact

  • Personal and sensitive health information of over 31 million customers, including medical records, PAN numbers and Aadhaar details, has been leaked, exposing those individuals to identity theft, fraud and targeted phishing.
  • The breach erodes customer trust, damages Star Health’s brand and raises concerns over the company’s data protection practices.
  • Star Health may face regulatory penalties, lawsuits and financial losses under applicable data protection law (e.g., India’s Digital Personal Data Protection Act, 2023, and GDPR where EU residents’ data is involved).

Mitigations

  • Continuously monitor for leaked credentials, which open an entirely different attack surface, and validate whether they are still live on your infrastructure. The CloudSEK XVigil platform does this for our customers today.
  • Test APIs rigorously and frequently for data exposure flaws such as IDOR. CloudSEK BeVigil Enterprise does this.
  • Implement behavioural detection and rate limiting, together with MFA, on customer login endpoints as well as staff ones, to blunt credential stuffing.
  • Encrypt stored and transmitted data, and run regular security audits to identify vulnerabilities.
  • Strengthen access management: limit privileged account access and enforce multi-factor authentication (MFA) for all employees and third parties. Keep an eye out for insider threats.
  • Activate a strong incident response plan: engage with the threat actor where appropriate, notify affected customers, offer identity theft protection services, and work with law enforcement to investigate the breach.
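The behavioural-detection mitigation above, as an added example that is neither CloudSEK's nor Star Health's code: two detectors run over a constructed API access log, one for credential stuffing against the login endpoint (many distinct usernames failing from one IP inside a short window) and one for object-ID enumeration (one principal reading many distinct claim IDs, in sequence, inside a window). The log format, paths, thresholds and sample lines are all assumptions made for the demo.

```python
"""Detect the two behaviours in this report's attack chain from access logs:
credential stuffing against a login endpoint and object-ID enumeration.

Added example, not CloudSEK or Star Health code. The log format
(timestamp ip user method path status), paths, thresholds and the sample
lines are constructed for illustration; tune thresholds on real traffic.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<user>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$"
)
CLAIM_RE = re.compile(r"^/api/v1/claims/(\d+)$")

STUFFING_WINDOW = timedelta(minutes=5)
STUFFING_MIN_USERS = 5      # distinct usernames failing from one IP in the window
ENUM_WINDOW = timedelta(minutes=5)
ENUM_MIN_OBJECTS = 8        # distinct claim IDs one principal pulled in the window


def parse(lines):
    """Yield one dict per well-formed log line; silently skip anything else."""
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d["ts"] = datetime.fromisoformat(d["ts"])
        d["status"] = int(d["status"])
        yield d


def detect_credential_stuffing(events):
    """IPs that fail logins for many *different* usernames within the window."""
    fails = defaultdict(list)
    for e in events:
        if e["path"] == "/api/v1/login" and e["status"] == 401:
            fails[e["ip"]].append((e["ts"], e["user"]))
    alerts = {}
    for ip, attempts in fails.items():
        attempts.sort()
        for i, (t0, _) in enumerate(attempts):       # sliding window from each failure
            users = {u for t, u in attempts[i:] if t - t0 <= STUFFING_WINDOW}
            if len(users) >= STUFFING_MIN_USERS:
                alerts[ip] = len(users)
                break
    return alerts


def detect_enumeration(events):
    """Authenticated principals that read many distinct claim IDs in a window."""
    reads = defaultdict(list)
    for e in events:
        m = CLAIM_RE.match(e["path"])
        if m and e["status"] == 200:
            reads[e["user"]].append((e["ts"], int(m.group(1))))
    alerts = {}
    for user, hits in reads.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            ids = {cid for t, cid in hits[i:] if t - t0 <= ENUM_WINDOW}
            if len(ids) >= ENUM_MIN_OBJECTS:
                # A gap-free run of IDs is the signature of a scripted walk.
                sequential = sorted(ids) == list(range(min(ids), max(ids) + 1))
                alerts[user] = {"distinct_ids": len(ids), "sequential": sequential}
                break
    return alerts


def run(lines):
    """Return (stuffing_alerts_by_ip, enumeration_alerts_by_user)."""
    events = list(parse(lines))
    return detect_credential_stuffing(events), detect_enumeration(events)


# Constructed sample log. A normal customer reads her own two claims; one IP
# then fails six logins under six different usernames, succeeds with a leaked
# account, and walks claim IDs 100..109 one per second.
SAMPLE_LOG = [
    "2024-08-01T09:00:01 203.0.113.5 asha GET /api/v1/claims/1 200",
    "2024-08-01T09:00:09 203.0.113.5 asha GET /api/v1/claims/4 200",
] + [
    f"2024-08-01T09:10:{i:02d} 198.51.100.9 user{i} POST /api/v1/login 401" for i in range(6)
] + [
    "2024-08-01T09:10:07 198.51.100.9 ravi POST /api/v1/login 200",
] + [
    f"2024-08-01T09:11:{i:02d} 198.51.100.9 ravi GET /api/v1/claims/{100 + i} 200" for i in range(10)
]

if __name__ == "__main__":
    stuffing, enumeration = run(SAMPLE_LOG)
    print("credential stuffing:", stuffing)
    print("enumeration:", enumeration)
```

Counting distinct usernames per source IP, rather than raw failures, is what separates stuffing from a single user mistyping a password; counting distinct object IDs per principal, rather than request volume, is what separates a scripted dump from a busy but legitimate session. Both detectors key on the authenticated identity or source address that the API already has, so they can feed a rate limiter or session revocation directly.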

Appendix

Dedicated website created by the threat actor to gain spotlight for this breach

Author

CloudSEK TRIAD

CloudSEK Threat Research and Information Analytics Division
