Starhealth Insurance Debacle: Information warfare using fabricated evidence
On 20 September 2024, CloudSEK’s XVigil discovered threat actor “xenZen” selling 7TB of data from Star Health Insurance, impacting over 31 million customers. While the data is confirmed authentic, claims of insider involvement from the company’s CISO appear fabricated.
On 20 September 2024, CloudSEK’s XVigil platform discovered a threat actor, “xenZen,” selling 7TB of sensitive data from Star Health Insurance. The leaked data includes personal and health details of over 31 million customers and insurance claims for nearly 6 million individuals. “xenZen” claims to have acquired the data from Star Health’s CISO and created a website and Telegram bots to share samples, which appear legitimate.
While the data’s authenticity is confirmed with high confidence, the involvement of the CISO and other executives appears fabricated. This article lays out the likely attack chain and the fabrication methods used by “xenZen”, an actor who also has a history of claimed data breaches and may have geopolitical motives beyond financial gain.
Analysis and Attribution
Information from the Post
On 20 SEPTEMBER 2024, CloudSEK’s contextual AI digital risk platform XVigil discovered a threat actor with the moniker “xenZen” selling access to over 7TB of data obtained from Star Health Insurance, an Indian multinational health insurance company headquartered in Chennai.
Post by “xenZen” about selling data obtained from Star Health Insurance
The actor stated in the post that the following information has been leaked:
Customer Data Leak
31,216,953 customers (data till JULY 2024)
Full Name
PAN No.
Mobile No.
Email
Date of Birth
Residential Address
Insured Date of Birth
Insured Name
Gender
Pre-existing Disease
Policy Number
Health Card
Nominee Name
Nominee Age
Nominee Claim %
Nominee Relationship
Insured Height
Weight
BMI and more
Insurance Claims Data Leak
5,758,425 claims (data till early AUG 2024)
Aadhaar Card Photo
PAN Card Photo
Detailed Medical/Health Reports
Residential Address
Contact Details
Insurance Claim Details
Amount Details and more
The threat actor claims to have bought the data directly from Star Health’s CISO. To lend these claims credibility, the threat actor went the extra mile and created a website (protected behind Cloudflare) dedicated to Star Health Insurance’s leaked data. The website was registered in August 2024, after the alleged conversation with the company’s CISO.
The threat actor also created two Telegram bots to disseminate samples of the customer and insurance-claims data to a wider audience. Analysis indicates that the data samples are legitimate and do belong to the targeted company.
Desperate Attempts To Make the Executives Look Bad?
The threat actor uploaded a video on their dedicated website for this breach, claiming that it shows them negotiating the purchase of this data with the CISO and senior management of the company itself. However, the threat actor did not:
Show the complete email header
Refresh the page
Snippet from the video shared by “xenZen” claiming the CISO directly interacted with them
On the other hand, within the video shared by the threat actor, we saw:
Instances where the CISO is allegedly using their corporate email to discuss the sale with the threat actor.
Instances where the CISO is talking (crudely) about the involvement of senior executives in this breach.
Instances where the CISO is managing the API access provided to the threat actor
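The two omissions above (no complete header, no page refresh) matter because a rendered inbox view proves nothing on its own, whereas a full raw message carries a Received chain and Authentication-Results that must agree with the claimed sender. The following Python example is added here and is not CloudSEK's code or anything from the case; the two raw messages are constructed samples with placeholder domains (insurer.example, free-mail.example, recipient.example), and the check flags the kinds of inconsistencies an analyst would look for before accepting a screenshot as evidence.

```python
"""Vet a claimed 'official' email by inspecting its complete headers.

Added example (not CloudSEK's code). A screenshot of a rendered inbox can be
altered in the browser, but the Received chain, envelope sender and
Authentication-Results of the raw message must all agree with the From
domain. Both messages below are constructed samples with placeholder domains.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample 1: headers consistent with a message that really
# transited the claimed sender's mail system.
GENUINE_RAW = """Return-Path: <ciso@insurer.example>
Received: from mail.insurer.example (mail.insurer.example [203.0.113.10])
 by mx.recipient.example with ESMTPS id abc123
Authentication-Results: mx.recipient.example;
 spf=pass smtp.mailfrom=insurer.example;
 dkim=pass header.d=insurer.example;
 dmarc=pass header.from=insurer.example
From: "CISO" <ciso@insurer.example>
To: buyer@recipient.example
Subject: Re: data

body
"""

# Constructed sample 2: the From line claims the corporate domain, but the
# envelope sender and first hop are a free-mail provider and no
# authentication result vouches for the claimed domain.
SUSPECT_RAW = """Return-Path: <random@free-mail.example>
Received: from smtp.free-mail.example (smtp.free-mail.example [198.51.100.7])
 by mx.recipient.example with ESMTPS id def456
Authentication-Results: mx.recipient.example;
 spf=pass smtp.mailfrom=free-mail.example;
 dkim=none;
 dmarc=fail header.from=insurer.example
From: "CISO" <ciso@insurer.example>
To: buyer@recipient.example
Subject: Re: data

body
"""


def auth_results(msg):
    """Map method -> verdict (e.g. {'dkim': 'pass'}) from Authentication-Results."""
    results = {}
    for hdr in msg.get_all("Authentication-Results", []):
        # The first ';'-separated field is the authserv-id, so skip it.
        for part in hdr.split(";")[1:]:
            part = part.strip()
            if not part:
                continue
            method, _, rest = part.partition("=")
            tokens = rest.split()
            results[method.strip().lower()] = tokens[0].lower() if tokens else ""
    return results


def received_hops(msg):
    """Hostnames from the 'from' clause of each Received header, top to bottom.

    Headers are prepended as the mail moves, so the last entry is the
    originating hop.
    """
    hops = []
    for hdr in msg.get_all("Received", []):
        m = re.match(r"\s*from\s+(\S+)", hdr)
        if m:
            hops.append(m.group(1).lower())
    return hops


def _domain(addr_header):
    return parseaddr(addr_header or "")[1].rpartition("@")[2].lower()


def assess(raw_message):
    """Return findings that contradict the From domain; empty list = consistent."""
    msg = message_from_string(raw_message)
    from_domain = _domain(msg.get("From"))
    envelope_domain = _domain(msg.get("Return-Path"))
    auth = auth_results(msg)
    hops = received_hops(msg)
    findings = []
    if envelope_domain and envelope_domain != from_domain:
        findings.append(f"envelope sender {envelope_domain} != From domain {from_domain}")
    if auth.get("dkim") != "pass":
        findings.append(f"dkim={auth.get('dkim', 'absent')}")
    if auth.get("dmarc") != "pass":
        findings.append(f"dmarc={auth.get('dmarc', 'absent')}")
    if hops and not hops[-1].endswith(from_domain):
        findings.append(f"originating hop {hops[-1]} is not under {from_domain}")
    return {"from_domain": from_domain, "findings": findings, "consistent": not findings}


if __name__ == "__main__":
    for label, raw in (("genuine", GENUINE_RAW), ("suspect", SUSPECT_RAW)):
        print(label, assess(raw))
```

The check is deliberately conservative: a single mismatch does not prove forgery (forwarders and mailing lists break alignment legitimately), but a message that fails all four checks while claiming a corporate From address is exactly what an altered inbox view would produce, and the same headers cannot be faked from the recipient's side by editing the page.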
Analyst Note -
The threat actor shared a recording of two side-by-side conversations between themselves and Star Health. The left side of the screen shows Tox, a peer-to-peer messaging platform used primarily for anonymity; the right side shows emails that allegedly originate from the CISO's official mailbox, which is highly unlikely. A rendered email view can be altered with a simple trick such as the browser's "inspect element" function, editing the page's HTML so that the message appears to come from official channels.
The credentials allegedly shared by the CISO with the threat actor to access the API are part of a separate credential breach on the dark web.
It is likely that the threat actor used these publicly available credentials, exploited an IDOR vulnerability in the API, and subsequently dumped the data.
The threat actor belongs to China and has had geopolitical motives to create chaos and spread disinformation among the Indian public.
Based on the available information, we can ascertain with high confidence that the threat actor has data that originates from Star Health Insurance. However, the involvement of the CISO and other executives seems highly unlikely and fabricated, to say the least.
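The attack chain in the analyst note (valid but leaked credentials, then an API that returns any record by id) is an object-level authorization failure, not an authentication failure. The following Python example is added here and is not Star Health's or CloudSEK's code; the policy records, session tokens and access log are constructed placeholders. It shows the vulnerable handler beside its hardened form, and a simple enumeration check over an access log, which is the detection side of the same flaw.

```python
"""Object-level authorization on a policy/claims lookup API.

Added example (not Star Health's or CloudSEK's code). Models the flaw the
analyst note describes: an authenticated caller asks for a record by id and
the vulnerable handler returns it without checking ownership. All records,
tokens and log entries are constructed placeholders.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    policy_id: int
    owner_id: str
    holder_name: str
    pan_masked: str


# Constructed sample records and sessions (token -> user id).
POLICIES = {
    1001: Policy(1001, "user-a", "Holder A", "XXXXX1234X"),
    1002: Policy(1002, "user-b", "Holder B", "XXXXX5678X"),
}
SESSIONS = {"tok-a": "user-a", "tok-b": "user-b"}


class Forbidden(Exception):
    pass


class NotFound(Exception):
    pass


def vulnerable_get_policy(token, policy_id):
    """Checks WHO is calling, never WHETHER they may see this record (IDOR)."""
    if token not in SESSIONS:
        raise Forbidden("no valid session")
    if policy_id not in POLICIES:
        raise NotFound("no such policy")
    return POLICIES[policy_id]


def hardened_get_policy(token, policy_id):
    """Same lookup with an ownership check bound to the session's identity."""
    user = SESSIONS.get(token)
    if user is None:
        raise Forbidden("no valid session")
    policy = POLICIES.get(policy_id)
    # Return one indistinguishable error for "missing" and "not yours", so
    # the response does not reveal which ids exist.
    if policy is None or policy.owner_id != user:
        raise NotFound("no such policy for this account")
    return policy


def is_denied(token, policy_id, handler=hardened_get_policy):
    """True if the handler refuses the request (Forbidden or NotFound)."""
    try:
        handler(token, policy_id)
    except (Forbidden, NotFound):
        return True
    return False


# Constructed access log: user-b's session walking sequential ids, which is
# the pattern a bulk dump through an IDOR leaves behind.
SAMPLE_ACCESS_LOG = (
    [{"token": "tok-a", "policy_id": 1001}] * 3
    + [{"token": "tok-b", "policy_id": 1000 + i} for i in range(120)]
)


def sessions_enumerating(access_log, distinct_id_threshold=50):
    """Sessions that requested an unusually large number of distinct record ids."""
    seen = {}
    for entry in access_log:
        seen.setdefault(entry["token"], set()).add(entry["policy_id"])
    return sorted(t for t, ids in seen.items() if len(ids) >= distinct_id_threshold)


if __name__ == "__main__":
    print("vulnerable:", vulnerable_get_policy("tok-b", 1001))   # another user's record
    print("hardened denies:", is_denied("tok-b", 1001))          # True
    print("enumerating sessions:", sessions_enumerating(SAMPLE_ACCESS_LOG))
```

The threshold in `sessions_enumerating` is an assumption for the sample; in production the comparison would be against a per-endpoint baseline, and the ownership check belongs in the data-access layer so every endpoint inherits it rather than each handler re-implementing it.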
Threat Actor Activity and Rating
Threat Actor Profiling
Active since
June 2024
Reputation
30 [Automated reputation received upon buying a rank on Breachforums]
Current Status
ACTIVE
History
The threat actor claims to be from China and has a history of spreading propaganda. Previously, the threat actor claimed to have compromised Airtel's servers and claimed responsibility for that data breach. However, our investigation revealed that the data samples could be found in the Indian Telecom Leak that happened in December 2023. The threat actor has previously claimed to have sold data originating from the Indian Ministry of External Affairs about Diplomatic Passport Holders, and is known for marking overpriced selling threads as sold. While the apparent motivation of the threat actor may seem to be financial, the Airtel case adds a geopolitical angle to the threat actor's motivations.
Previous Targets
Airtel (debunked)
Ministry of External Affairs (unverified)
Tactics
Is known to spread disinformation
Marks potentially unsold data as sold on the forum to create more reputation
Rating
Medium
Impact
Personal and sensitive health information of over 31 million customers, including medical records, PAN numbers, and Aadhaar details, was leaked, creating privacy and security risks for those individuals.
The breach erodes customer trust, damaging Star Health’s brand image and raising concerns over the company’s data protection practices.
Star Health may face regulatory penalties, lawsuits, and financial losses due to non-compliance with data protection laws (e.g., GDPR, India’s Data Protection Bill).
Mitigations
Continuously monitor for leaked credentials, which open up an entirely different attack surface, and validate those credentials against your own infrastructure. The CloudSEK XVigil platform does this for our customers today.
Rigorous and frequent API testing should be done to check for data exposure flaws. CloudSEK BeVigil Enterprise does this.
Implement behavioural detection, rate limiting and MFA on customer login endpoints as well, to avert credential stuffing attacks.
Implement robust encryption for stored and transmitted data, along with regular security audits to identify vulnerabilities.
Strengthen access management, including limiting privileged account access and implementing multi-factor authentication (MFA) for all employees and third parties. Keep an eye out for insider threats.
Initiate a strong incident response plan, including threat actor engagement and notifying affected customers, offering identity theft protection services, and collaborating with law enforcement to investigate the breach.
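The behavioural-detection mitigation above turns on noticing two patterns in login telemetry: one source hitting many accounts, and one account being hit from many sources. The following Python example is added here and is not CloudSEK's or Star Health's code; the login-audit lines are constructed, and the thresholds and window length are assumptions chosen for the sample rather than recommended production values.

```python
"""Sliding-window detection of credential-stuffing patterns on a login endpoint.

Added example (not CloudSEK's code). Parses constructed login-audit lines of
the form "<ISO timestamp> <ip> <event> <user>" and flags
  (a) a source IP with failures against many distinct accounts in a window, and
  (b) an account receiving failures from many distinct IPs in a window.
Thresholds and the window are assumptions for the sample data.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

T0 = datetime(2024, 9, 20, 10, 0, 0)


def _line(ts, ip, event, user):
    return f"{ts.strftime('%Y-%m-%dT%H:%M:%SZ')} {ip} {event} {user}"


# Constructed sample log (placeholder addresses from RFC 5737 ranges).
SAMPLE_LOG = []
# Pattern (a): one IP tries 40 different accounts, one per second.
for i in range(40):
    SAMPLE_LOG.append(_line(T0 + timedelta(seconds=i), "198.51.100.7", "LOGIN_FAIL", f"cust{i:04d}"))
# Pattern (b): one account is tried from 12 IPs within about half a minute.
for i in range(12):
    SAMPLE_LOG.append(_line(T0 + timedelta(minutes=5, seconds=2 * i), f"203.0.113.{i + 1}", "LOGIN_FAIL", "cust9999"))
# Benign noise: a user mistypes once and then logs in.
SAMPLE_LOG.append(_line(T0 + timedelta(minutes=1), "192.0.2.5", "LOGIN_FAIL", "cust0100"))
SAMPLE_LOG.append(_line(T0 + timedelta(minutes=1, seconds=5), "192.0.2.5", "LOGIN_OK", "cust0100"))


def parse(line):
    ts, ip, event, user = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, event, user


def _trim(window_deque, now, window):
    """Drop entries older than the window from the left of the deque."""
    while window_deque and now - window_deque[0][0] > window:
        window_deque.popleft()


def detect(lines, window=timedelta(seconds=60), ip_account_threshold=20, account_ip_threshold=10):
    """Return sorted (pattern, subject) alerts found in the log lines."""
    per_ip = defaultdict(deque)    # ip   -> deque of (ts, user) failures
    per_user = defaultdict(deque)  # user -> deque of (ts, ip) failures
    alerts = set()
    for ts, ip, event, user in sorted(parse(l) for l in lines):
        if event != "LOGIN_FAIL":
            continue
        q_ip = per_ip[ip]
        q_ip.append((ts, user))
        _trim(q_ip, ts, window)
        if len({u for _, u in q_ip}) >= ip_account_threshold:
            alerts.add(("stuffing-from-ip", ip))
        q_user = per_user[user]
        q_user.append((ts, ip))
        _trim(q_user, ts, window)
        if len({src for _, src in q_user}) >= account_ip_threshold:
            alerts.add(("distributed-on-account", user))
    return sorted(alerts)


if __name__ == "__main__":
    for pattern, subject in detect(SAMPLE_LOG):
        print(pattern, subject)
```

Counting distinct accounts per IP (rather than raw failures) separates stuffing from a single user who keeps mistyping a password, and counting distinct IPs per account catches the distributed variant that per-IP rate limiting alone misses. In practice the alert would feed a step-up challenge or temporary block on the login endpoint, which is the enforcement half of the mitigation.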