On 26th March 2020, an actor using the handle “Bassterlord” claimed on a Russian-language hacking forum to have admin access to the network of an Indian state tax office. As seen in the image below, the actor alleges that the tax office network has 4 devices and that the computer itself holds 800 GB of state documents. The actor was accepting orders via the forum, Telegram, and email.
Since the post is ambiguous, it is not clear whether the seller is offering the exfiltrated data or only the admin credentials for the systems inside the tax office network. As proof of access, the seller posted 5 supporting screenshots. By analysing those screenshots, we have tried to verify the seller’s claims.
The image shows that the system has 3 drives:

| Drive | Drive name | Drive size (GB) | Data stored (GB) |
|---|---|---|---|
| C | Local Disc | 120 | 80.5 |
| D | New Volume | 400 | 355.3 |
| E | AUDIT | 410 | 400 |
The seller’s claimed 800 GB is most likely the combined content of the New Volume and AUDIT drives, which together have a capacity of 810 GB and hold approximately 755 GB of data. The remainder could come from the Local Disc (C).
Since exfiltrating ~800 GB is slow and likely to raise alarms on any monitored network, we suspect the seller was offering only access to the server rather than the data itself.
The system has the following network shares:
The top left-hand corner of the screenshot shows Russian text that translates to “Remote Desktop Connection.” The seller most likely obtained Remote Desktop (RDP) access by exploiting an RDP vulnerability, by using default or previously exposed RDP credentials, or by brute forcing the login.
The arrow in the image points to a desktop folder titled “admin,” which suggests that the actor logged into the system with an administrator account.
The image below is a Certificate of Provisional Registration for P N Goradia & Co. Notably, the certificate was issued by the Government of Gujarat, implying that the compromised office may be a tax office in that state.
The details of P N Goradia & Co. in the certificate match the listing on indiamart.com:
Name: P N Goradia & Co.
Address: 302, Taksh Classic, Opposite IOC Petrol Pump, Vasna Road, Vadodara-390007, Gujarat, India
Mobile: 09825014860
Contact name: Pradip Nandlal Goradia
Source: https://www.indiamart.com/pn-goradia/
However, GST registration details of vendors are publicly available, and many such certificates are posted online by the vendors themselves, so this screenshot alone is not incontrovertible proof of access.
The next image shows the Permanent Account Number (PAN) card of Vishmit Enterprise.
On further verification, we found that the PAN was active but did not match the name “Vishmit Enterprise” in the PAN database. With the name changed to “Vismit Enterprise” (without the “h”), the PAN does match the name in the database. This shows that the PAN is valid and active.
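Before spending a lookup against the PAN database, an analyst can run an offline structural check on a PAN and the name printed beside it. The routine below is an added example, not part of the original analysis: it validates the ten-character layout, decodes the holder-type letter (the fourth character) using the commonly documented codes, and compares the fifth character with the initial of the entity name (or, for individuals, the surname, assumed here to be the last token of the name). It cannot confirm that a PAN is active; that still requires the online database. The PAN in the example is constructed and is not the one shown in the screenshot.

```python
import re

# Structural layout of an Indian PAN (10 characters):
#   chars 1-3 : alphabetic series
#   char  4   : holder type (see HOLDER_TYPES below)
#   char  5   : first letter of the holder's surname (individuals) or entity name
#   chars 6-9 : four digits
#   char  10  : alphabetic check character (algorithm not public, so not verified here)
PAN_RE = re.compile(r"^[A-Z]{5}[0-9]{4}[A-Z]$")

# Commonly documented holder-type codes; treated as an assumption in this example.
HOLDER_TYPES = {
    "P": "individual",
    "C": "company",
    "F": "firm",
    "H": "hindu undivided family",
    "A": "association of persons",
    "T": "trust",
    "B": "body of individuals",
    "L": "local authority",
    "J": "artificial juridical person",
    "G": "government",
}


def check_pan(pan: str, holder_name: str) -> dict:
    """Offline sanity check of a PAN against the name printed next to it.

    Returns a dict with:
      valid_format    - True if the layout and holder-type letter are plausible
      holder_type     - decoded meaning of the fourth character, or None
      initial_matches - True/False if the fifth character agrees with the name,
                        None if the format is invalid or the name is empty
    """
    pan = pan.strip().upper()
    result = {"pan": pan, "valid_format": False, "holder_type": None, "initial_matches": None}
    if not PAN_RE.match(pan) or pan[3] not in HOLDER_TYPES:
        return result
    result["valid_format"] = True
    holder = HOLDER_TYPES[pan[3]]
    result["holder_type"] = holder

    tokens = holder_name.strip().upper().split()
    if not tokens:
        return result
    # Individuals encode the surname initial (assumed to be the last name token);
    # every other holder type encodes the first letter of the entity name.
    expected = tokens[-1][0] if holder == "individual" else tokens[0][0]
    result["initial_matches"] = pan[4] == expected
    return result


if __name__ == "__main__":
    # Constructed PAN: 'F' = firm, 'V' = initial of "Vismit Enterprise".
    print(check_pan("ABCFV1234D", "Vismit Enterprise"))
```

Note that the spelling difference the page describes (“Vishmit” vs “Vismit”) would pass this check either way, since both begin with “V”; the exact-name mismatch only surfaces in the online lookup.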
Sample sensitive data
This screenshot is notable in that it contains sensitive information such as phone numbers, email addresses, dates, and other fields that are usually not available on the internet.
We checked the phone numbers via Truecaller and found that most of them belong to subscribers in the state of Gujarat.
| Field | Value |
|---|---|
| User handle | bassterlord |
| Forum joining date | 13th May 2019 |
| Points | 14 |
| Language | Russian |
The actor has 14 points on the forum, and the user history shows that no other forum member has raised a complaint against them. Despite being on the forum for less than a year, the user’s history indicates a trusted member.
The user has a history of selling RDP access to other critical systems on the same forum.
For example, on 23rd March 2020, in a different thread, the user was selling RDP access to corporate networks. Given this history of selling RDP access without any complaints from other members, it is likely that the credentials offered are genuine.
Since the forum post has now become public, the actor has stopped selling access to the tax office network.
From the above analysis, it can be inferred that the forum user obtained RDP access to the tax office’s server, whether by exploiting recent RDP vulnerabilities, through exposed remote desktop credentials, or by brute forcing. The actor states that 4 network devices were compromised, and one screenshot shows mapped network shares, so it is possible that the actor moved laterally to compromise other systems in the network.
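One check a defender of such a server would want, covering the brute-force route discussed both at the Remote Desktop screenshot and in the conclusion above, is a detector over Windows Security log events for the pattern in question: a burst of failed RemoteInteractive (RDP) logons from one source followed by a success from the same source. The code below is an added example and is not part of the forum post or of the analysis; the events are constructed for the example. Event IDs 4625 (failed logon) and 4624 (successful logon) and logon type 10 (RemoteInteractive) are the standard Windows values; the threshold and window are arbitrary tuning choices.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample Windows Security events (not from the page), one dict per event.
# id 4625 = failed logon, 4624 = successful logon; logon_type 10 = RemoteInteractive (RDP).
SAMPLE_EVENTS = [
    {"time": "2020-03-20T02:10:01", "id": 4625, "logon_type": 10, "user": "administrator", "ip": "203.0.113.7"},
    {"time": "2020-03-20T02:10:03", "id": 4625, "logon_type": 10, "user": "admin", "ip": "203.0.113.7"},
    {"time": "2020-03-20T02:10:05", "id": 4625, "logon_type": 10, "user": "admin", "ip": "203.0.113.7"},
    {"time": "2020-03-20T02:10:08", "id": 4625, "logon_type": 10, "user": "admin", "ip": "203.0.113.7"},
    {"time": "2020-03-20T02:10:11", "id": 4625, "logon_type": 10, "user": "admin", "ip": "203.0.113.7"},
    {"time": "2020-03-20T02:10:14", "id": 4624, "logon_type": 10, "user": "admin", "ip": "203.0.113.7"},
    # A normal user mistyping a password once, then logging in: should not be flagged.
    {"time": "2020-03-20T09:00:00", "id": 4625, "logon_type": 10, "user": "clerk1", "ip": "10.0.0.15"},
    {"time": "2020-03-20T09:00:20", "id": 4624, "logon_type": 10, "user": "clerk1", "ip": "10.0.0.15"},
    # A network (type 3) logon is not RDP and is ignored entirely.
    {"time": "2020-03-20T11:00:00", "id": 4624, "logon_type": 3, "user": "svc_backup", "ip": "10.0.0.9"},
]


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Flag source IPs that produced at least `threshold` failed RDP logons
    inside any `window`, and report whether a successful RDP logon from the
    same IP followed the burst (the sign that the brute force worked).

    Returns {ip: {"failures_in_window": n, "users_tried": [...],
                  "success_after_burst": user_or_None}}.
    """
    # ISO-8601 timestamps sort correctly as strings.
    rdp = sorted((e for e in events if e["logon_type"] == 10), key=lambda e: e["time"])
    per_ip = defaultdict(list)
    for e in rdp:
        per_ip[e["ip"]].append(e)

    findings = {}
    for ip, evs in per_ip.items():
        fail_times = [datetime.fromisoformat(e["time"]) for e in evs if e["id"] == 4625]
        # Sliding window: the largest run of failures whose timestamps span <= window.
        best, start = 0, 0
        for end in range(len(fail_times)):
            while fail_times[end] - fail_times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best < threshold:
            continue
        last_fail = fail_times[-1]
        # First successful RDP logon from this IP at or after the last failure.
        success = next(
            (e["user"] for e in evs
             if e["id"] == 4624 and datetime.fromisoformat(e["time"]) >= last_fail),
            None,
        )
        findings[ip] = {
            "failures_in_window": best,
            "users_tried": sorted({e["user"] for e in evs if e["id"] == 4625}),
            "success_after_burst": success,
        }
    return findings


if __name__ == "__main__":
    for ip, finding in detect_rdp_bruteforce(SAMPLE_EVENTS).items():
        print(ip, finding)
```

A hit with `success_after_burst` set is the case this page describes: credentials guessed, then a working RDP session. Hits without a success still show which accounts are being targeted and are the usual trigger for rate limiting or moving RDP behind a VPN or gateway rather than leaving it exposed.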