On 26th March 2020, a hacker with the handle “Bassterlord” claimed, on a Russian hacking forum, to have admin access to an Indian State Tax office’s network. As seen in the image below, the hacker alleges that the Tax office network has 4 devices and that the computer itself holds 800 GB of state documents. The hacker was accepting orders via the forum, Telegram, and email.
Since the post is quite ambiguous, it is not clear whether the hacker is selling the exfiltrated data or only the admin credentials to the systems inside the tax office network. However, as proof of access, the seller posted 5 supporting screenshots. By analysing the screenshots, we have tried to verify the seller’s claims.
Analysis of the seller’s proofs
Screenshot 1: The seller intends this to be proof that State Tax office’s system has been compromised
The image shows that the system has 3 drives:

Drive   Drive name    Drive size (GB)   Data stored (GB)
C       Local Disc    120               80.5
D       New Volume    400               355.3
E       AUDIT         410               400
Since the seller claims to have 800 GB of data, it is likely the aggregate of the New Volume and AUDIT drives, which have a combined size of 810 GB and hold approximately 755 GB of data. The remainder could come from the Local Disc (C).
Since exfiltrating ~800 GB of data is a daunting task that raises alarms, we suspect the hacker may have been selling only access to the server rather than the data itself.
Other observations:
The system has the following network shares:
SERVER-PC
tsclient
Names of sensitive files on the desktop:
Export_Tax
Tele doc.xls
Tele-Directory
Telephone Nos off…
life_time_cal..
mobile_introductory
Book1.xlsx
RomeshAshokbh…
The top left-hand corner of the screenshot has Russian text which translates to “Remote Desktop Connection.” The seller likely obtained Remote Desktop (RDP) access by exploiting an RDP flaw, by using default RDP credentials, or by brute forcing.
Screenshot 2: The seller intends this to be proof of admin rights
The arrow in the image points to a desktop folder titled “admin,” which indicates that the hacker may have logged into the system using Admin credentials.
Screenshot 3: The seller intends this to be proof of access to sensitive documents
The image below is a Certificate of Provisional Registration for P N Goradia & Co. It is also notable that the certificate was issued by the Government of Gujarat, implying that the hacker could have access to a Tax office in that state.
The details of P N Goradia & Co in the certificate match the information in indiamart.com:
P N Goradia & Co.
Address: 302, Taksh Classic Opposite IOC Petrol Pump, Vasna Road, Vasna Road,
Vadodara-390007, Gujarat, India
Mobile: 09825014860
Name: Pradip Nandlal Goradia
Source: https://www.indiamart.com/pn-goradia/
However, GST details of vendors are publicly available, and many such certificates are disclosed by vendors and can be found on the internet. So this screenshot is not incontrovertible proof.
Screenshot 4: The seller intends this to be proof of access to sensitive documents
The image shows the Permanent Account Number (PAN) card of Vishmit Enterprise.
On further verification, we found that the PAN was active but did not match Vishmit Enterprise in the PAN database. However, if the name is modified to Vismit Enterprise, without the “h”, the PAN matches the name in the PAN database. This shows that the PAN is valid and active.
Screenshot 5: The seller intends this to be proof of access to sensitive documents
Sample sensitive data
This screenshot is notable in that it contains sensitive information such as phone numbers, emails, dates, and other fields that are usually not available on the internet.
We verified the phone numbers via Truecaller, and found that most of them belong to the State of Gujarat.
Who is the hacker?
User Handle           bassterlord
Forum joining date    13th May 2019
Points                14
Language              Russian
The hacker’s reputation on the forum:
The hacker has 14 points on the forum, and the user history shows that no other forum user has raised complaints against the hacker. Despite being on the forum for less than 1 year, the user’s history indicates that the hacker is a trusted member.
The hacker’s history of selling RDP access
The user has a history of selling RDP access to other crucial systems on the same forum.
For example, on 23rd March 2020, on a different thread, the user was selling RDP access to corporate systems. Given the hacker’s history of selling RDP access without any complaints from other users, it is likely that the credentials he sells are genuine.
The seller has stopped selling access to the Tax office
Since the post on the forum is now public, the actor has stopped selling access to the Tax office network.
Inference
As per the above analysis, it can be inferred that the forum user obtained RDP access to the Tax office’s server by exploiting recent RDP bugs, via exposed remote desktop credentials, or by brute forcing. The hacker mentions that 4 network devices have been compromised, and one screenshot shows shared network drives. So it is possible that the hacker performed lateral movement to compromise other systems in the network.
Perform forensic analysis to verify the seller’s claims
Check whether the Windows server screenshots shared above actually belong to an Indian State Tax Office’s systems.
Since much of the data is linked to Gujarat, the search can focus on State Tax offices in that state.
Perform an audit check and forensic analysis on the systems for the period on and before the date the details were posted – 26th March 2020 – to check the logs for suspicious RDP logins and exploitation attempts.
Perform an audit check and forensic analysis on the systems for the period after the date the details were posted – 26th March 2020 – to check for data exfiltration.
Tighten RDP access and restrict access from public networks.
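The log review recommended above can be scripted. The following is an added example, not code from the original report or from any tool it names: it triages an export of Windows Security events for the two patterns the analysis points to, RDP logons (event 4624, logon type 10) from public addresses on either side of the 26th March 2020 cut-off, and a burst of failed logons (event 4625) from one source followed by a success, which is the signature of a successful brute force. The pipe-delimited line format and the sample events are constructed for the example; a real investigation would feed it fields parsed from the EVTX export instead.

```python
"""Triage of a Windows Security log export for suspicious RDP activity.

Added example (not from the original report). Assumptions:
  * One event per line:  timestamp|event_id|computer|account|source_ip|logon_type
    (a constructed format standing in for a real EVTX export).
  * Event ID 4624 = successful logon, 4625 = failed logon,
    logon type 10 = RemoteInteractive, i.e. an RDP session.
  * Any address outside RFC 1918 / loopback space counts as public.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Constructed sample export: a short brute-force burst from one public address
# followed by a successful RDP logon as 'admin', some benign internal activity,
# and a further RDP logon from the same public address after the cut-off date.
SAMPLE_LOG = """\
2020-03-24T22:10:05|4625|SERVER-PC|admin|203.0.113.45|10
2020-03-24T22:10:07|4625|SERVER-PC|admin|203.0.113.45|10
2020-03-24T22:10:09|4625|SERVER-PC|admin|203.0.113.45|10
2020-03-24T22:10:11|4625|SERVER-PC|administrator|203.0.113.45|10
2020-03-24T22:10:13|4625|SERVER-PC|admin|203.0.113.45|10
2020-03-24T22:10:40|4624|SERVER-PC|admin|203.0.113.45|10
2020-03-25T09:02:00|4624|SERVER-PC|clerk01|192.168.1.27|10
2020-03-25T09:05:12|4624|SERVER-PC|clerk01|192.168.1.27|3
2020-03-27T01:15:00|4624|SERVER-PC|admin|203.0.113.45|10
"""

POSTING_DATE = datetime(2020, 3, 26, 23, 59, 59)  # date the forum post appeared

INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def is_public(ip):
    """True unless the address sits in a private or loopback range."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def parse_events(text):
    """Parse the constructed export format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, eid, computer, account, src, ltype = line.split("|")
        events.append({"time": datetime.fromisoformat(ts), "event_id": int(eid),
                       "computer": computer, "account": account,
                       "source_ip": src, "logon_type": int(ltype)})
    return events


def rdp_logons_from_public(events, start=None, end=None):
    """Successful RDP logons from public addresses inside [start, end]."""
    return [e for e in events
            if e["event_id"] == 4624 and e["logon_type"] == 10
            and is_public(e["source_ip"])
            and (start is None or e["time"] > start)
            and (end is None or e["time"] <= end)]


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Flag sources with >= threshold failed RDP logons inside `window`, and
    note whether a successful logon from the same source followed within it."""
    failures, successes = defaultdict(list), defaultdict(list)
    for e in events:
        if e["logon_type"] != 10:
            continue
        bucket = failures if e["event_id"] == 4625 else successes
        bucket[e["source_ip"]].append(e["time"])
    findings = []
    for src, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):          # sliding window over failure times
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                last_fail = times[end]
                later = [t for t in successes.get(src, [])
                         if last_fail <= t <= last_fail + window]
                findings.append({"source_ip": src, "failures": count,
                                 "first_failure": times[start], "last_failure": last_fail,
                                 "success_after": min(later) if later else None})
                break                          # one finding per source is enough
    return findings


def main():
    events = parse_events(SAMPLE_LOG)
    print("RDP logons from public IPs on/before posting date:")
    for e in rdp_logons_from_public(events, end=POSTING_DATE):
        print(f"  {e['time']}  {e['account']}  from {e['source_ip']}")
    print("RDP logons from public IPs after posting date (exfiltration window):")
    for e in rdp_logons_from_public(events, start=POSTING_DATE):
        print(f"  {e['time']}  {e['account']}  from {e['source_ip']}")
    for f in detect_bruteforce(events):
        print(f"Brute force from {f['source_ip']}: {f['failures']} failures "
              f"{f['first_failure']}..{f['last_failure']}, success at {f['success_after']}")


if __name__ == "__main__":
    main()
```

Two choices are worth noting. The public/internal split is done against explicit RFC 1918 ranges rather than a library "is_global" helper, so the result does not depend on how a given Python version classifies documentation or carrier-grade NAT space. The brute-force detector only looks at logon type 10, so a noisy internal service account authenticating over the network (type 3) does not drown out the RDP signal; widen the filter if the environment also exposes other interactive logon paths.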