800 GB of Indian Tax Office data for sale on Russian hacking forum

Summary

On 26th March 2020, a hacker having the handle “Bassterlord”, on a Russian hacking forum, claimed to have Admin access to an Indian State Tax office’s network. As seen in the image below, the hacker alleges that the Tax office network has 4 devices, and that on the computer itself there is 800 GB of state documents. The hacker was accepting orders via the forum,Telegram, and Email.

Since the post is quite ambiguous, it is not clear if the hacker is selling the exfiltrated data, or only the admin credentials to the systems inside the tax office network. However, as proof of the access, the seller had posted 5 supporting screenshots. By analysing the screenshots, we have tried to verify the seller’s claims.

Analysis of the seller’s proofs

Screenshot 1: The seller intends this to be proof that State Tax office’s system has been compromised

The image shows that the system has 3 drives:

Drive	Drive name	Drive size (GB)	Data stored (GB)
C	Local Disc	120	80.5
D	New Volume	400	355.3
E	AUDIT	410	400

Since the seller claims to have 800 GB of data, it is likely the aggregate of data in the New Volume and AUDIT drives, which has a combined size of 810 GB and approximately 755 GB of data. It is also possible that the remaining data could be from the Local Disc(C).

Since exfiltrating ~800 GB of data is a daunting task, and raises alarms, we suspect that the hacker may have been selling only the access to the server, instead of the data itself.

Other observations:

The system has the following Network Shared Systems

• SERVER-PC
• tsclient

Names of sensitive files on the desktop:

• Export_Tax
• Tele doc.xls
• Tele-Directory
• Telephone Nos off…
• life_time_cal..
• mobile_introductory
• Book1.xlsx
• RomeshAshokbh…

The top left-hand corner of the screenshot has Russian text which translates to “Remote Desktop Connection.” The seller likely got Remote Desktop (RDP) access by exploiting an RDP flaw, by using default RDP credentials, or by brute forcing.

Screenshot 2: The seller intends this to be proof of admin rights 

The arrow in the image points to a desktop folder titled “admin,” which indicates that the hacker may have logged into the system using Admin credentials.

 

Screenshot 3: The seller intends this to be proof of access to sensitive documents

The image below is a Certificate of Provisional Registration, for P N Goradia & Co. It is also notable that the certificate has been issued by the Government of Gujarat, implying that the hacker could have access to a Tax office in the state.

The details of P N Goradia & Co in the certificate match the information in indiamart.com:

P N Goradia & Co.No.

Address:  302, Taksh Classic Opposite IOC Petrol Pump, Vasna Road, Vasna Road,

Vadodara-390007, Gujarat, India

Mobile: 09825014860

Name: Pradip Nandlal Goradia

Source: https://www.indiamart.com/pn-goradia/

However, GST details of vendors are publicly available, and many such certificates are disclosed by vendors, and can be found on the internet. So, this screenshot is no incontrovertible proof.

 

Screenshot 4: The seller intends this to be proof of access to sensitive documents

The image of the Permanent Account Number (PAN) card of Vishmit Enterprise.

On further verification, we found that the PAN was active, but did not match Vishmit Enterprise in the PAN database. However, if the name is modified to Vismit Enterprise, without the “h”, the PAN matches the name in the PAN database. This shows that the PAN is valid and active.

 

 

Screenshot 5: The seller intends this to be proof of access to sensitive documents

Sample sensitive dataThis screenshot is notable in that it contains sensitive information such as Phone numbers, Emails, Dates, and other fields which are usually not available on the internet.

We verified the phone numbers via Truecaller, and found that most of them belong to the State of Gujarat.

Who is the hacker?

User Handle	bassterlord
Forum joining date	13th May 2019
Points	14
Language	Russian

 

The hacker’s reputation on the forum:

The hacker has 14 points on the forum. And the user history shows that no other forum user has raised complaints against the hacker. Despite being on the forum for less than 1 year, the user’s history indicates that the hacker is a trusted member of the forum.

The hacker’s history of selling RDP access 

The user has a history of selling RDP access, to other crucial systems, on the same forum.

For example: on 23rd March 2020, on a different thread, the user was selling RDP access of corporations. Given the hacker’s history of selling RDP access, without any complaints from other users, it is likely that he sells legitimate credentials.

 

The seller has stopped selling access to the Tax office

Since the post on the forum is now public, the actor has stopped selling access to the Tax office network.

 

Inference

As per the above analysis, it can be inferred that the forum user got RDP access to the Tax office’s server, by exploiting the recent RDP bugs, via exposed remote desktop credentials, or by brute forcing. The hacker mentions that 4 network devices have been compromised and one screenshot shows shared network drives. So, it is possible that the hacker performed lateral movement to compromise other systems in the network.

Perform forensic analysis to verify the seller’s claims

• Check if the Windows server screenshots shared above, actually belong to an Indian State’s Tax Office’s systems.
• Since much of the data is linked to Gujarat, the search can focus on State Tax offices in the state.
• Perform an audit check and forensic analysis on the systems, on and before the date the details were posted – 26th March 2020 – to check for suspicious RDP logins and exploitation attempts via logs.
• Perform an audit check and forensic analysis on the systems, after the date the details were posted – 26th March 2020 – to check for data exfiltration.
• Tighten the RDP access and restrict the access from public networks.