Hacker claims to have access to Indian State Tax office systems

Russian hacking forum user claims to have Admin access to Indian State Tax office network that contains 800 GB of sensitive data.


Summary

On 26th March 2020, a hacker using the handle “Bassterlord” claimed, on a Russian hacking forum, to have Admin access to an Indian State Tax office’s network. As seen in the image below, the hacker alleges that the Tax office network has 4 devices, and that the computer itself holds 800 GB of state documents. The hacker was accepting orders via the forum, Telegram, and Email.

Bassterlord’s announcement on the hacking forum

Since the post is quite ambiguous, it is not clear if the hacker is selling the exfiltrated data, or only the admin credentials to the systems inside the tax office network. However, as proof of the access, the seller had posted 5 supporting screenshots. By analysing the screenshots, we have tried to verify the seller’s claims. 

Analysis of the seller’s proofs

Screenshot 1: The seller intends this to be proof that State Tax office’s system has been compromised
The system’s 3 drives

The image shows that the system has 3 drives:

Drive   Drive name    Drive size (GB)   Data stored (GB)
C       Local Disc    120               80.5
D       New Volume    400               355.3
E       AUDIT         410               400

Since the seller claims to have 800 GB of data, it is likely the aggregate of the data in the New Volume and AUDIT drives, which have a combined size of 810 GB and hold approximately 755 GB of data. It is also possible that the remaining data could be from the Local Disc (C).

Since exfiltrating ~800 GB of data is a daunting task, and raises alarms, we suspect that the hacker may have been selling only the access to the server, instead of the data itself.

Other observations:

The system has the following network shared systems:

  • SERVER-PC
  • tsclient

Names of sensitive files on the desktop:

  • Export_Tax
  • Tele doc.xls
  • Tele-Directory
  • Telephone Nos off…
  • life_time_cal..
  • mobile_introductory
  • Book1.xlsx
  • RomeshAshokbh…

The top left-hand corner of the screenshot has Russian text which translates to “Remote Desktop Connection.” The seller likely got Remote Desktop (RDP) access by exploiting an RDP flaw, by using default RDP credentials, or by brute forcing.

Remote Desktop Connection notification

Screenshot 2: The seller intends this to be proof of admin rights

Desktop folder titled “admin”

The arrow in the image points to a desktop folder titled “admin,” which indicates that the hacker may have logged into the system using Admin credentials. 


Screenshot 3: The seller intends this to be proof of access to sensitive documents

The image below is a Certificate of Provisional Registration, for P N Goradia & Co. It is also notable that the certificate has been issued by the Government of Gujarat, implying that the hacker could have access to a Tax office in the state. 

Sample GST form

The details of P N Goradia & Co in the certificate match the information in indiamart.com:

P N Goradia & Co.

Address:  302, Taksh Classic Opposite IOC Petrol Pump, Vasna Road, Vasna Road,

Vadodara-390007, Gujarat, India

Mobile: 09825014860

Name: Pradip Nandlal Goradia

Source: https://www.indiamart.com/pn-goradia/

However, GST details of vendors are publicly available, and many such certificates are disclosed by the vendors themselves and can be found on the internet. So, this screenshot is not incontrovertible proof.


Screenshot 4: The seller intends this to be proof of access to sensitive documents

The image shows the Permanent Account Number (PAN) card of Vishmit Enterprise.

Sample PAN card

On further verification, we found that the PAN was active, but did not match Vishmit Enterprise in the PAN database. However, if the name is modified to Vismit Enterprise, without the “h”, the PAN matches the name in the PAN database. This shows that the PAN is valid and active.

Sample PAN card validation

PAN card is active


Screenshot 5: The seller intends this to be proof of access to sensitive documents

Sample sensitive data

This screenshot is notable in that it contains sensitive information such as phone numbers, emails, dates, and other fields which are usually not available on the internet.

We verified the phone numbers via Truecaller, and found that most of them belong to the State of Gujarat. 

Who is the hacker?

User handle          bassterlord
Forum joining date   13th May 2019
Points               14
Language             Russian

Hacker’s profile

The hacker’s reputation on the forum:

The hacker has 14 points on the forum, and the user history shows that no other forum user has raised complaints against the hacker. Despite being on the forum for less than 1 year, the user’s history indicates that the hacker is a trusted member of the forum.

The hacker’s history of selling RDP access 

The user has a history of selling RDP access to other crucial systems on the same forum.

For example, on 23rd March 2020, in a different thread, the user was selling RDP access to corporations. Given the hacker’s history of selling RDP access without any complaints from other users, it is likely that he sells legitimate credentials.

Selling RDP access to corporations


The seller has stopped selling access to the Tax office

Since the post on the forum is now public, the actor has stopped selling access to the Tax office network.

Interactions with the hacker


Inference

As per the above analysis, it can be inferred that the forum user got RDP access to the Tax office’s server, by exploiting the recent RDP bugs, via exposed remote desktop credentials, or by brute forcing. The hacker mentions that 4 network devices have been compromised and one screenshot shows shared network drives. So, it is possible that the hacker performed lateral movement to compromise other systems in the network. 

Perform forensic analysis to verify the seller’s claims
  • Check if the Windows server screenshots shared above, actually belong to an Indian State’s Tax Office’s systems.
  • Since much of the data is linked to Gujarat, the search can focus on State Tax offices in the state. 
  • Perform an audit check and forensic analysis on the systems, on and before the date the details were posted – 26th March 2020 – to check for suspicious RDP logins and exploitation attempts via logs.
  • Perform an audit check and forensic analysis on the systems, after the date the details were posted – 26th March 2020 – to check for data exfiltration. 
  • Tighten the RDP access and restrict the access from public networks.
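The log review in the last three points can be scripted. The following Python triage is an added example written for this article; it is not code from the original post or from the researchers. It assumes the server’s Security log has been exported to JSON records carrying the standard 4624/4625 fields (EventID, TimeCreated, TargetUserName, LogonType, IpAddress), treats the RFC 1918 ranges as the office’s internal network (an assumption; substitute the real ranges), and runs over constructed sample events. It flags RDP sessions (logon type 10) that arrived from outside those ranges, split around 26th March 2020 as the list suggests, and successes preceded by a burst of failures from the same address, which is the brute-forcing pattern the article raises.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Date the access was advertised on the forum. The article suggests reviewing
# logons on/before it (initial intrusion) and after it (follow-on activity).
POST_DATE = datetime(2020, 3, 26, 23, 59, 59)
RDP_LOGON_TYPE = "10"    # Windows LogonType 10 = RemoteInteractive (RDP)
FAILURE_THRESHOLD = 5    # failures before a success that we treat as brute force
WINDOW = timedelta(minutes=15)

# Assumed internal ranges (RFC 1918 + loopback); replace with the office's own.
INTERNAL_NETS = [ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed sample records shaped like 4624/4625 Security events exported to
# JSON. Addresses are documentation ranges; nothing here is from the incident.
SAMPLE_EVENTS = [
    {"EventID": 4625, "TimeCreated": "2020-03-20T02:10:05", "TargetUserName": "administrator", "LogonType": "10", "IpAddress": "198.51.100.23"},
    {"EventID": 4625, "TimeCreated": "2020-03-20T02:10:41", "TargetUserName": "admin", "LogonType": "10", "IpAddress": "198.51.100.23"},
    {"EventID": 4625, "TimeCreated": "2020-03-20T02:11:17", "TargetUserName": "admin", "LogonType": "10", "IpAddress": "198.51.100.23"},
    {"EventID": 4625, "TimeCreated": "2020-03-20T02:11:55", "TargetUserName": "admin", "LogonType": "10", "IpAddress": "198.51.100.23"},
    {"EventID": 4625, "TimeCreated": "2020-03-20T02:12:30", "TargetUserName": "admin", "LogonType": "10", "IpAddress": "198.51.100.23"},
    {"EventID": 4625, "TimeCreated": "2020-03-20T02:13:09", "TargetUserName": "admin", "LogonType": "10", "IpAddress": "198.51.100.23"},
    {"EventID": 4624, "TimeCreated": "2020-03-20T02:14:40", "TargetUserName": "admin", "LogonType": "10", "IpAddress": "198.51.100.23"},
    {"EventID": 4624, "TimeCreated": "2020-03-21T09:00:00", "TargetUserName": "auditclerk", "LogonType": "10", "IpAddress": "10.0.0.15"},
    {"EventID": 4624, "TimeCreated": "2020-03-22T10:00:00", "TargetUserName": "svc_backup", "LogonType": "3", "IpAddress": "10.0.0.20"},
    {"EventID": 4625, "TimeCreated": "2020-03-23T11:00:00", "TargetUserName": "auditclerk", "LogonType": "10", "IpAddress": "10.0.0.15"},
    {"EventID": 4624, "TimeCreated": "2020-03-27T23:30:00", "TargetUserName": "admin", "LogonType": "10", "IpAddress": "203.0.113.7"},
]


def _ts(event):
    """TimeCreated as a datetime (ISO 8601 as exported from the event log)."""
    return datetime.fromisoformat(event["TimeCreated"])


def is_external(ip):
    """True when the source address lies outside the assumed internal ranges.
    Security events record '-' when no address is available; treat as internal."""
    try:
        addr = ip_address(ip)
    except ValueError:
        return False
    return not any(addr in net for net in INTERNAL_NETS)


def rdp_logons(events, start=None, end=None):
    """Successful RDP logons (4624, type 10), optionally limited to [start, end]."""
    out = []
    for e in events:
        if e["EventID"] != 4624 or e["LogonType"] != RDP_LOGON_TYPE:
            continue
        t = _ts(e)
        if (start and t < start) or (end and t > end):
            continue
        out.append(e)
    return sorted(out, key=_ts)


def external_rdp_logons(events, start=None, end=None):
    """RDP logons whose source is not an internal address: the first thing to
    explain on a server that should not be reachable from public networks."""
    return [e for e in rdp_logons(events, start, end) if is_external(e["IpAddress"])]


def brute_force_candidates(events, threshold=FAILURE_THRESHOLD, window=WINDOW):
    """RDP successes preceded by >= threshold RDP failures from the same
    address inside the window: the password-guessing signature."""
    failures = defaultdict(list)
    for e in events:
        if e["EventID"] == 4625 and e["LogonType"] == RDP_LOGON_TYPE:
            failures[e["IpAddress"]].append(_ts(e))
    hits = []
    for s in rdp_logons(events):
        t = _ts(s)
        recent = [f for f in failures[s["IpAddress"]] if t - window <= f <= t]
        if len(recent) >= threshold:
            hits.append({"IpAddress": s["IpAddress"], "user": s["TargetUserName"],
                         "time": s["TimeCreated"], "failures": len(recent)})
    return hits


def triage(events, post_date=POST_DATE):
    """Summary split around the forum post date, as the checklist suggests."""
    return {
        "brute_force": brute_force_candidates(events),
        "external_before_post": external_rdp_logons(events, end=post_date),
        "external_after_post": external_rdp_logons(events, start=post_date),
    }


if __name__ == "__main__":
    for finding, records in triage(SAMPLE_EVENTS).items():
        print(finding)
        for r in records:
            print("   ", r)
```

On a live server the same fields come out of `Get-WinEvent` on the Security log; the script only needs them serialised to JSON. A burst of 4625s followed by a 4624 type 10 from one external address is the pattern to pull the surrounding process and share-access events for, and any external RDP success after the post date is worth treating as the starting point of the exfiltration check.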
