800 GB of Indian Tax Office data for sale on Russian hacking forum

In a grave attempt to target the Indian Tax Office, a scammer, Bassterlord, sells access to its network and advertises the sensitive data gathered.
Updated on
April 19, 2023
Published on
April 6, 2020
Read MINUTES
5
Subscribe to the latest industry news, threats and resources.

Summary

On 26th March 2020, a hacker having the handle “Bassterlord”, on a Russian hacking forum, claimed to have Admin access to an Indian State Tax office’s network. As seen in the image below, the hacker alleges that the Tax office network has 4 devices, and that on the computer itself there is 800 GB of state documents. The hacker was accepting orders via the forum,Telegram, and Email.
Bassterlord's announcement on the hacking forum
Bassterlord’s announcement on the hacking forum
Since the post is quite ambiguous, it is not clear if the hacker is selling the exfiltrated data, or only the admin credentials to the systems inside the tax office network. However, as proof of the access, the seller had posted 5 supporting screenshots. By analysing the screenshots, we have tried to verify the seller’s claims.

Analysis of the seller’s proofs

Screenshot 1: The seller intends this to be proof that State Tax office’s system has been compromised
The system's 3 drives
The system’s 3 drives
The image shows that the system has 3 drives:
Drive
Drive name
Drive size (GB)
Data stored (GB)
C Local Disc 120 80.5
D New Volume 400 355.3
E AUDIT 410 400
Since the seller claims to have 800 GB of data, it is likely the aggregate of data in the New Volume and AUDIT drives, which has a combined size of 810 GB and approximately 755 GB of data. It is also possible that the remaining data could be from the Local Disc(C). Since exfiltrating ~800 GB of data is a daunting task, and raises alarms, we suspect that the hacker may have been selling only the access to the server, instead of the data itself.
Other observations:
The system has the following Network Shared Systems
  • SERVER-PC
  • tsclient
Names of sensitive files on the desktop:
  • Export_Tax
  • Tele doc.xls
  • Tele-Directory
  • Telephone Nos off…
  • life_time_cal..
  • mobile_introductory
  • Book1.xlsx
  • RomeshAshokbh…
The top left-hand corner of the screenshot has Russian text which translates to “Remote Desktop Connection.” The seller likely got Remote Desktop (RDP) access by exploiting an RDP flaw, by using default RDP credentials, or by brute forcing.
Remote Desktop Connection notification
Remote Desktop Connection notification
Screenshot 2: The seller intends this to be proof of admin rights 
Desktop folder titled “admin”
Desktop folder titled “admin”
The arrow in the image points to a desktop folder titled “admin,” which indicates that the hacker may have logged into the system using Admin credentials.  
Screenshot 3: The seller intends this to be proof of access to sensitive documents
The image below is a Certificate of Provisional Registration, for P N Goradia & Co. It is also notable that the certificate has been issued by the Government of Gujarat, implying that the hacker could have access to a Tax office in the state.
Sample GST form
Sample GST form
The details of P N Goradia & Co in the certificate match the information in indiamart.com: P N Goradia & Co.No. Address:  302, Taksh Classic Opposite IOC Petrol Pump, Vasna Road, Vasna Road, Vadodara-390007, Gujarat, India Mobile: 09825014860 Name: Pradip Nandlal Goradia Source: https://www.indiamart.com/pn-goradia/ However, GST details of vendors are publicly available, and many such certificates are disclosed by vendors, and can be found on the internet. So, this screenshot is no incontrovertible proof.  
Screenshot 4: The seller intends this to be proof of access to sensitive documents
The image of the Permanent Account Number (PAN) card of Vishmit Enterprise.
Sample PAN card
Sample PAN card
On further verification, we found that the PAN was active, but did not match Vishmit Enterprise in the PAN database. However, if the name is modified to Vismit Enterprise, without the “h”, the PAN matches the name in the PAN database. This shows that the PAN is valid and active.
Sample PAN card validation
Sample PAN card validation
 
PAN card is active
PAN card is active
 
Screenshot 5: The seller intends this to be proof of access to sensitive documents
Sample sensitive data Sample sensitive dataThis screenshot is notable in that it contains sensitive information such as Phone numbers, Emails, Dates, and other fields which are usually not available on the internet. We verified the phone numbers via Truecaller, and found that most of them belong to the State of Gujarat.

Who is the hacker?

User Handle
bassterlord
Forum joining date
13th May 2019
Points
14
Language
Russian
 
Hacker's profile
Hacker’s profile
The hacker’s reputation on the forum:
The hacker has 14 points on the forum. And the user history shows that no other forum user has raised complaints against the hacker. Despite being on the forum for less than 1 year, the user’s history indicates that the hacker is a trusted member of the forum.
The hacker’s history of selling RDP access 
The user has a history of selling RDP access, to other crucial systems, on the same forum. For example: on 23rd March 2020, on a different thread, the user was selling RDP access of corporations. Given the hacker’s history of selling RDP access, without any complaints from other users, it is likely that he sells legitimate credentials.
Selling RDP access to corporations
Selling RDP access to corporations
 
The seller has stopped selling access to the Tax office
Since the post on the forum is now public, the actor has stopped selling access to the Tax office network.
response to researcher
Interactions with the hacker
 

Inference

As per the above analysis, it can be inferred that the forum user got RDP access to the Tax office’s server, by exploiting the recent RDP bugs, via exposed remote desktop credentials, or by brute forcing. The hacker mentions that 4 network devices have been compromised and one screenshot shows shared network drives. So, it is possible that the hacker performed lateral movement to compromise other systems in the network.
Perform forensic analysis to verify the seller’s claims
  • Check if the Windows server screenshots shared above, actually belong to an Indian State’s Tax Office’s systems.
  • Since much of the data is linked to Gujarat, the search can focus on State Tax offices in the state.
  • Perform an audit check and forensic analysis on the systems, on and before the date the details were posted – 26th March 2020 – to check for suspicious RDP logins and exploitation attempts via logs.
  • Perform an audit check and forensic analysis on the systems, after the date the details were posted – 26th March 2020 – to check for data exfiltration.
  • Tighten the RDP access and restrict the access from public networks.

Get Global Threat Intelligence on Real Time

Protect your business from cyber threats with real-time global threat intelligence data.. 30-day free and No Commitment Trial.
Schedule a Demo
Real time Threat Intelligence Data
More information and context about Underground Chatter
On-Demand Research Services
Dashboard mockup
Global Threat Intelligence Feed

Protect and proceed with Actionable Intelligence

The Global Cyber Threat Intelligence Feed is an innovative platform that gathers information from various sources to help businesses and organizations stay ahead of potential cyber-attacks. This feed provides real-time updates on cyber threats, including malware, phishing scams, and other forms of cybercrime.
Trusted by 400+ Top organisations