Category: Adversary Intelligence	Industry: Government	Motivation: Hacktivism	Region: India	Source*: B2

Executive Summary

THREAT	IMPACT	MITIGATION
Credentials and PII of users of Rail Coach Factory, Kapurthala, India were shared. The data shared, though dated between 2008-2010, could still put users at risk. Unencrypted sensitive data of the Rail Coach Factory is available for free.	The sensitive information poses a large-scale risk, leading to exposure of critical government infrastructure. Details of personnel in every department could be misused for corruption in Tender Applications or similar operations.	Monitor user accounts for suspicious transactions. Encrypt the data and credentials present in the databases and server. Ensure user awareness about this data leak.

CloudSEK’s contextual AI digital risk platform XVigil has identified a post on a cybercrime forum where a threat actor has posted the database of Rail Coach Factory, Kapurthala, India for free.  

Analysis and Attribution

Information from the Post

• On 14 June 2022, a threat actor published a post, on a cybercrime forum, sharing the old database of the Rail Coach Factory, Kapurthala, India for free.
• The actor claims that the compromised database includes users’ PII along with plain text passwords and other database names and has been made available to all.

[caption id="attachment_19639" align="alignnone" width="1708"] Threat actor’s post on cybercrime forum[/caption]  

• The actor shared the following information and databases:

PII Shared
User ID User Type Email Address Password User Name Mobile Number

Databases Shared
Civil.mdb	Contacts.mdb	Critical_Item.mdb
deptcd.mdb	log.mdb	news.mdb
nonmovItems.mdb	Noticedb.mdb	pbranch.mdb
Rcftenders.mdb	sales.mdb	sms.mdb
Tenderform.mdb	TendFinal.mdb	users.mdb

The Threat Actor

• Previous posts of the threat actor indicate that they have been actively engaging with the members on the forum by posting accesses and databases. Some of them are sold at a cost, while others are shared for free.
• The threat actor is a hacktivist group, involved in gray hat hacking, and has thousands of followers and collaborators across the globe.
• The group is a coalition of more than 3 organized groups that operate from Europe and America, and they had previously targeted a few Indian entities too.

Source Rating

• The actor, who joined the new cybercrime forum in March 2022, has a high reputation on the forum and a decent number of members on the Telegram channel.

Hence,

• The reliability of the actor can be rated Usually reliable (B).
• The credibility of the advertisement can be rated as Probably true (2).
• Giving overall source credibility of B2.

Impact & Mitigation

Impact

Mitigation

This data leak is a massive risk, leading to the exposure of critical government infrastructure. Unencrypted sensitive data of the Rail Coach factory is available on cybercrime forums for free which can be used for malicious purposes. PII (Personally Identifiable Information) of the employees belonging to Rail Coach Factory can be used to conduct: Social engineering attacks Phishing attacks Identity theft

Monitor user accounts for suspicious transactions, which could indicate possible account takeovers. Encrypt the data and credentials present in the databases and server. Implement a strong password policy and enable MFA (multi-factor authentication) across logins. Ensure user awareness about such data leaks. Patch vulnerable and exploitable endpoints. Real-time monitoring of cybercrime forums for data breaches.

References

• *Intelligence source and information reliability - Wikipedia
• ^#Traffic Light Protocol - Wikipedia

Appendix

[caption id="attachment_19640" align="alignnone" width="1303"] A sample of database posted by TA[/caption]   [caption id="attachment_19641" align="aligncenter" width="1599"] The leaked files[/caption]