| Category:
Adversary Intelligence |
Industry:
Government |
Motivation:
Hacktivism |
Region:
India |
Source*:
B2 |
Executive Summary
| THREAT |
IMPACT |
MITIGATION |
- Credentials and PII of users of Rail Coach Factory, Kapurthala, India were shared.
- The data shared, though dated between 2008-2010, could still put users at risk.
- Unencrypted sensitive data of the Rail Coach Factory is available for free.
|
- The sensitive information poses a large-scale risk, leading to exposure of critical government infrastructure.
- Details of personnel in every department could be misused for corruption in Tender Applications or similar operations.
|
- Monitor user accounts for suspicious transactions.
- Encrypt the data and credentials present in the databases and server.
- Ensure user awareness about this data leak.
|
CloudSEK’s contextual AI digital risk platform
XVigil has identified a post on a cybercrime forum where a threat actor has posted the database of Rail Coach Factory, Kapurthala, India for free.
Analysis and Attribution
Information from the Post
- On 14 June 2022, a threat actor published a post, on a cybercrime forum, sharing the old database of the Rail Coach Factory, Kapurthala, India for free.
- The actor claims that the compromised database includes users’ PII along with plain text passwords and other database names and has been made available to all.
[caption id="attachment_19639" align="alignnone" width="1708"]
Threat actor’s post on cybercrime forum[/caption]
- The actor shared the following information and databases:
| PII Shared |
- User ID
- User Type
- Email Address
- Password
- User Name
- Mobile Number
|
The Threat Actor
- Previous posts of the threat actor indicate that they have been actively engaging with the members on the forum by posting accesses and databases. Some of them are sold at a cost, while others are shared for free.
- The threat actor is a hacktivist group, involved in gray hat hacking, and has thousands of followers and collaborators across the globe.
- The group is a coalition of more than 3 organized groups that operate from Europe and America, and they had previously targeted a few Indian entities too.
Source Rating
- The actor, who joined the new cybercrime forum in March 2022, has a high reputation on the forum and a decent number of members on the Telegram channel.
Hence,
- The reliability of the actor can be rated Usually reliable (B).
- The credibility of the advertisement can be rated as Probably true (2).
- Giving overall source credibility of B2.
Impact & Mitigation
| Impact |
Mitigation |
- This data leak is a massive risk, leading to the exposure of critical government infrastructure.
- Unencrypted sensitive data of the Rail Coach factory is available on cybercrime forums for free which can be used for malicious purposes.
- PII (Personally Identifiable Information) of the employees belonging to Rail Coach Factory can be used to conduct:
- Social engineering attacks
- Phishing attacks
- Identity theft
|
- Monitor user accounts for suspicious transactions, which could indicate possible account takeovers.
- Encrypt the data and credentials present in the databases and server. Implement a strong password policy and enable MFA (multi-factor authentication) across logins.
- Ensure user awareness about such data leaks.
- Patch vulnerable and exploitable endpoints.
- Real-time monitoring of cybercrime forums for data breaches.
|
References
Appendix
[caption id="attachment_19640" align="alignnone" width="1303"]
A sample of database posted by TA[/caption]
[caption id="attachment_19641" align="aligncenter" width="1599"]
The leaked files[/caption]
