Two security companies, Seqrite’s Cyber Intelligence Labs and seQtree InfoServices, noticed an advertisement on a darknet forum for access to a database (a dump, not live access) belonging to India’s National Internet Registry. The data breach affected more than 6,000 internet service providers, government entities, and private companies. As of now, no damage appears to have resulted from the incident.
Teams from seQtree and Seqrite immediately tracked down what information they could about the threat actor’s background and found nothing of note: the persona, they announced, had been created recently. Seqrite noted that threat actors commonly use newly created identities when selling breached data.
India’s National Internet Registry, IRINN (the Indian Registry for Internet Names and Numbers), is responsible for “coordinating IP Address allocation with other Internet resource management function at national level in the country.” The vendor actually chose not to name the internet registry he had breached; seQtree and Seqrite identified it from information in a small “sample list” of email addresses.
The advertisement on a darknet forum:
“As mentioned in the title, selling database of one of the biggest Internet Protocol controller.
In client Database you can get username, email ids, passwords, organisation name, invoices/billing documents, and a few more important fields. You can also control the IP range of the respective organisation. You can entirely shut down that organisation.
Selling it for 15 BTC”
In the sample list that the teams talked the vendor into sharing, they noticed email addresses belonging to an Indian technology company and at least one email address from the Indian government. So they pushed the vendor for more information, and in return the unidentified seller shared a text file with roughly 6,000 email addresses from the organisations affected by the breach.
In addition to having access to the IRINN and APNIC databases, the hacker can access documents uploaded by IRINN users. Screenshots provided by the hacker showed that he can view login details. Most seriously, the access obtained likely extends to IP/ASN allocation: whoever controls an organisation’s registry records can alter or revoke its address assignments. The potential fallout from this breach could be massive.
Affected organisations include the Unique Identification Authority of India, the Defence Research and Development Organisation, Idea Telecom, Mastercard/Visa, and State Bank of India, among many others. The teams reached out to IRINN, which acknowledged the breach but has not yet issued a public notice.