The Hacking of NIC Servers/Computers of MeitY, Govt. of India - The Case Study (E-Mail Spoofing & Phishing Attack)
The Cyber Attack: Use of E-Mail Spoofing and Phishing Techniques
Recently there was news that a major security breach was recorded at the National Informatics Centre (NIC), Delhi, which manages the security of the country's critical cyber infrastructure and the Ministry of Electronics and Information Technology (MeitY). According to police sources, over 100 computers containing important data related to national security and VVIPs were compromised following the security breach. The NIC falls under the MeitY; it manages the information and communications technology (ICT) for the government, implements the national and state level e-governance projects, offers consultancy services to various government departments, and conducts development, research and capacity building. (Source: https://thelogicalindian.com/technology/security-of-government-computers-breached-23816)
Cyber attacks exploiting network vulnerabilities are no new phenomenon in the cyber world. The entire globe is now largely dependent on the Internet and digital platforms for activities such as internet banking, e-commerce, education and social networking (Facebook, WhatsApp, Twitter etc.), which save time, money and resources.
However, in the post-COVID era, most government organisations across the world are using digital platforms such as e-offices, e-meetings and e-transactions (salary, vendor payments etc.). When the Internet is used as a platform, security measures such as firewalls, Secure Sockets Layer (SSL), proxy servers etc. are frequently used by organisations to assure safe communication and networking. However, the basic vulnerability of this infrastructure is that the intranet (the internal network of the organisation) is connected with users, officials etc. through the Internet. Therefore, any hacker or attacker can try to communicate with the internal network of the organisation by means of deception and gain access to computer resources/data.
There are instances when we send/receive e-mails to/from different domains outside our organisation. Fraudsters and hackers exploit this as a potential vulnerability in the system, using phishing e-mails to lure people into divulging information or clicking a particular link. This helps attackers gain system access or compromise the computer system, causing loss of data, or obtain sensitive information from a company/organisation, which may be corporate or government.
The techniques/modus operandi used in these types of attacks mainly comprise e-mail spoofing, phishing attacks, or both. Let's first discuss these two types of attacks:
1. Spoofing: Spoofing is a broad term for the type of cyber attack in which a cyber criminal masquerades (or pretends) as a trusted user or device to fool the target person or company staffer into providing information that is beneficial to the hacker and detrimental to the target.
2. Phishing Attack: Phishing is a type of social engineering attack often used to steal user data, including login credentials, credit card numbers and sensitive defense or national security related information, by masquerading as a trusted entity. This is done by tricking the target person into opening an email, instant message or text message. The e-mail/text message used is mostly a spoofed one, giving the target person the impression that it comes from a trusted source/person and is legitimate in nature.
Case Study:
(I) A spoofed e-mail such as the following may be sent to employees of an organisation (corporate or government) to make them reveal personal information such as social networking site IDs, from which further information can be gained and user profiling of the person can be done to predict the person's interests/behaviour and association with other potential targets:
Analysis: As can be seen, the sender pretends to send the mail from the Cyber and Data Security (CDS) Division, but the e-mail ID is actually from the wrong domain. Further, the sender has provided the actual link to the CERT-IN website so that if the target employee clicks it, he reaches the actual website and is assured that it is a legitimate mail coming from a legitimate sender/department.
(II) A spoofed e-mail such as the following could be sent to employees of an organisation (corporate or government) to get them to click on or open a malicious attachment containing a virus, trojan etc., which may then be installed on the target employee's computer so that information can be gained or important data compromised or deleted:
Please pay attention to the following guidelines/points when evaluating an email to determine if it is a phishing scam. Generic greetings, typos and poor grammar are good but not foolproof indicators of fraud. Other indicators include:
Example: "RAKESH JAIN <example@gmail.com>"
✓ PORTIONS OF THE EMAIL ARE IN CAPITAL LETTERS.
✓ There are threats, dire warnings and time constraints.
Example: "Your account will be blocked if you do not click the link below in the next 48 hours."
✓ The email is signed with a generic closing.
Example: "Admin Team, HelpDesk, Customer Support"
✓ The sender's email address doesn't match the domain or organization the email purports to be from.
Example: "From: CERT-IN Admin Team <example@gamil.com>"
✓ Immature requests from a large, legitimate organization - such an organization would not ask you to help rebuild or confirm its database of customers.
✓ Mismatched links in the email.
✓ Contact from a group that doesn't actually exist at the organization, for example if IT support related emails come from 'IT Support' but you receive a request from 'HelpDesk'.
✓ Direct request for a username and password.
✓ A link in the email appears to point to a legitimate site but, when hovered over or clicked, brings you to a completely different website.
✓ An email from a business or organization that you have no relationship with.
✓ Trust your instincts - If you think something isn't right, do not respond to or perform any action being requested in that email.
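Several of the indicators above (sender domain mismatch, mismatched links, threats with time limits, direct credential requests) can be checked automatically before a message reaches a user. The following is an added example, not code from the original post; the organisation domain cert-in.example, the link host login.example.net, the rule phrases and the function name phishing_indicators are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample; "cert-in.example" and "login.example.net" are placeholder domains.
SAMPLE = '''From: "CERT-IN Admin Team" <example@gamil.com>
Subject: URGENT: verify your account
Content-Type: text/html; charset="utf-8"

<p>Your account will be blocked if you do not click the link below in the
next 48 hours. Confirm your username and password here:
<a href="http://login.example.net/verify">https://www.cert-in.example/</a></p>
'''
# Illustrative wording rules from the checklist, and a simplified <a href> matcher.
TEXT_RULES = {
    "urgency-or-threat": r"\b(urgent|blocked|suspended|next\s+\d+\s+hours)\b",
    "credential-request": r"\b(username|password)\b",
}
ANCHOR = re.compile(r'<a\b[^>]*\bhref\s*=\s*["\']([^"\']+)["\'][^>]*>(.*?)</a>', re.I | re.S)
TAG = re.compile(r"<[^>]+>")

def host(url):
    """Lower-cased hostname of a URL or bare 'www.' style address."""
    return (urlparse(url if "//" in url else "//" + url).hostname or "").lower()

def phishing_indicators(raw, org_domain, org_names):
    """Return the checklist indicators that fire for one raw RFC 5322 message."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg["From"] or "")
    domain = addr.rpartition("@")[2].lower()
    body = " ".join(part.get_payload(decode=True).decode("utf-8", "replace")
                    for part in msg.walk() if part.get_content_maintype() == "text")
    found = []
    # Display name claims the organisation but the address is in another domain.
    claims_org = any(name.lower() in display.lower() for name in org_names)
    if claims_org and domain != org_domain and not domain.endswith("." + org_domain):
        found.append("sender-domain-mismatch")
    # Visible link text shows one host while the href points to another.
    for href, shown in ANCHOR.findall(body):
        shown = TAG.sub("", shown).strip()
        if re.match(r"(https?://|www\.)", shown, re.I) and host(shown) != host(href):
            found.append("mismatched-link")
            break
    text = TAG.sub(" ", body) + " " + (msg["Subject"] or "")
    found += [name for name, rx in TEXT_RULES.items() if re.search(rx, text, re.I)]
    return found

if __name__ == "__main__":
    print(phishing_indicators(SAMPLE, "cert-in.example", ["CERT-IN"]))
```

A message like the one in case (I), which links only to the genuine site, still fires the sender-domain rule, so a legitimate link in the body is not treated as evidence that the sender is legitimate.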