India’s IT Protection Centre Compromised by ‘Sakura Samurai’ Hackers

Last updated September 23, 2021
Written by:
Bill Toulas
Bill Toulas
Infosec Writer
Source: Sakura Samurai

India’s National Critical Infrastructure Information Protection Centre (NCIIPC) has had one of its main servers accessed by the white-hacking collective known as ‘Sakura Samurai.’ The group didn’t attempt to inform the agency directly, fearing that their intentions may be misjudged, and so they reported their findings to the US Department of Defense Cyber Crime Center, which had a direct channel of communication with the NCIIPC. Eventually, the 34-page threat report compiled by the researchers reached NCIIPC on February 8, 2020, four days after the hack.

To this day, there have been no official announcements by NCIIPC to explain what remedial actions have been taken or what breach notification processes they followed or plan to follow. According to the ‘Sakura Samurai’ Twitter handle, nearly all of the critical vulnerabilities they found and exploited remain unpatched, even though more than two weeks have passed since NCIIPC was informed about them with full technical details and a comprehensive advisory on how to mitigate or address them.

https://twitter.com/LulzKart/status/1363239042020757507

The flaws found and the data accessed by the while-hat hackers include the following:

The above details make it clear that the compromised server held very sensitive data, both on people and on entities, but also on government projects and operations that are meant to be kept out of the public sphere. Understandably, remote execution flaws take some time to fix as this often involves an upgrading process covering a large number of computers. However, resetting exposed credentials and circulating notices of a breach are matters that can be resolved quickly, but they still aren't.

Considering how sophisticated state-supported actors move against critical targets, one cannot afford to rely on indirect notices and then spend entire weeks just to plug a few obvious security holes. Especially now that the details about this otherwise well-intended breach are out, there’s no time to waste for the NCIIPC agents.

For exposed government employees and Indian citizens, let this be your unofficial notice and the tinder to light up your vigilance against scammers and crooks of all types. We don't know if anyone else other than 'Sakura Samurai' accessed the server, but we have contacted the team directly to question the presence of any evidence of that, so we will update this piece accordingly.

UPDATE 23 Feb:

When asked for comment, Jackson Henry, Robert Willis, Aubrey Cottle and John Jackson of the 'Sakura Samurai' team told us:

WHILE WE CAN'T IDENTIFY SPECIFIC INSTANCES OF THREAT ACTOR EXPLOITATION [MOSTLY BECAUSE WE AREN'T GOING TO PERFORM FORENSICS AND LOOK FOR EXFILTRATION] IT'S SAFE TO ASSUME THAT THE INDIAN GOVERNMENT IS PROBABLY ACTIVELY BEING EXPLOITED BY THREAT ACTORS BASED ON SOME OF THE EASE OF EXPLOITATION OF VARIOUS ATTACK VECTORS THAT WE IDENTIFIED ACROSS MULTIPLE SERVERS & APPLICATIONS. BEING THAT CHINA IS WELL-KNOWN ENEMY OF INDIA, AND CHINA HAS A PROMINENT APT STANCE, WE WOULDN'T DOUBT THAT INDIA IS BEING EXPLOITED. WE HAD MENTIONED THAT TO THE NSCS, AND THAT'S WHY I NOTED A SENSE OF URGENCY.



For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: