- India’s NCIIPC was found to be plagued by numerous vulnerabilities by white-hat hackers.
- The group broke into NCIIPC’s server and accessed very sensitive information about citizens and government projects.
- Even though more than two weeks have passed since the findings were reported to the NCIIPC, no flaws have been fixed.
India’s National Critical Infrastructure Information Protection Centre (NCIIPC) has had one of its main servers accessed by the white-hat hacking collective known as ‘Sakura Samurai.’ The group didn’t attempt to inform the agency directly, fearing that their intentions might be misjudged, and so they reported their findings to the US Department of Defense Cyber Crime Center, which had a direct channel of communication with the NCIIPC. Eventually, the 34-page threat report compiled by the researchers reached NCIIPC on February 8, 2020, four days after the hack.
To this day, there have been no official announcements by NCIIPC to explain what remedial actions have been taken or what breach notification processes they followed or plan to follow. According to the ‘Sakura Samurai’ Twitter handle, nearly all of the critical vulnerabilities they found and exploited remain unpatched, even though more than two weeks have passed since NCIIPC was informed about them with full technical details and a comprehensive advisory on how to mitigate or address them.
The flaws found and the data accessed by the white-hat hackers include the following:
- 35 Separate Instances of Exposed Credential Pairs (Servers, Important Applications, etc.)
- 3 Instances of Sensitive File Disclosure
- 5 Exposed private-key pairs for servers
- 13K+ PII Records [and those are only the records that we were inadvertently exposed to]
- Dozens of Exposed Sensitive Police Reports
- Session Hijacking Chained via Multiple Vulnerabilities, resulting in the compromise of extremely sensitive government systems
- Remote Code Execution on a sensitive financial server; a server that contained large backups of Financial Records
The above details make it clear that the compromised server held very sensitive data, both on people and on entities, but also on government projects and operations that are meant to be kept out of the public sphere. Understandably, remote code execution flaws take some time to fix, as this often involves an upgrade process covering a large number of computers. However, resetting exposed credentials and circulating notices of a breach are matters that can be resolved quickly, yet they still haven't been.
Considering how sophisticated state-supported actors move against critical targets, one cannot afford to rely on indirect notices and then spend entire weeks just to plug a few obvious security holes. Especially now that the details about this otherwise well-intended breach are out, there’s no time to waste for the NCIIPC agents.
For exposed government employees and Indian citizens, let this be your unofficial notice and the tinder to light up your vigilance against scammers and crooks of all types. We don't know whether anyone other than 'Sakura Samurai' accessed the server, but we have contacted the team directly to ask whether they saw any evidence of that, and we will update this piece accordingly.
UPDATE 23 Feb:
When asked for comment, Jackson Henry, Robert Willis, Aubrey Cottle and John Jackson of the 'Sakura Samurai' team told us:
While we can't identify specific instances of threat actor exploitation [mostly because we aren't going to perform forensics and look for exfiltration], it's safe to assume that the Indian government is probably actively being exploited by threat actors, based on some of the ease of exploitation of various attack vectors that we identified across multiple servers & applications. Being that China is a well-known enemy of India, and China has a prominent APT stance, we wouldn't doubt that India is being exploited. We had mentioned that to the NSCS, and that's why I noted a sense of urgency.