As per an article by The Ken, one particular hacker group has managed to compromise Indian government emails, including that of Ajay Prakash Sawhney, the secretary to the Ministry of Electronics and Information Technology (MeitY). This incident happened thrice between 7th-14th July 2021. Many of the recent attacks have been linked to groups like SideCopy, who are believed to have ties to Pakistan.
State-sponsored hacker groups are always on the hunt for various ways to cause havoc amongst geopolitical rivals. Obtaining critical data is the best possible outcome for these hackers, especially when the data belongs to government officials. The Ken has said that they have obtained information from sources “who work closely with the government on matters of cybersecurity”. The Indian government is known to use Zimbra, which is an open-source webmail service. According to the reports, the group downloaded a lot of documents after gaining access to Sawhney’s ‘briefcase’, which is a cloud storage feature in Zimbra.
Compromised Indian government emails – not the first time!
It has been reported that the Ministry of Home Affairs (MHA) has received several hundred phishing emails over the last two months alone. The main target of most of the emails was the MHA’s Indian Cybercrime Coordination Centre, also known as I4C. Almost all the emails came from at least 10-20 compromised government accounts.
After all these phishing attempts, the government did mandate all its functionaries to use Kavach, a 2-factor authentication system in an attempt to safeguard all officials from cyber threats. While the government’s hope for cyber-protection rests on the effectiveness of Kavach, hackers have already managed to breach it. As per the Ken article, normally when Kavach malfunctions, it stops responding to any authentication requests, meaning that officials will be denied access to their emails.
When Kavach fails, authorities are forced to disable it for a few hours before restoring access to the emails. In that brief window of opportunity, the hackers swept through the emails that had already been compromised through phishing and other means. Three massive cyberattacks were reported on the 7th, 9th, and 14th of July, in which the unidentified hacker group got Kavach to malfunction, thus destabilizing the government’s email infrastructure.
This is also not the first time Kavach has been targeted. In one instance, hackers built a fake version of Kavach that included a trojan which stole information and sent it back to the hackers. Sources have informed Ken that there were even “neatly drafted emails” urging recipients to download a fake Kavach app that was hosted on the Google Play store. Although the app has since been removed, the extent of misuse that Kavach has faced is alarming.
The aftermath of hacking Indian government emails
It has been suggested that these are some of the most sophisticated attacks faced by the National Informatics Centre (NIC). The NIC is a body under MeitY which manages the entire IT infrastructure and network of the government. Ken has stated that the impact of the attack is still unknown and can only be determined after serious investigations. The origin of the Kavach breach and the compromise of Sawhney’s email is yet to be determined.
It is also unclear how exactly the hacker group obtained Sawhney’s credentials, but it doesn’t come as a surprise given the massive rise in cyberattacks on Indian government officials. In the last year alone, the number of phishing attacks, in which bad actors use fraudulent methods such as manipulated messages to steal information, has risen, especially those targeting Indian government officials. Many such attacks are known to stem from compromised government emails.
“There was no indication of a breach in the mail service” – the NIC’s response to a questionnaire by the Ken
The NIC has also not responded to Ken’s questions regarding the compromise of Sawhney’s email.