Singapore and Tokyo based cybersecurity startup Cyfirma has evidence of malicious activities targeting Indian assets in the dark web -- defined as an encrypted subnetwork of the world wide web not indexed by any search engines to host illegal activities and conversations -- by a Pakistan-based hacking network called ‘IOK
In a report, which has been reviewed by TechCircle, Cyfirma claimed that its researchers witnessed increased activity in the hackers’ dark web communities on April 19, discussing plans to hack into a few large Indian companies who have made significant donations to PM CARES (Citizen Assistance and Relief in Emergency Situations), a fund set up by prime minister Narendra Modi to combat the Covid-19 pandemic.
The targeted companies identified from the hackers’ conversations included Adani, Tata Sons, JSW Group, Larsen and Toubro, ITC, Reliance, HUL, Paytm, LIC, HDFC and SBI.
“The data with the ministry is what they are targeting. PM Cares fund has attracted a lot of donations from Indian corporates. We noticed handlers in the UK and Pak saying we have a go ahead from our commander to attack Indian companies. Handlers claim that they have done their homework and are ready to launch an attack. Hackers don’t do so much reconnaissance usually,” Cyfirma founder and CEO Kumar Ritesh told TechCircle.
On April 23, the company ran into a second trend where the hackers’ discussion took on another strain -- data exfiltration, a tactic hackers usually resort to for reputational damages. The discussion drifted to Indian research on Covid-19 and had mentions of ICMR. “They seem to have found out a vulnerability in the web servers to launch an attack,” Ritesh said.
The campaign is believed to be fuelled by a state-sponsored hacker group called ‘IOK
The group conducted its conversations in Urdu. The objective of this cyberattack campaign, Cyfirma claims, is to deface websites, exfiltrate databases, and cause disruption to Indian society and businesses.
The company also claims to have analysed the hackers’ statements and correlated them against the IP addresses to confirm the attack mechanism and targets. In their attempts to hide their tracks, the hackers created a lookalike Onion URL which, on the surface, seems to point to a well-known hackers’ forum called ‘TORUM’.
A web search showed that Torum is a dark web forum to discuss cybersecurity crime tactics which has been in operation since May 2017.
The second layer of attack, Cyfirma’s researchers allege, involves taking down the Ministry of Health (MoHFW) website, which is publishing the latest data on Covid-19 patients. They want to inflate the number of cases with false data to trigger panic in India, the Cyfirma report added.
Ritesh pointed out that the attack is purely aimed at reputational damage and civic disruption and shows no intentions for money siphoning which is why it cannot confine to a specific timeline.
Cyfirma added that the company has already alerted the CERT-in (Indian Computer Emergency Response Team) and has received responses from MEITY’s nodal agency responsible for cyber security saying that the report will be reviewed and appropriate actions will be taken.
Cyfirma, a threat discovery and cyber intelligence company, powered by cloud-based AI and ML predictive analytics, has its headquarters in Singapore and Japan and was founded by Ritesh, a veteran intelligence officer who has formerly led the cyber intelligence unit for UK intelligence agencies.
The company raised an undisclosed amount in Series A funding round from Z3Partners, a Mumbai-based early-growth private equity fund in February this year.