Governance & Risk Management , Incident & Breach Response , Privacy

7 Indian Embassy Websites Apparently Breached

Hackers Claim They Wanted to Call Attention to Security Vulnerabilities
7 Indian Embassy Websites Apparently Breached

The websites of seven of India's embassies apparently were hacked and some data pertaining to Indian citizens leaked online by the attackers claiming responsibility. The hackers say they wanted to call attention to the sites' vulnerabilities.

See Also: Privacy & Security: Finding the Balance

Indian embassies in South Africa, Malawi, Switzerland, Libya, Mali, Romania and Italy apparently were breached, according to The Hacker News, the security research and media outlet that first reported the incidents after it was contacted by hackers going by the handles of Kapustkiy and Kasimierz.

Personal data on Indian citizens living abroad that was breached included names, home addresses, email, passport numbers and phone numbers, The Hacker News reports.

In an email to Information Security Media Group, individuals identifying themselves as the two hackers claim that they first tried to communicate with the website administrators to alert them to security holes, but upon receiving no response, they decided to post some of the data to pastebin.com to create awareness.

That data has since been removed, and all seven websites were functioning as of late Nov. 7 India time. However, a cached version could be found on Google. ISMG was unable to verify the authenticity of the data.

SQL Injection

An individual claiming to be the attacker Kapustkiy told ISMG via email that a simple SQL injection was used to gain access to the data.

The attackers claim to be teenage security researchers and say they were "shocked" that the websites for India's embassies contained vulnerabilities. The individual identifying himself as Kapustkiy told ISMG that the hackers posted the data so that the vulnerabilities would be investigated by the relevant authorities.

No Government Comment Yet

The director general of CERT-In declined to comment on the hacking incidents, saying that this was a matter for the Ministry of External Affairs to investigate. ISMG subsequently reached out to MEA's joint secretary level functionary in charge of technology and security, but did not immediately receive a response.

MEA spokesperson Vikas Swarup was quoted in news reports saying that the MEA was aware of the problem and it was being fixed.

The Hacker News founder and security researcher Mohit Kumar confirmed to ISMG that his research team was able to verify that SQL vulnerabilities existed on the embassy sites.

Security Shortcomings

"More than half of embassy domains are on shared hosting and there is no structured manner of ownership," says Dinesh Bareja, COO at OpenSecurity Alliance. Bareja is also founder of IndiaWatch, which has been researching the information security posture of Indian embassy websites since 2013. It found out through right-to-information requests that most embassy websites are being managed by contractors and security does not seem to be a priority, Bareja says.

"The domain names purchases are done in a piecemeal, commercial manner, and insecure practices in terms of defining ownership leave these sites vulnerable," he says. "The domain name pertaining to an Indian embassy should be considered sovereign property."

There is an ad hoc system in place to run these websites and the domain names are often owned by the contractor, he says. Because of shared hosting, it's easy to spoof the domains and email addresses, he claims.

APT Worries

Security expert and researcher, Balaji Venkateshwar believes that the bigger concern should be that Indian embassies could be vulnerable to advanced persistent threats.

"The APT menace should be the bigger concern and security at foreign offices needs to be heightened," he says. "While we are focusing on physical borders, no one is talking about these porous perimeters online."

The government must learn from the Wikileaks embassy cable leak incident and realize that every communication happening on electronic media is subject to surveillance, Venkateshwar says. "Extraordinary measures need to be put in place to protect embassies, and I am 100 percent confident that embassies don't have the right security posture for a national critical infrastructure," he says. "There is a huge potential here for embarrassing the nation."

Balaji believes one of the issues is the dependence on technology "point-in-time" solutions to solve security problems. "Unfortunately none of these solutions are indigenous and everything may have been compromised down to the hardware layer. Indigenous technology that will enable organizations to detect, respond and remediate such threats are the need of the hour," he says.


About the Author

Varun Haran

Varun Haran

Managing Director, Asia & Middle East, ISMG

Haran has been a technology journalist in the Indian market for over six years, covering the enterprise technology segment and specializing in information security. He has driven multiple industry events such as the India Computer Security Conferences (ICSC) and the first edition of the Ground Zero Summit 2013 during his stint at UBM. Prior to joining ISMG, Haran was first a reporter with TechTarget writing for SearchSecurity and SearchCIO; and later, correspondent with InformationWeek, where he covered enterprise technology-related topics for the CIO and IT practitioner.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.in, you agree to our use of cookies.