For state-sponsored hacker groups, few scalps are as prized as top government officials of geopolitical rivals. Earlier this month, one hacker group caught the proverbial white whale. The Ken has learned that between 7 and 14 July, the group managed to compromise the email of Ajay Prakash Sawhney, the secretary of the Ministry of Electronics and Information Technology (MeitY).
According to sources who work closely with the government on matters of cybersecurity, the group proceeded to access and download documents from Sawhney’s ‘briefcase’—a cloud storage feature within Zimbra, the open source web mail service used by the government of India.
It appears hackers already had Sawhney’s email credentials. While it is unclear how they managed this, it shouldn’t come as a surprise. Over the past year, there has been an uptick in the number of phishing attacks—where bad actors use fraudulent or manipulated messages to steal information—on Indian government officials. In some cases, hackers cast a wide net hoping to compromise whoever they can. In other cases, hackers have used messages tailor-made to ensnare particular officials.
Many of these attacks stem from compromised government email handles. According to sources, the Ministry of Home Affairs (MHA) alone received several hundred phishing mails over the last two months. MHA’s Indian Cybercrime Coordination Centre, or I4C, was specifically targeted. Officials identified at least 10-20 government accounts which were used for phishing. The Ken has accessed multiple phishing mails originating from government email accounts.
This hasn’t gone unnoticed. Earlier this year, the government mandated that all its functionaries use a two-factor authentication (2FA) system, Kavach (Hindi for shield), to secure their email. But even as the Indian government pinned its cybersecurity hopes on Kavach, hackers have already managed to use it to wreak havoc.
The infiltration of Sawhney’s email came on the back of three massive cyberattacks—on 7, 9, and 14 July. In each instance, the unidentified hacker group destabilised the government’s email infrastructure, causing Kavach to malfunction.
When Kavach malfunctions, it stops responding to authentication requests, meaning users can’t access their email. Authorities had little choice but to disable Kavach for a few hours in order to restore email access. In this window, the hackers set to work sweeping through the email inboxes of accounts they had already compromised through phishing or other means.
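The trade-off in the paragraph above is a classic fail-open versus fail-closed decision: once the second factor is switched off, a phished password alone is enough. The model below is an added illustration written for this piece, not code from NIC, Zimbra or Kavach; the service and gate classes, the user names and the audit reason strings are all constructed.

```python
"""Model of an MFA gate whose second-factor (OTP) service can go down.

Constructed example: contrasts 'switch 2FA off during the outage'
(fail-open) with a fail-closed policy, and shows the audit trail a
defender needs to find accounts accessed without a second factor.
"""
from dataclasses import dataclass, field


@dataclass
class OtpService:
    healthy: bool = True
    valid_codes: dict = field(default_factory=dict)  # user -> current code

    def verify(self, user, code):
        if not self.healthy:
            # Mirrors the outage: the service simply stops answering.
            raise TimeoutError("second-factor service not responding")
        return self.valid_codes.get(user) == code


@dataclass
class MailGate:
    otp: OtpService
    passwords: dict                   # user -> password (already phished)
    fail_open: bool = False           # True reproduces "2FA switched off"
    audit: list = field(default_factory=list)  # (user, decision, reason)

    def login(self, user, password, code):
        if self.passwords.get(user) != password:
            self.audit.append((user, "deny", "bad-password"))
            return False
        try:
            ok = self.otp.verify(user, code)
        except TimeoutError:
            if self.fail_open:
                # Password alone now grants access: the attacker's window.
                self.audit.append((user, "allow", "2fa-bypassed-outage"))
                return True
            self.audit.append((user, "deny", "2fa-unavailable"))
            return False
        self.audit.append((user, "allow" if ok else "deny", "2fa"))
        return ok


def sessions_without_second_factor(audit):
    """Accounts granted access with no second factor; review these first."""
    return sorted({u for u, d, r in audit if d == "allow" and r != "2fa"})
```

A fail-closed gate denies the phished-password login during the outage, so the stolen credential buys nothing until the OTP service is back; the audit filter then tells responders which accounts need a credential reset and inbox review.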
It is believed that they also used 500 inactive accounts which they had already compromised to send phishing emails to a further 1,000 accounts each, a source told The Ken.
According to multiple sources, these are some of the most sophisticated attacks the National Informatics Centre (NIC)—which manages the entire network and IT infrastructure of the government—has ever faced. Shutting down Kavach servers on three separate occasions means hackers found three different vulnerabilities serious enough for it to be taken offline for a few hours.