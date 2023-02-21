Mumbai: Shadow Hacker – the hacker who allegedly breached the RailYatri server – said on Monday that the motive behind the operation was “political” and “it was a direct order from our government.”

RailYatri is an app authorised by the Indian Railway Catering and Tourism Corporation (IRCTC). It lets users book tickets, check their PNR status and view other information related to train travel in India.

In an exclusive interview with HT, Shadow Hacker said, “I am an operator in a government, I would like to keep more info for myself. I work for political reasons, nothing for money. Though I get paid, however, politics is the main push. It was not for personal use. We don’t have a big social media presence as our attacks are stealthy and under the table (sic).”

Apart from claiming to work for a government, Shadow Hacker went on to make several explosive claims. He said that 40% of their hacking was possible due to insider threats and that log-in credentials were bought from Indian employees for as little as $400.

On Monday, HT reported that over 3.1 crore data points, which include names, email IDs, mobile numbers and locations of RailYatri users, were put up for sale on Breached Forums – an online forum used by hackers to trade stolen data.

On Sunday, HT got in touch with Unit82, the hacker who had shared the post on Breached Forums and was subsequently directed to an entity using the display name ‘Shadow Hacker’.

Shadow Hacker referred to Unit82 as their partner and part of the team.

“One of my best teammates, a specialist in social engineering and leaking company databases, with over 10 years in this field. We have been active for more than 10 years, but we first appeared in the market in 2022,” Shadow Hacker said to HT.

He said that the leaked data was obtained through a concerted phishing campaign targeting the internal employees of RailYatri.

“We did a phishing campaign on all employees and managed to penetrate a system, escalated into the whole network. The initial access was via a phishing email. We gathered hundreds of employees and got access, after which we got their cookies from their browsers. It had an endpoint where the data was stored,” the hacker said, adding that he would not be revealing anything more about the attack.
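The attack chain described above (phish an employee, lift the session cookies from the browser, replay them against an internal endpoint) leaves a characteristic trace: one session cookie appearing from two different client fingerprints within a short time. The following Python is an added detection example written for this article; it is not RailYatri's or the hacker's code, and the access-log format and the log lines themselves are constructed for illustration.

```python
"""Flag session cookies replayed from a second client fingerprint.

Added example, not code from the original article. The log format
(timestamp, source IP, session id, User-Agent, path) is an assumed one;
the sample lines below are constructed and do not come from any real system.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample access log: a legitimate employee session on the
# corporate network, then the same cookie replayed from an external IP
# with scripting tooling twelve minutes later. (Not real data.)
SAMPLE_LOG = """\
2023-02-19T09:00:01Z 10.0.4.17 sess=a1b2c3 ua="Mozilla/5.0 (Windows NT 10.0) Chrome/110" path=/admin/export
2023-02-19T09:00:42Z 10.0.4.17 sess=a1b2c3 ua="Mozilla/5.0 (Windows NT 10.0) Chrome/110" path=/admin/users
2023-02-19T09:12:05Z 198.51.100.23 sess=a1b2c3 ua="python-requests/2.28" path=/admin/export
2023-02-19T09:13:11Z 198.51.100.23 sess=a1b2c3 ua="python-requests/2.28" path=/admin/export?page=2
2023-02-19T09:30:00Z 10.0.9.8 sess=d4e5f6 ua="Mozilla/5.0 (Macintosh) Safari/16" path=/dashboard
"""

LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<ip>\S+) sess=(?P<sess>\S+) ua="(?P<ua>[^"]*)" path=(?P<path>\S+)$'
)


def parse_line(line):
    """Parse one assumed-format log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return rec


def find_session_replays(lines, window=timedelta(hours=1)):
    """Return one alert per session whose cookie was used from a second
    client fingerprint (source IP + User-Agent) within `window` of its
    first use. A user rarely changes both IP and browser mid-session;
    a cookie copied out of a browser profile and replayed from an
    attacker's machine does exactly that.
    """
    by_session = defaultdict(list)  # session id -> [(ts, fingerprint, path)]
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue
        by_session[rec["sess"]].append((rec["ts"], (rec["ip"], rec["ua"]), rec["path"]))

    alerts = []
    for sess, events in by_session.items():
        events.sort()
        first_ts, first_fp, _ = events[0]
        for ts, fp, path in events[1:]:
            if fp != first_fp and ts - first_ts <= window:
                alerts.append({
                    "session": sess,
                    "original": first_fp,
                    "replayed_from": fp,
                    "path": path,
                    "at": ts,
                })
                break  # one alert per session is enough for triage
    return alerts


if __name__ == "__main__":
    for a in find_session_replays(SAMPLE_LOG.splitlines()):
        print(f"session {a['session']} first seen from {a['original']}, "
              f"replayed from {a['replayed_from']} at {a['at'].isoformat()} hitting {a['path']}")
```

The fingerprint here is deliberately coarse (IP plus User-Agent); in production you would also key on the authenticated user and tune the window to your session lifetime, and the durable fix is to make stolen cookies worthless by keeping sessions short-lived and re-prompting for MFA on sensitive endpoints rather than relying on detection alone.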

He went on to claim that getting access from Indian employees was a very easy task for them.

“We gain 40% of access via employees. We pay them about $400 and they give us access. Believe it (sic),” he said, adding, “Expect anytime attacks (sic).”

Shadow Hacker, however, refused to answer questions about their nationality. While Unit82’s location in their bio says Israel and some of their messages were in Hebrew, Shadow Hacker remained non-committal about this.

‘Ready to share data for free’

A day after offering to sell the RailYatri data for $300, Unit82 on Monday morning contacted HT saying that they were making the data available for free and that they named the price ‘for fun’. While Unit82 has deleted all their previous messages from the Telegram conversation, HT has screenshots of the same.

In two messages in Hebrew sent on Monday, Unit82 said, “We do it for the good and not for the money. All these things are just to increase the confidence of various governments by exposing the facts.”

