No cyber breach in NIC email system, Parliament told
There was no breach in the government’s official email system maintained by the National Informatics Centre (NIC), the Union ministry of electronics and information technology told Parliament last week, in a stand that appeared to contradict several cybersecurity incidents in the past year.
In February, HT reported on a series of phishing mails by attackers who gained access to NIC domain email addresses, triggering multiple advisories by different government IT departments warning officials against opening attachments or links contained within them. HT is aware of at least two people – former defence ministry officials – whose devices were hacked at the time.
“No,” the ministry said in response to a question by a Lok Sabha member who asked to know “whether there was a cyber security breach into the e-mail system of Government maintained by National Informatics Centre (NIC) in the recent past.”
The response, by Union minister of state for the IT ministry Rajeev Chandrashekhar, also added: “The email system is equipped with a defense-in-depth security architecture with a layered security approach. All incoming mails are scanned for the presence of any malware, spam, phishing, spoofing, sender reputation etc. In addition to the above, network level firewall, application level firewall, Intrusion Prevention System etc. are deployed…”
“In order to enhance the security of email accounts, National Informatics Centre (NIC) has implemented geo-fencing. This allows access to the user’s email account only from the country where the user is physically present,” the minister added.
The government also added that it had made multi-factor user authentication “mandatory for email access and is being rolled out for email users to strengthen the email account security”. Multi-factor user authentication refers to a second requirement, usually a one-time password, for someone to access an email service in addition to their password.
Altogether, HT is aware of at least six NIC domain addresses – five with @gov.in addresses and one with @nic.in – which have been used to send out phishing emails, prodding users to download attachments or click on links that could ultimately compromise their devices.
A number of senior government officials, including those from the ministries of defence and external affairs, received these emails, some of the recipients confirmed to HT at the time.
NIC, which runs the official email service for the government, at the time clarified that the compromised emails were blocked immediately and no breach or loss of data was reported.
Experts said the multi-factor authentication in a system such as NIC’s may not make it fool-proof and that the reply does not acknowledge the magnitude of cybersecurity challenges. “NIC.IN domain, like every other email service, uses the SMTP protocol, which does not support 2FA (two-factor authentication), and is a known problem across every other email service. 2FA hence only provides some protection against web logins from automated attacks and does not prevent SMTP access,” said Anand Venkatanarayanan, cybersecurity strategy advisor to DeepStrat.
Such vulnerabilities, he added, “allow compromised credentials (harvested from elsewhere) to send more malware to others, thus creating a chain of compromise, extending to everyone in the NIC domain”.
“At that point in time, it is equivalent to compromising the entire domain, which the reply does not consider.
“This is worrying because defence at depth, layered security etc are not disconnected from human errors and malware writers know how to evade firewalls, bypassing them via human channels,” he said.