Phishing attack targets Indian officials through rogue email from government ID
A number of senior government officials, including those from the ministries of defence and external affairs, were targeted in a phishing campaign earlier this month, with the attackers using compromised government domain email accounts to launch their hacking attempts, according to government officials and emails seen by HT.
The attacks highlight the constant threat from hackers, and the need for better authentication protocols, experts said. The National Informatics Centre (NIC) issued an alert soon after the attack, although it isn’t clear at this time whether any of the targeted computers were compromised.
The targets were senior officials on at least three internal government mailing lists, according to emails seen by HT. Attached to the mails these officials received were documents that, if opened, would install malware on the targets' systems, giving the hackers back-door access and potentially allowing complete surveillance of the targets.
Altogether, two emails were sent from @gov.in and @nic.in email addresses. “In both cases, GoI officials have been targeted through compromised email IDs of NIC (senders’ email domain: @gov.in and @nic.in) to make email users believe that these emails were genuine,” said an alert issued by at least one of the ministries that was affected. HT has reviewed a copy of the mail warning.
“The phishing emails were sent on February 10 to various officials across the ministries of external affairs and defence and others, with attached documents asking the recipients to click on the files. Soon after, NIC alerted the concerned branches of the potential security breach and notified all officials across ministries of the compromised emails,” said an official, who asked not to be named.
NIC runs the official email service for the government, handing out addresses under the two domain names. Employees and officers under Union and state governments, as well as those in state-owned companies, are eligible for accounts. Obtaining one involves a multilayer verification process that requires approvals by designated NIC authorities attached to the ministries these employees work for or come under.
HT could not immediately determine the total number of officials targeted, or whether any computers were successfully breached. NIC, the Indian Computer Emergency Response Team (Cert-IN), and the ministry of electronics and information technology (Meity) did not respond to questionnaires seeking details of those targeted, whether any systems were compromised, and whether investigations had been launched.
A cybersecurity analyst who has worked with the government on investigating cyber attacks said that such methods have been seen in the past, in particular during a campaign in 2008-2009. “Dormant accounts of NIC were used to launch attacks against several top government officials at the time,” this person said, asking not to be named.
At the time, mails from a compromised government domain email address were sent to at least 450 top officials, including to accounts used by the then Prime Minister’s Office, the national security adviser, and the external affairs ministry. The analyst quoted above was part of the team that investigated the campaign.
“The latest attack seems very basic, but the attackers might have compromised one account using this technique and then gradually expanded their footprint,” added this person, after reviewing available details of the attack at HT’s request. Only a technical analysis can reveal who is behind the attack, the person cited above said, since similar methods can be deployed by a wide variety of adversaries.
The campaign in 2008-2009, which lasted till late 2010, was suspected to have been carried out by hackers linked to China.
Such phishing campaigns are not novel, and most organisations now sensitise their employees not to respond to or interact with emails from people they don't know. But using a government domain email address expands an attacker's ability to target a wide range of senior officials, since official email distribution lists often do not accept mails from outside organisations.
“Having access to a privileged email domain is always a great vector from an attacker’s perspective because this way, they are able to reach directly into the inbox of their targets and defeat filters that usually flag suspicious messages. This way, they can also chain attack, compromising one official after the other,” said Yash Kadakia, chief technology officer at Security Brigade, a cybersecurity firm that works with the government.
By using this technique, attackers can reach officials even when they do not know those officials' exact addresses. “It gives the attacker that ability to choose targets based on a particular profile, whose email addresses they may not have. For example, a phishing mail can be targeted to a mailing list used by an operation’s divisions to reach people involved in such roles,” Kadakia said.
“The larger question to ask here is whether the government accounts were protected by two-factor authentication. An OTP (one-time password) for sign-in is one easy way to stop such attacks even if basic login credentials are compromised,” he added.