Seqrite Cyber Intelligence Labs reports breach at IRINN affecting over 6000 Indian organizations

In what could be the biggest breach affecting Indian organizations, Seqrite Cyber Intelligence Labs along with its partner seQtree Info Services has tracked an advertisement on the Dark Net announcing secret access to the servers and database dump of over 6000 Indian businesses – ISPs, Government and private organisations. The hacker has priced the information at 15 Bitcoins and is offering network take down of affected organizations for an unspecified amount.

Following a detailed investigation, researchers at Seqrite Cyber Intelligence Labs and seQtree InfoServices identified the affected organization as India’s National Internet Registry: IRINN (Indian Registry for Internet Names and Numbers) which comes under National Internet Exchange of India (NIXI). As a precautionary measure, Seqrite Intelligence Labs has reached out to Government authorities and Asia Pacific Network Information Centre (APNIC) with a strong recommendation to alert all potentially affected organisations and urge them to change passwords and get their servers and systems patched with latest updates.

Seqrite Cyber Intelligence Labs is the DarkNet monitoring division of Seqrite, the enterprise security solutions brand of Quick Heal Technologies Limited.

According to the researchers, the seller claims to have the ability to tamper with the IP allocation pool, which could result in a serious outage or Denial of Service (DoS) like condition. This could impact various CDN and hosting providers as well. If the hacker gets an interested buyer, then an attack on the system could disrupt Internet IP allocation and affect Internet services in India. Along with the access, the hacker is also selling credentials, PII and various contractual business documents and claims to have access to a large database of Asia Pacific Network Information Centre (APNIC).

Here is the detailed sequence of events related to this compromise:

  • After noticing the broadcast advertisement, Seqrite and seQtree teams started gathering background research on the actor, but this did not yield any concrete information.
  • Later, it appeared that this actor’s persona was created recently. This is an ongoing trend that the team has noticed with recent data breaches.
  • The team then contacted the actor for further details, posing as an interested buyer. Initially the actor was not willing to disclose the name of the affected Internet Registry; however, he later agreed to share a small sample of the email list from the allegedly compromised database.
  • In the sample, the team noticed the email address of a prominent Indian technology firm and another email address from the Indian government. The team then asked for the complete/extensive email list.
  • Eventually, the actor agreed to share a text file containing the emails of users/organizations affected, allegedly from the compromised database(s). The text file contained a list of approx. 6000 emails.
  • It was observed that some of the most important and high-profile organizations featured in the list. At this point, the team first considered the possibility of the affected organization being India’s National Internet Registry: IRINN (Indian Registry for Internet Names and Numbers) which comes under NIXI.
  • To confirm our suspicion, we probed the actor further. The actor agreed to share screenshots which confirmed our suspicion that the compromise/breach is, unfortunately, true and IRINN is the affected organization.
  • The actor also hinted in the chat that if he doesn’t find any interested buyer, he will consider posting this on Darknet forum(s)/marketplace(s).
  • If the hacker gets an interested buyer, then an attack on the system could disrupt Internet IP allocation and in turn affect Internet services in India.