The telecommunications lifeline of Indian government ministries and departments was reportedly compromised in a breach of its sensitive data in May this year, turning the spotlight on the enormous security risks facing public institutions and on the illegal online marketplaces that facilitate the trade of such data.
As many as 278 GB of Bharat Sanchar Nigam Limited (BSNL) data, including International Mobile Subscriber Identity (IMSI) numbers, SIM card details, Home Location Register (HLR) data, and critical security keys, were put on sale on BreachForums, the notorious data-trading site, on May 29.
The hacker later claimed on the Telegram app that he possessed 4 TB of the leaked data.
In 2020, the central government made it mandatory for all its ministries and departments to utilise the services of BSNL and its subsidiary Mahanagar Telephone Nigam Limited (MTNL).
A review of the sample data and the hacker’s post on BreachForums by India Today’s Open-Source Intelligence (OSINT) team suggests the breach includes call records of users – mainly government employees – such as phone call durations and data usage.
The threat actor, who goes by “kiberphant0m” on BreachForums, said they were willing to sell the data to “anyone”, including “state threat actors” – government-backed groups that primarily target rival nations.
In a report, digital risk management firm Athenian Technology said the data could potentially be misused for SIM cloning and help commit crimes like extortion.
While the compromised data does not directly expose a user’s phone number, it contains a critical identifier, the IMSI, the number by which the mobile network identifies a subscription. A leaked IMSI can be used to track a user’s location, for example with an IMSI catcher, and, combined with the subscriber authentication key that the sample also reportedly contains, to clone the SIM for malicious purposes.
The sample from the main compromised database of 3.5 GB is a snippet of Structured Query Language (SQL), apparently the statements used to create a database table and insert rows into it.
According to the sample, secret values such as PINs and subscriber authentication keys were also part of the leaked data.
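To make concrete why an IMSI by itself neither reveals a phone number nor clones a SIM, while an IMSI together with the subscriber key does, here is an added illustration in Python. It is not code from India Today, BSNL or any researcher cited in this article, and every IMSI and key in it is constructed. It models the GSM-style challenge-response between a network holding HLR records and a SIM; the SIM’s A3 function is replaced by an HMAC stand-in (real SIMs use COMP128 or Milenage), and the 2-digit MNC split is an assumption matching Indian numbering.

```python
"""Why a leaked IMSI alone does not clone a SIM, but IMSI plus Ki does.

Added illustration. All IMSIs and keys below are constructed, not leaked
data. The SIM's A3 algorithm is replaced by an HMAC stand-in (real SIMs
use COMP128 or Milenage); this is an assumption made only to keep the
example self-contained and runnable offline.
"""
import hashlib
import hmac
import secrets

# Constructed HLR extract: IMSI -> 128-bit subscriber key Ki.
# MCC 404 is India; the MNC and MSIN values are fictitious.
HLR = {
    "404990123456789": bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0"),
    "404990123456790": bytes.fromhex("00112233445566778899aabbccddeeff"),
}


def parse_imsi(imsi: str, mnc_len: int = 2) -> dict:
    """Split an IMSI into MCC / MNC / MSIN.

    An IMSI carries no phone number (MSISDN); it reveals only the home
    network and a subscriber index within it. Indian networks use 2-digit
    MNCs, so mnc_len defaults to 2 (assumption; some countries use 3).
    """
    if not (imsi.isdigit() and 6 <= len(imsi) <= 15):
        raise ValueError("IMSI must be 6-15 decimal digits")
    return {"mcc": imsi[:3], "mnc": imsi[3:3 + mnc_len], "msin": imsi[3 + mnc_len:]}


def a3_sres(ki: bytes, rand: bytes) -> bytes:
    """Stand-in for the SIM's A3 function: SRES = f(Ki, RAND), 32 bits."""
    return hmac.new(ki, rand, hashlib.sha256).digest()[:4]


class Network:
    """Serving network holding (a copy of) the HLR records."""

    def __init__(self, hlr: dict):
        self.hlr = hlr

    def challenge(self, imsi: str) -> tuple:
        """Issue a fresh 128-bit RAND and precompute the expected SRES."""
        if imsi not in self.hlr:
            raise KeyError("unknown IMSI")
        rand = secrets.token_bytes(16)
        return rand, a3_sres(self.hlr[imsi], rand)

    @staticmethod
    def verify(expected: bytes, sres: bytes) -> bool:
        return hmac.compare_digest(expected, sres)


class Sim:
    """A SIM, genuine or cloned, is fully defined by its IMSI and Ki."""

    def __init__(self, imsi: str, ki: bytes):
        self.imsi = imsi
        self.ki = ki

    def respond(self, rand: bytes) -> bytes:
        return a3_sres(self.ki, rand)


def attach(network: Network, sim: Sim) -> bool:
    """One authentication round: network sends RAND, SIM answers SRES."""
    rand, expected = network.challenge(sim.imsi)
    return network.verify(expected, sim.respond(rand))


def clone_attempts(hlr: dict, imsi: str) -> dict:
    """Run three SIMs against the network for one IMSI from the HLR dump."""
    network = Network(hlr)
    genuine = Sim(imsi, hlr[imsi])
    imsi_only = Sim(imsi, bytes(16))        # has the IMSI but must guess Ki
    imsi_and_ki = Sim(imsi, hlr[imsi])      # has the IMSI and the leaked Ki
    return {
        "genuine": attach(network, genuine),
        "imsi_only": attach(network, imsi_only),
        "imsi_and_leaked_ki": attach(network, imsi_and_ki),
    }


if __name__ == "__main__":
    print(parse_imsi("404990123456789"))
    print(clone_attempts(HLR, "404990123456789"))
```

The IMSI-only attacker fails every challenge because the network never sends anything derived from Ki over the air; the attacker holding both fields from the HLR dump is indistinguishable from the genuine SIM, which is exactly why the leaked keys matter more than the IMSIs.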
MENACE OF BREACHFORUMS
This leak is one of the many that highlights how BreachForums has become a notorious platform for cybercriminals to distribute, trade, and monetise stolen data.
The platform was set up by 19-year-old Conor Brian Fitzpatrick, known as ‘pompompurin,’ in March 2022. It gained popularity in December that year when a threat actor named ‘USDOD’ claimed to have compromised a database containing the information of over 80,000 members of InfraGard, the FBI’s information-sharing partnership with private-sector critical infrastructure operators.
Fitzpatrick was arrested in New York in March 2023 and later pleaded guilty. Another hacker who calls himself “Baphomet” subsequently claimed ownership of the forum and reopened it with the hacking group known as ‘ShinyHunters.’
Baphomet was also arrested and BreachForums was briefly seized in a multi-nation operation led by the FBI on May 15 this year. However, it soon made a comeback, with the ‘ShinyHunters’ group claiming responsibility for stealing data on over 500 million customers of event ticketing platform Ticketmaster.
Despite repeated seizure attempts by law enforcement, BreachForums continues to operate, with different administrators taking control in turn.
“It is practically impossible to catch every threat actor posting such data on these platforms as their numbers are increasing by the day,” cybersecurity expert Prateek Dubey told India Today.
INDIAN DATA ON TARGET
BreachForums has been a primary destination for Indian data leaks.
In May 2023, hackers demanded a ransom from Rentomojo after accessing customer data. Simultaneously, data from 1.5 million Zivame customers appeared for sale on BreachForums at $500 in cryptocurrency, as reported by India Today earlier.
Recently, Accenture India also faced a breach, with hacker ‘888’ claiming to hold the contact details of 32,826 employees.
Earlier leaks of data belonging to BSNL, CERT-In (the Indian Computer Emergency Response Team), and the Telangana Police’s HawkEye website are among the datasets that have appeared on BreachForums.