Phishing attack targets officials through rogue mail from govt ID
THE ATTACKS HIGHLIGHT THE CONSTANT THREAT FROM HACKERS, AND THE NEED FOR BETTER AUTHENTICATION PROTOCOLS, EXPERTS SAID
NEW DELHI: A number of senior government officials, including those from the ministries of defence and external affairs, were targeted in a phishing campaign earlier this month, with the attackers using compromised government domain email accounts to launch their hacking attempts, according to government officials and emails seen by HT.
The attacks highlight the constant threat from hackers, and the need for better authentication protocols, experts said. The National Informatics Centre (NIC) issued an alert soon after the attack, although it isn’t clear at this time whether any of the targeted computers were compromised.
The targets were senior officials from at least three internal government mailing lists, according to emails seen by HT. Attached to the mails these officials received were documents that, if opened, would install malware on the targets’ systems, giving the hackers backdoor access and potentially allowing complete surveillance of the targets.
Altogether, two emails were sent from @gov.in and @nic.in email addresses. “In both cases, GOI officials have been targeted through compromised email IDs of NIC (senders’ email domain: @gov.in and @nic.in) to make email users believe that these emails were genuine,” said an alert issued by at least one of the affected ministries. HT has reviewed a copy of the mail warning.
“The phishing emails were sent on February 10 to various officials across the ministries of external affairs and defence and others, with attached documents asking the recipients to click on the files. Soon after, NIC alerted the concerned branches of the potential security breach and notified all officials across ministries of the compromised emails,” said an official, who asked not to be named.
NIC runs the official email service for the government, handing out addresses under the two domain names. Employees and officers of Union and state governments, as well as those in state-owned companies, are eligible for accounts. Obtaining one involves a multilayer verification process that requires approvals by designated NIC authorities attached to the ministries these employees work for or come under. HT could not immediately determine the total number of officials targeted, or whether any computers were successfully breached. NIC, the Indian Computer Emergency Response Team (Cert-in), and the ministry of electronics and information technology (Meity) did not respond to questionnaires seeking details of those targeted, whether any systems were compromised and whether investigations had been launched.
A cybersecurity analyst who has worked with the government on investigating cyber attacks said that such methods have been seen before, in particular during a campaign in 2008-2009. “Dormant accounts of NIC were used to launch attacks against several top government officials at the time,” this person said, asking not to be named. In that campaign, mails from a compromised government domain email address were sent to at least 450 top officials, including accounts used by the then Prime Minister’s Office, the national security adviser, and the external affairs ministry. The analyst quoted above was part of the team that investigated the campaign.
“The latest attack seems very basic, but the attackers might have compromised one account using this technique and then gradually expanded their footprint,” added this person.