The login credentials and other confidential data of more than 6,000 Indian ISPs, government departments and private businesses were put up for sale on DarkNet, security researchers found. Seqrite Cyber Intelligence Labs and seQtree InfoServices discovered an advertisement on DarkNet allegedly selling access to the servers and database dump of an unspecified "internet registry", the Economic Times first reported.
The researchers identified the affected agency as India's National Internet Registry, the Indian Registry for Internet Names and Numbers (IRINN), which falls under the National Internet Exchange of India (NIXI). The team said the hackers were selling the allegedly stolen data for 15 Bitcoins ($64,557, £48,676) or, for an unspecified amount, offered to take down one of the organisation's entire networks.
The threat actor claimed to have the ability to tamper with the IP allocation pool, which could potentially result in a major outage and a denial-of-service situation for users and organisations. Posing as a potential buyer, the research team contacted the threat actor and received a small sample of the email list from the reportedly compromised database.
"In the sample, the team noticed the email address of a prominent Indian technology firm, and another email address was from the Indian government," Seqrite said in a blog post. "Then the team asked for the complete/extensive email list. Eventually, the actor agreed to share a text file containing the emails of users/organisations affected, allegedly from the compromised database(s). The text file contained a list of approx. 6000 emails."
According to Seqrite, some of the organisations whose services could have been disrupted included the Unique Identification Authority of India (UIDAI), the Reserve Bank of India, the Indian Space Research Organisation (ISRO), various Indian state government portals, telecom giants Idea, Aircel and BSNL, the Bombay Stock Exchange, Mastercard/Visa, the State Bank of India, HDFC, ICICI Prudential Mutual Fund, and companies like Ernst & Young, Flipkart and Zoho.
Seqrite said it had notified the Indian government and the Asia Pacific Network Information Centre and "have got an acknowledgement that the issue has been taken care of".
In a statement to the Economic Times, NIXI described the threat actor's claims as "audacious" and said there was no "serious breach" of its IRINN system since it has a "robust security protocol in place".
"The hacker has no capacity to cause any damage or initiate distributed denial of service to any entity who has been allocated Internet resources through the IRINN System," NIXI said. "There was an attempt to penetrate the system and the hacker was able to collect some basic profile information of the contact persons of some of the affiliates, which was displayed by him on the darknet.
"The existing security protocol of NIXI is robust and capable of countering such attacks. However, following this breach, the security protocol has been further strengthened and a review of the existing infrastructure has also been initiated.
"We assure our affiliates and all concerned that our system is secured and the security protocol in practice is capable of handling such attacks. The claim by the actor on DarkNet is audacious and far from the truth."
IBTimes UK has reached out to Seqrite and the National Internet Exchange of India for comment.