Ex-defence personnel hit by phishing attack

The devices of multiple former defence personnel may have been compromised in a phishing attack launched through a government domain email address, according to technical evidence accessed by HT and disclosures by some of the victims, the latest in a string of attacks that have exploited privileged @gov.in and @nic.in email addresses.

The new attack, which was through an email from an @gov.in address sent on Thursday afternoon, targeted a group of 43 former officers of the army, navy and air force who were part of the 56th course of the National Defence Academy. The sender lured some of them into clicking on a purported invitation for a dinner, which led to a set of malware.

“Some 15-20 people said in our WhatsApp group that they had clicked on the link and were honest about it,” said one of the 43 people, who asked not to be named. Two other persons who clicked on the links themselves told HT that they had, and found suspicious files being downloaded.

HT reported on Thursday that at least two government ministries — external affairs and defence — have sent out alerts this month to their employees, warning about the use of two specific email addresses that belong to the official nic.in and gov.in domains run by the National Informatics Centre (NIC). NIC runs the official email service, handing out accounts to departments, ministries and public sector units run by state and central governments.

Also read: US still unraveling 'sophisticated' hack of 9 government agencies

The people targeted on Thursday said they were not sure how their details may have leaked. One of the people HT spoke to said the 56th course alumni included some people who were also in senior positions in private companies. The three services chiefs, general MM Naravane, admiral Karambir Singh and air chief marshal Rakesh Kumar Singh Bhadauria too belong to the same NDA batch, although their email addresses were not among those targeted.

If accessed through a mobile phone, the link that was sent in the latest attempt prompts users to install a malware disguised as an app for armed forces personnel. In the background, the programme links up with a ‘command and control’ server, and begins uploading any data — photos, documents, audio and video files — stored on the device.

“It also sends WhatsApp files and documents and activates the microphone, records calls and uploads those as well as calls logs,” said Yash Kadakia, the founder of Security Brigade, after he and his team analysed the link and the malware at HT’s request. Kadakia said the malware appeared to only target Android phones, although another set of engineers HT reached out to said people who visited the link using a desktop computer too would be compromised, with anything they type being recorded.

“This malware appears to be new and tailor-made for targets who are associated with the Indian military. None of the commercially available anti-malware products appears to flag it as yet,” Kadakia said, explaining that this was likely to be the first time this hacking tool was spotted in the wild.

On Friday, a government official who asked not to be named said a third alert has been issued about a separate compromised @gov.in email address. It is not yet clear how these email addresses have been breached, and how many more there may be. Altogether, HT is aware of four NIC domain addresses – three with @gov.in suffixes and the fourth an @nic.in one – which are not being disclosed in order to protect any investigations there may be.

When contacted by HT, NIC said phishing attacks “originate from spoofed or compromised accounts,” without responding directly to the specific cases. “State-of-the-art Security controls and measures are deployed to detect and mitigate phishing attacks at NIC. Additional measures such as mandatory multifactor authentication are being deployed to mitigate unauthorised access to user email,” it said in a statement.

“Security measures for authentication of senders to avoid spoofing and to block malicious emails are deployed as per global best practices in NIC / government networks,” it said, adding that security measures “are continuously reviewed and steps are taken to mitigate emerging cyber-attacks”.

The Indian Computer Emergency Response Team (Cert-IN), which investigates incidents of cyber breaches, did not respond to requests for a comment.

Two senior officials involved with the country’s cyber security said such attacks are not new or uncommon. “No government data has been compromised since sensitive systems are sequestered,” said one of these officials.

The second person added that these incidents are the result of poor cyber hygiene and people fall victims to such methods the world over.

The use of compromised government domain accounts also offers hackers the ability to appear more authentic to their targets and bypass system filters that typically divert suspicious emails to junk folders or label them as risky.

“Any attack impersonating a government official is worrying. There is a greater chance that someone will click on a link that looks like it came from an official, increasing the likelihood of such campaigns being successful,” said Gunjan Chawla, programme manager, technology and national security, at Centre for Communication Governance, National Law University Delhi. “Such attacks also risk undermining trust in government’s digital infrastructure,” she added.