The websites of seven of India's embassies apparently were hacked and some data pertaining to Indian citizens leaked online by the attackers claiming responsibility. The hackers say they wanted to call attention to the sites' vulnerabilities.
See Also: Secure Access in a Hybrid IT World
Indian embassies in South Africa, Malawi, Switzerland, Libya, Mali, Romania and Italy apparently were breached, according to The Hacker News, the security research and media outlet that first reported the incidents after it was contacted by hackers going by the handles of Kapustkiy and Kasimierz.
Personal data on Indian citizens living abroad that was breached included names, home addresses, email, passport numbers and phone numbers, The Hacker News reports.
In an email to Information Security Media Group, individuals identifying themselves as the two hackers claim that they first tried to communicate with the website administrators to alert them to security holes, but upon receiving no response, they decided to post some of the data to pastebin.com to create awareness.
That data has since been removed, and all seven websites were functioning as of late Nov. 7 India time. However, a cached version could be found on Google. ISMG was unable to verify the authenticity of the data.
SQL Injection
An individual claiming to be the attacker Kapustkiy told ISMG via email that a simple SQL injection was used to gain access to the data.
The attackers claim to be teenage security researchers and say they were "shocked" that the websites for India's embassies contained vulnerabilities. The individual identifying himself as Kapustkiy told ISMG that the hackers posted the data so that the vulnerabilities would be investigated by the relevant authorities.
No Government Comment Yet
The director general of CERT-In declined to comment on the hacking incidents, saying that this was a matter for the Ministry of External Affairs to investigate. ISMG subsequently reached out to MEA's joint secretary level functionary in charge of technology and security, but did not immediately receive a response.
MEA spokesperson Vikas Swarup was quoted in news reports saying that the MEA was aware of the problem and it was being fixed.
The Hacker News founder and security researcher Mohit Kumar confirmed to ISMG that his research team was able to verify that SQL vulnerabilities existed on the embassy sites.
Security Shortcomings
"More than half of embassy domains are on shared hosting and there is no structured manner of ownership," says Dinesh Bareja, COO at OpenSecurity Alliance. Bareja is also founder of IndiaWatch, which has been researching the information security posture of Indian embassy websites since 2013. It found out through right-to-information requests that most embassy websites are being managed by contractors and security does not seem to be a priority, Bareja says.
"The domain names purchases are done in a piecemeal, commercial manner, and insecure practices in terms of defining ownership leave these sites vulnerable," he says. "The domain name pertaining to an Indian embassy should be considered sovereign property."
There is an ad hoc system in place to run these websites and the domain names are often owned by the contractor, he says. Because of shared hosting, it's easy to spoof the domains and email addresses, he claims.
APT Worries
Security expert and researcher, Balaji Venkateshwar believes that the bigger concern should be that Indian embassies could be vulnerable to advanced persistent threats.
"The APT menace should be the bigger concern and security at foreign offices needs to be heightened," he says. "While we are focusing on physical borders, no one is talking about these porous perimeters online."
The government must learn from the Wikileaks embassy cable leak incident and realize that every communication happening on electronic media is subject to surveillance, Venkateshwar says. "Extraordinary measures need to be put in place to protect embassies, and I am 100 percent confident that embassies don't have the right security posture for a national critical infrastructure," he says. "There is a huge potential here for embarrassing the nation."
Balaji believes one of the issues is the dependence on technology "point-in-time" solutions to solve security problems. "Unfortunately none of these solutions are indigenous and everything may have been compromised down to the hardware layer. Indigenous technology that will enable organizations to detect, respond and remediate such threats are the need of the hour," he says.