In the course of a recent phishing attack, several employees of various central ministries received mysterious emails, including one from a government domain email address (nic.in) claiming an “internal hand” in General Bipin Rawat’s death. This is part of a series of phishing attempts against central government officials through compromised government domain email IDs (gov.in and nic.in), which are becoming increasingly targeted and sophisticated, The Indian Express has learnt.
The National Informatics Centre (NIC) runs the official email service, handing out email accounts to departments, ministries and public sector units of the central and state governments.
This latest round of cyber attempts was launched earlier this month following the deaths of Chief of Defence Staff General Bipin Rawat, his wife Madhulika Rawat and 11 others in the crash of an Indian Air Force helicopter near Coonoor in Tamil Nadu on December 8. Group Captain Varun Singh, who was also aboard the helicopter, succumbed to his injuries on December 15.
The phishing email with the subject, “Internal report: Gen Bipin Rawat’s incident-inside job”, reviewed by the Express, was sent to employees of a ministry department from a malicious email ID with the domain name nic.in. It asked the recipients to click a phishing link that purported to be an internal report.
Another cyber attack bid was made through a compromised gov.in email ID targeting central government employees in October, soon after Prime Minister Narendra Modi’s September visit to the United States. This email, also reviewed by the Express, was sent with the subject, “Viral Video PM Narendra Modi slapped in USA Visit”, attempting to lure the recipients into clicking a link to view the so-called video. Soon afterwards, the NIC unit of the ministry concerned issued a security alert, telling users not to open phishing emails from at least five such compromised email IDs or click on their links.
Sources within the NIC and the Union Ministry of Electronics and Information Technology (MeitY) confirmed that the breaches in the servers were “discovered” last year, but insisted that they had now been “fixed” and that the “situation was now under control”.
“The control of a server and mailing capacities went beyond our control sometime last year for a short time but was brought back immediately. It is impossible to gauge if it has been completely fixed. To control all such compromised emails, we will have to do a forensic audit which will require the server to be restarted. A clean slate will take no activities for one week, which is not possible,” a senior ministry official said.
The cyber attempts were first reported earlier this year, in February, when several senior government officials, including from the external affairs and defence ministries, were targeted in a phishing campaign in which the attackers used compromised government domain email IDs (@gov.in and nic.in) to launch their hacking attempts. The two ministries then sent out alerts to their employees, warning about the use of two specific email addresses belonging to the official nic.in and gov.in domains run by the NIC.
One such attack via a compromised @gov.in email address targeted a group of 43 former officers of the army, navy and air force, who were part of the 56th course of the National Defence Academy (NDA), in February. Significantly, this is the same NDA batch to which all the current service chiefs belong. The sender of this phishing email sought to lure the targeted officers into clicking on a purported invitation for a dinner, which would lead to malware.
In another such cyber attack that seemed more sophisticated, an email sent from compromised government accounts targeted groups of officials, attempting to lure them into entering their passwords on a page that mirrored the government’s official mail server sign-on website — an attack that could let the attackers gain access to sensitive credentials and files. The attack prompted the IT department to send out another alert the following day to large groups of officials.
In the wake of a string of targeted phishing attacks on officials via compromised government domain accounts, the NIC said it was planning to bring in security measures including multi-factor authentication for at least 3 lakh officials.
Sources in the NIC said it suspected several such government email addresses to have been sold on the “Dark Web”.
A senior IT ministry official did not rule out the possibility of “nation states” being involved in such targeted attempts. According to the official, an initial internal probe following the breach discovered the role of “specific countries” with capacity to carry out such attacks.
“When such attempts occur, it cannot be done by an individual actor, since it takes a lot of time and effort. Our investigations at this time are not complete yet,” the official said requesting anonymity.
Detailed questionnaires sent to the NIC and MeitY seeking details about these phishing attacks on central officials through compromised government domain IDs, their scale and damages caused by them did not yield any response so far. The NIC and the MeitY also did not respond to specific queries on whether they were aware of such phishing attempts.
“In regular phishing, emails are usually sent without an agenda, whereas in ‘Spear Phishing’, which could be the case here, the mails are more contextual, where the user would be interested and curious to click. Whether the emails are being sent through spoofing servers to mirror the domain name of Government ids or not, there is actually very little that an organisation or the receiving party can do if it is happening from outside the servers…There are technologies and software like antispam etc, that can help mitigate the attack, but the best thing you can do is make sure that the users are completely aware and avoid opening the mails,” said Pankit Desai, CEO and co-founder of cyber security firm Sequretek.
As part of its plan to track and control these phishing attempts, the IT ministry official said, the NIC had taken back administrative controls from nearly all its teams working with different ministries. Any approvals for the creation of new email IDs or any changes to the server are thus now done only at the “headquarters”, the official said.
Earlier this month, Minister of State for IT Rajeev Chandrasekhar had, in a written reply to a question in the Rajya Sabha, said that the Indian Computer Emergency Response Team (Cert-In) observed and reported a total of 11.5 lakh and 12.1 lakh cybersecurity incidents during 2020 and 2021 (up to October) respectively. Of these, 54,314 and 32,736 incidents involved various government organisations in these two years, respectively.
To counter it, the Centre has also formulated a “Cyber Crisis Management Plan”, the Minister had then told the Upper House, adding that in case of any cybersecurity-related incident, the plan is used for “countering cyber-attacks and cyber terrorism for implementation by all Ministries/ Departments of Central Government, State Governments and their organizations and critical sectors”.
Earlier this month, PM Modi’s Twitter account was also “compromised” briefly. While the social media firm said that, as per its investigation, the account was not compromised due to any breach of Twitter’s systems, Cert-In, the national nodal agency for monitoring cyber security incidents and threats, said it would reach out to Twitter and Google as part of its “full-scale investigation” into the hacking of the PM’s Twitter account.