© 2025 T-Sanct Technologies Pvt Ltd.


Jul, 29 2024
7 minutes 25 seconds read

Comprehensive Overview of Cyber Attacks in India (January - July 2024)


Introduction

The cybersecurity landscape in India has experienced a dramatic shift in the first half of 2024, with a sharp increase in cyber attacks targeting various sectors across the nation. As digital threats evolve and become more sophisticated, organizations across India find themselves increasingly vulnerable. Leveraging data from FalconFeeds.io, this blog explores the most pressing cyber threats and trends that have emerged during this period. Through a detailed analysis of incidents categorized into Data Breach, Data Leak, Ransomware, and Access Sale/Leak, we aim to shed light on the key areas of concern and the sectors most impacted by these relentless attacks.

According to data from FalconFeeds.io, a total of 593 cyber incidents were reported, comprising:

  • 388 incidents of data breaches
  • 107 incidents of data leaks
  • 39 ransomware group activities
  • 59 cases of access sale or leak.

Cyber Attack Trends and Their Implications

Prevalence of Data Breaches and Data Leaks:

  • Data Breaches: The most common type of cyber attack, indicating that many organizations lack robust data protection measures. Sensitive information remains highly vulnerable to unauthorized access and exposure.
  • Data Leaks: Follow closely behind data breaches, further highlighting the need for improved data security practices.

Impact of Ransomware Attacks:

  • Ransomware: Although fewer in number, these attacks are highly disruptive. They often result in significant financial losses and operational downtime, posing severe threats to organizations.

Underground Market for Access Credentials:

Sale and Leak of Access Credentials: The thriving underground market for unauthorized access to corporate and government networks underscores the importance of:

  • Strong Access Control Measures: Ensuring only authorized individuals have access to sensitive information.
  • Regular Monitoring: Keeping a close watch on access attempts and activities within the network.
  • Swift Response to Unauthorized Access Attempts: Quickly addressing any breaches or attempts to ensure minimal impact.

Monthly Breakdown

From March to April, there was a marked increase in cyber incidents, peaking in May, followed by a slight decrease in June and a more notable drop in July. This surge in activity coincided with the Indian General Elections from April 19 to June 1, 2024, highlighting the opportunistic behavior of threat actors who exploit periods of heightened national activity.


This trend underscores the critical need for robust cybersecurity measures during significant events. Organizations must implement proactive strategies, continuous monitoring, and adaptive response plans to mitigate risks. The spike during the election period serves as a reminder for heightened vigilance against evolving cyber threats.

Platform-wise Breakdown

Most Active Platforms:

  • Breach Forum: The leading platform for posting data breaches and access related to Indian companies. It remains the most active hub for such activities.
  • Telegram: Widely used by hacktivists and threat actors to share attack information and coordinate activities.

Moderately Active Platforms:

  • Xss, Exploit, and Leakbase: These hacker forums are notable for posting access sales and leaks concerning Indian organizations, maintaining a steady level of activity.

Least Active Platforms:

  • Onniforums, Ramp, and Dark Forums: These platforms show minimal activity related to the posting of data breaches or access sales.

Ransomware Group Activity

The ransomware landscape in India has seen significant activity from various groups, with the LOCKBIT 3.0 ransomware group being the most active, affecting the largest number of Indian organizations. Alongside LOCKBIT 3.0, DARKVAULT and BianLian have also demonstrated considerable activity, posing significant threats to businesses and institutions.

Other groups such as Kill Security and RansomHub have maintained a moderate presence, indicating ongoing but less frequent attacks. Additionally, groups like Abyss, CL0P, MALLOX, Snatch, and STORMOUS, although less active, continue to be notable players in the ransomware scene.


This diverse and dynamic ransomware landscape highlights the need for continuous monitoring and adaptive security measures for Indian companies. The presence of incidents across various platforms suggests that threat actors are utilizing a range of forums to disseminate breached data. This diversification requires broad monitoring across multiple channels to effectively track and mitigate threats.

Industry Impact

Most Impacted Industry: Education & Research

The Education & Research sector experienced the highest number of cyber incidents, making it the most impacted industry. Following closely were the Government & Public Sector and Technology & IT Services, which also faced a significant number of attacks.

Other sectors such as Financial Services, Manufacturing & Industrial, and Healthcare experienced substantial activity, highlighting their vulnerability to cyber threats. Business & Professional Services, Consumer Services & Goods, and Telecom sectors faced moderate levels of attacks, indicating a widespread risk across various industries.

While industries such as Building & Construction, Energy & Utilities, Social Organizations, and Transport & Logistics reported fewer incidents, the data underscores that no sector is entirely safe from cyber threats.


Government Impact

From January to June 2024, the government and public sector in India emerged as the second most targeted sector for cyber attacks, with a total of 71 victims. These included various military, defense, law enforcement, and government departments from states and union territories. The surge in cyber attacks coincided with the Indian General Election, held from April 19 to June 1, 2024, during which there was increased activity in ransomware, on breach forums, and on Telegram.


The affected regions spanned across the country, including Andhra Pradesh, Bihar, Haryana, Karnataka, Kerala, Ladakh, Maharashtra, New Delhi, Odisha, Punjab, Tamil Nadu, Telangana, Uttar Pradesh, and West Bengal.

Notable Incident Highlights

  1. Eicher Motors Limited (July 4, 2024): Listed as a victim on LockBit ransomware group's dark web portal.
  2. National Disaster Management Authority volunteers data (June 25, 2024): 93K lines containing information like name, gender, blood group, DOB, email, address, etc.
  3. Telangana State Police SMS service (June 6, 2024): Access to the portal of the Telangana state police to send messages to government employees or any citizen in India.
  4. Telangana State Police's Online Portal (June 5, 2024): Includes details on offenders, rowdy sheeters, PD Act violators, gun licenses, important contacts, election reports, user information, and police station records.
  5. Government Of Tamil Nadu Labour Department (June 5, 2024): Over 2 million records containing names, mobile numbers, genders, dates of birth, addresses, emails, and other information were compromised. Previously, on November 2, 2023, and November 28, 2023, vendors were found selling server access to the Tamil Nadu Labour Department portal.
  6. Hawk Eye Application (May 30, 2024): Breached by the same threat actor who accessed the Telangana State Police's Online Portal and Telangana state police SMS service. The breach includes sensitive information such as anonymous user details, email addresses, names, phone numbers, physical addresses, location coordinates, phone IMEI numbers, and alert coordinates.
  7. LockBit 3.0 adds multiple Indian organizations as victims (May 9, 2024): Indian Institute of Technology–Madras, De Penning & De Penning, Tega Industries, Vinati Organics, Livia Polymer Products, Hetero, Vikrant Group, Double Horse, and VStar.
  8. Tamil Nadu police facial recognition portal (May 03, 2024): 800,000 lines of data containing FIR information, FIR number, date, details of involved parties, physical addresses, and contact details of police officers.
  9. Boat Lifestyle (April 5, 2024): 7.55 million customer data records containing names, emails, addresses, phone numbers, etc.
  10. Bira 91 (March 22, 2024): Listed as a victim on BianLian ransomware group's dark web portal with 1.9TB of claimed data.
  11. Motilal Oswal (Feb 13, 2024): Listed as a victim on LockBit ransomware group's dark web portal.

Mitigations and Recommendations

To mitigate the risks posed by these cyber threats, organizations should implement the following strategies:

  1. Regular Security Audits: Conduct thorough and regular security audits to identify and address vulnerabilities. Ensure that all software and systems are up to date with the latest patches to prevent exploitation of known vulnerabilities.
  2. Employee Training: Educate employees about phishing, social engineering, and other common attack vectors. Regular training sessions can help employees recognize and avoid potential threats.
  3. Data Encryption: Ensure sensitive data is encrypted both at rest and in transit. This helps protect data from being accessed by unauthorized parties, even if it is intercepted or stolen.
  4. Multi-Factor Authentication (MFA): Implement MFA to add an extra layer of security for accessing systems and data. This can significantly reduce the risk of unauthorized access.
  5. Incident Response Plan: Develop and regularly update an incident response plan to quickly address any breaches or leaks. This should include steps for containment, eradication, and recovery, as well as communication plans for notifying affected parties.
  6. Threat Intelligence Sharing: Participate in threat intelligence sharing communities to stay informed about the latest threats and attack methods. Sharing information with peers and industry groups can help organizations stay ahead of emerging threats.
  7. Network Segmentation: Implement network segmentation to limit the spread of malware and restrict unauthorized access to sensitive data. By isolating critical systems and data, organizations can reduce the potential impact of a breach.
  8. Backup and Recovery: Regularly back up critical data and ensure that backup systems are secure and tested. In the event of a ransomware attack or data loss, having reliable backups can facilitate quick recovery.
  9. Monitoring and Detection: Implement advanced monitoring and detection tools to identify and respond to suspicious activities in real time. Continuous monitoring of networks, systems, and endpoints can help detect and mitigate threats before they cause significant damage.

Conclusion

The cyber attack landscape in India from January to July 2024, as analyzed using data from FalconFeeds.io, serves as a stark reminder of the importance of robust cybersecurity measures. By staying vigilant and adopting best practices, organizations can better protect themselves against the evolving threats that continue to challenge the security of their systems and data. Leveraging threat intelligence platforms like FalconFeeds.io can provide critical insights and help organizations stay ahead of emerging threats.

Jacob Abraham