With the development of technology, computer-assisted and Internet crimes have kept increasing, and there is a need to further investigate the current status of cyber crime and computer forensics in the region. India is one of the fastest growing countries in Asia in terms of communications technologies such as the Internet and mobile phones.
Tata Power is India’s largest integrated power company, present across the entire power value chain of conventional & renewable energy, power services and next-generation customer solutions including solar rooftop, EV charging stations and home automation. Being a multinational company, it attracts a lot of unwanted attention and faces security risks from hackers.
Tata Power has been facing frequent attacks on its SCADA system and its website lately, but on October 3rd, 2022, something different was observed on its network.
On October 14, Tata Power disclosed that its Information Technology infrastructure had been hit by a cyber attack and some of its systems were affected as a result of it. In a Bombay Stock Exchange filing, the Mumbai-headquartered company said all critical operational systems were functioning and it had “taken steps to retrieve and restore its systems.”
Who was behind the attack?
The Hive ransomware-as-a-service (RaaS) group has claimed responsibility for the cyber attack against Tata Power that the company disclosed less than two weeks ago. The threat actor has also been observed leaking data exfiltrated prior to encrypting the network, as part of its double extortion scheme.
Information about Hive
The operators of the Hive ransomware-as-a-service (RaaS) scheme have overhauled their file-encrypting software to fully migrate to Rust and adopt a more sophisticated encryption method. Hive, which was first observed in June 2021, has emerged as one of the most prolific RaaS groups, accounting for 17 attacks in the month of May 2022 alone, alongside Black Basta and Conti.
Source: TheHackerNews
Hive is no different from other ransomware families in that it deletes backups to prevent recovery, but what’s changed significantly in the new Rust-based variant is its approach to file encryption.
“Instead of embedding an encrypted key in each file that it encrypts, it generates two sets of keys in memory, uses them to encrypt files, and then encrypts and writes the sets to the root of the drive it encrypts, both with .key extension,” MSTIC explained.
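The key-handling behaviour MSTIC describes gives defenders a concrete artefact to hunt for: freshly created `.key` files sitting directly at a volume root, where legitimate key material rarely lives. The Python triage heuristic below is an added example, not code from the original article, MSTIC or any vendor; the event-log format, host names and file names are constructed, and the two-file threshold simply mirrors the "two sets of keys" in the quote.

```python
import re
from collections import defaultdict
from typing import Dict, List

# Constructed sample telemetry (not real logs): "<timestamp> <host> <action> <path>".
SAMPLE_EVENTS = r"""
2022-10-03T01:12:04Z fs01 CREATE C:\Shares\finance\q3.xlsx
2022-10-03T01:12:05Z fs01 CREATE C:\Users\svc_backup\notes.key
2022-10-03T01:14:51Z fs01 CREATE C:\A7f3kQ.key
2022-10-03T01:14:52Z fs01 CREATE C:\pZ19mX.key
2022-10-03T01:15:10Z fs01 CREATE D:\q2Lm8V.key
2022-10-03T01:20:00Z web02 CREATE /var/www/html/index.html
2022-10-03T01:21:03Z web02 CREATE /etc/ssl/private/server.key
2022-10-03T01:21:30Z web02 CREATE /xYz12a.key
"""

EVENT_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(.+)$")


def volume_root_key_file(path: str) -> bool:
    """True when `path` is a *.key file directly under a volume root.

    Covers Windows drive roots (C:\name.key) and a POSIX root (/name.key).
    Legitimate key material (/etc/ssl/private/*.key, files in user profiles)
    sits deeper in the tree and is deliberately not flagged."""
    if not path.lower().endswith(".key"):
        return False
    win = re.fullmatch(r"[A-Za-z]:\\[^\\/]+", path)
    posix = re.fullmatch(r"/[^/]+", path)
    return bool(win or posix)


def parse_events(text: str) -> List[dict]:
    """Parse the constructed log format into event dicts; skips malformed lines."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            ts, host, action, path = m.groups()
            events.append({"ts": ts, "host": host, "action": action, "path": path})
    return events


def hive_key_drop_alerts(text: str, min_files: int = 2) -> Dict[str, List[str]]:
    """Per host, collect *.key files created at volume roots and alert when at
    least `min_files` appear (Hive writes two encrypted key sets per drive)."""
    hits: Dict[str, List[str]] = defaultdict(list)
    for ev in parse_events(text):
        if ev["action"] == "CREATE" and volume_root_key_file(ev["path"]):
            hits[ev["host"]].append(ev["path"])
    return {host: paths for host, paths in hits.items() if len(paths) >= min_files}


if __name__ == "__main__":
    for host, paths in hive_key_drop_alerts(SAMPLE_EVENTS).items():
        print(f"ALERT {host}: {len(paths)} .key files at volume roots: {paths}")
```

On the constructed sample only fs01 is reported (three root-level key files across C: and D:), while web02's single root-level file and the TLS key under /etc/ssl/private stay below the threshold.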
What files were compromised?
The above screenshot of the stolen data was obtained by researcher Rakesh Krishnan; the data appears to include Tata Power employees’ personally identifiable information (PII), National ID (Aadhaar) card numbers, PAN (tax account) numbers, salary information, etc.
Additionally, the data dump contains engineering drawings, financial and banking records as well as client information, Krishnan suggests.
Hive operators claim that they encrypted Tata Power’s data on October 3rd.
On Friday, October 14th, Tata Power disclosed a cyber attack on its “IT infrastructure impacting some of its IT systems” in a stock filing, without sharing additional information about the identity of the threat actor.
“The Company has taken steps to retrieve and restore the systems. All critical operational systems are functioning; however, as a measure of abundant precaution, restricted access and preventive checks have been put in place for employee and customer facing portals and touch points,” stated Tata Power’s filing, signed by company secretary H.M. Mistry at the time.
Threat actors like extortion and ransomware groups typically begin leaking or selling data stolen from their targets’ networks when the target refuses to pay the ransom demand and subsequent negotiations fail.
Ransom Details
The above picture was obtained from Hive’s official leak site, which has published all the files on a public channel. Negotiations were reportedly underway between Hive and Tata Power for 10 days to retrieve the data. However, the talks reportedly broke down, after which Hive started dumping the data on the dark web late on Monday night, US time (around 6.30 am IST on Tuesday). The ransom amount is still unconfirmed, but it is rumoured to be around a million dollars, to be paid in BTC.
How did Hive get in?
Tata officials have not yet confirmed the initial access vector, but a social engineering attack that obtained highly privileged user credentials is the most likely explanation, since no vulnerability that might have been exploited has been reported on the servers.
Tata Power’s negligence in reporting the attack?
It is unclear at this time whether Tata Power will be charged for failing to report the cyber attack within hours of its discovery. The Indian Computer Emergency Response Team (CERT-In) recommends that all enterprises be required to report any cyber incidents to CERT-In within six hours of becoming aware of the event.
CERT-In is a government-appointed nodal agency tasked with performing cybersecurity-related functions. The agency has laid out instructions concerning information security practices, procedures, cybersecurity incident prevention, response, and reporting.