Category: Adversary Intelligence
- CloudSEK’s contextual AI digital risk platform XVigil discovered a threat actor advertising a Telegram bot that offered personally identifiable information (PII) data of Indian citizens who had allegedly registered vaccines from the Cowin Portal.
- Note: CloudSEK Analysis concludes that threat actors do not have access to the entire Cowin portal nor the backend database. Based on matching fields from Telegram data and previously reported incidents affecting Healthworker of a region, we assume the information was scraped through these compromised credentials. The claims need to be verified individually.
- On March 13, 2022, a threat actor on a Russian cybercrime forum advertised for compromised access on the Cowin Portal of Tamil Nadu region and claimed to have compromised the Cowin database. Upon analysis, we discovered the breach was that of a health worker and not really on the infrastructure. The content displayed on the screenshot matches with the Telegram bot mentioned in the media as follows:
- Name of individual
- Mobile Number
- Identity Proof
- Identification Number
- Number of Dose completed.
Furthermore, there are numerous healthcare worker credentials accessible on the dark web for the Cowin portal. However, this issue primarily stems from the inadequate endpoint security measures implemented for healthcare workers, rather than any inherent weaknesses in Cowin's infrastructure security.
Exclusive Humint Analysis revealed the data belonging to the Tamil Nadu region and the actor claimed access to this single region’s center at that moment.
Analysis and Attribution
Information from the Telegram Channel
- The Covid data bot was offered by a channel called hak4learn, which frequently shared hacking tutorials, resources, and bots for individuals to access and buy. Initially, the bot was available for everyone to use, but it was later upgraded to be exclusive to subscribers.
- The upgraded version of the bot provided PII data, including Aadhar card numbers, Pan card, Voter ID, gender, and the name of the vaccination center, based on the inputted phone number.
- The real source of the Telegram bot is unknown, it is important to note that the bot had Version 1 offered that only displayed personal information based on Phone number. While the Version 2 claimed to be Truecaller bot that also contained personal information of the individuals.
- The bot is currently down and might come up later as mentioned by the admin of the channel.
- The channel, established on December 11, 2021, provides a variety of Telegram bots, such as a Truecaller bot for retrieving location information based on phone numbers, an OTP bot, a UPI Recon bot, a Phishing page bot, and many others.
- The advertised post contains screenshots of the admin portal revealing the PII of people who have registered for COVID-19 vaccination drives.
Threat Actor Activity and Rating
Based on an Instagram post made in 2022, an account likely associated with the threat actor offered various scripts exploiting UPI payment gateways such as SBI, PayTM, Google Pay etc.