Indian Rail Coach Factory PII and Credentials Shared From Past Data Breaches

Summary

CloudSEK team identified a post on a cybercrime forum where a threat actor posted the database of Rail Coach Factory, Kapurthala, India for free.
 
Category: Adversary Intelligence
Industry: Government
Motivation: Hacktivism
Region: India
Source*: B2

Executive Summary

Threat
  • Credentials and PII of users of Rail Coach Factory, Kapurthala, India were shared.
  • The data shared, though dated between 2008-2010, could still put users at risk.

Impact
  • Unencrypted sensitive data of the Rail Coach Factory is available for free.
  • The sensitive information poses a large-scale risk, leading to exposure of critical government infrastructure.
  • Details of personnel in every department could be misused for corruption in Tender Applications or similar operations.

Mitigation
  • Monitor user accounts for suspicious transactions.
  • Encrypt the data and credentials present in the databases and server.
  • Ensure user awareness about this data leak.

CloudSEK’s contextual AI digital risk platform XVigil has identified a post on a cybercrime forum where a threat actor has posted the database of Rail Coach Factory, Kapurthala, India for free.

Analysis and Attribution

Information from the Post

  • On 14 June 2022, a threat actor published a post on a cybercrime forum sharing an old database of the Rail Coach Factory, Kapurthala, India for free.
  • The actor claims that the compromised database includes users’ PII along with plain-text passwords and the names of other databases, and that it has been made available to everyone.
Threat actor’s post on cybercrime forum
 
  • The actor shared the following information and databases:
PII Shared
  • User ID
  • User Type
  • Email Address
  • Password
  • User Name
  • Mobile Number
Databases Shared
  • Civil.mdb
  • Contacts.mdb
  • Critical_Item.mdb
  • deptcd.mdb
  • log.mdb
  • news.mdb
  • nonmovItems.mdb
  • Noticedb.mdb
  • pbranch.mdb
  • Rcftenders.mdb
  • sales.mdb
  • sms.mdb
  • Tenderform.mdb
  • TendFinal.mdb
  • users.mdb

The Threat Actor

  • Previous posts of the threat actor indicate that they have been actively engaging with the members on the forum by posting accesses and databases. Some of them are sold at a cost, while others are shared for free.
  • The threat actor is a hacktivist group, involved in gray hat hacking, and has thousands of followers and collaborators across the globe.
  • The group is a coalition of more than 3 organized groups that operate from Europe and America, and it has previously targeted a few Indian entities as well.

Source Rating

  • The actor, who joined the new cybercrime forum in March 2022, has a high reputation on the forum and a decent number of members on their Telegram channel.
Hence,
  • The reliability of the actor can be rated as Usually reliable (B).
  • The credibility of the advertisement can be rated as Probably true (2).
  • This gives an overall source credibility rating of B2.

Impact & Mitigation

Impact
  • This data leak is a massive risk, leading to the exposure of critical government infrastructure.
  • Unencrypted sensitive data of the Rail Coach Factory is available on cybercrime forums for free and can be used for malicious purposes.
  • PII (Personally Identifiable Information) of the employees belonging to Rail Coach Factory can be used to conduct:
    • Social engineering attacks
    • Phishing attacks
    • Identity theft

Mitigation
  • Monitor user accounts for suspicious transactions, which could indicate possible account takeovers.
  • Encrypt the data and credentials present in the databases and server. Implement a strong password policy and enable MFA (multi-factor authentication) across logins.
  • Ensure user awareness about such data leaks.
  • Patch vulnerable and exploitable endpoints.
  • Monitor cybercrime forums in real time for data breaches.
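As an added example (not CloudSEK's code and not anything taken from the leaked databases), the Python below applies the credential-side mitigations above to a user table laid out like the leaked users table (User ID, User Type, Email, Password, User Name, Mobile Number): each plain-text password is replaced with a salted PBKDF2-HMAC-SHA256 record, accounts whose e-mail address appears in the dump are flagged so that a reset is enforced at next login, and a password-change check rejects any password that was in the leak without the application storing those leaked passwords in the clear. Every row, address and leaked-data set is a constructed placeholder; the `example.invalid` domain is reserved and resolves nowhere.

```python
"""Added example (not CloudSEK's or Rail Coach Factory's code): move a legacy
user table from plain-text passwords to salted hashes and flag exposed accounts.
All rows and leak data below are constructed for illustration."""
import hashlib
import hmac
import os
from typing import Dict, List, Optional

PBKDF2_ITERATIONS = 600_000  # iteration count in the range currently recommended for PBKDF2-HMAC-SHA256

# Constructed rows in the layout of the leaked users table. The plain-text
# "password" column mirrors what the threat actor's post claims was exposed.
LEGACY_USERS: List[Dict] = [
    {"user_id": 101, "user_type": "admin", "email": "alice@example.invalid",
     "password": "summer2009", "user_name": "alice", "mobile": "9000000001"},
    {"user_id": 102, "user_type": "staff", "email": "bob@example.invalid",
     "password": "bob123", "user_name": "bob", "mobile": "9000000002"},
    {"user_id": 103, "user_type": "staff", "email": "carol@example.invalid",
     "password": "Tender!2010", "user_name": "carol", "mobile": "9000000003"},
]

# Constructed stand-in for the e-mail column of the leaked dump.
LEAKED_EMAILS = {"alice@example.invalid", "bob@example.invalid"}

# Constructed stand-in for the leaked password column, kept only as SHA-256
# digests so the application never holds the leaked plain-text values.
LEAKED_PASSWORD_SHA256 = {
    hashlib.sha256(p.encode("utf-8")).hexdigest() for p in ("summer2009", "bob123")
}


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a storable record 'pbkdf2_sha256$iterations$salt_hex$hash_hex'.
    A fresh 16-byte random salt is drawn unless one is supplied (tests only)."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    algo, iterations, salt_hex, hash_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), hash_hex)


def is_leaked_password(candidate: str) -> bool:
    """Password-change policy hook: reject anything that appeared in the leak."""
    return hashlib.sha256(candidate.encode("utf-8")).hexdigest() in LEAKED_PASSWORD_SHA256


def migrate_users(rows: List[Dict]) -> List[Dict]:
    """Replace each plain-text password with a salted hash and mark accounts whose
    e-mail appears in the leak so that a password reset is enforced on next login."""
    migrated = []
    for row in rows:
        new_row = dict(row)
        new_row["password"] = hash_password(row["password"])
        new_row["must_reset"] = row["email"].lower() in LEAKED_EMAILS
        migrated.append(new_row)
    return migrated


def accounts_requiring_reset(rows: List[Dict]) -> List[int]:
    """User IDs that should be forced through a reset (and MFA enrolment)."""
    return sorted(r["user_id"] for r in migrate_users(rows) if r["must_reset"])


if __name__ == "__main__":
    for row in migrate_users(LEGACY_USERS):
        print(row["user_id"], row["email"], "reset required" if row["must_reset"] else "ok")
    print("reset list:", accounts_requiring_reset(LEGACY_USERS))
```

The reset flag is keyed on the e-mail address rather than the password because the dump is over a decade old: the exposed accounts may have changed passwords since, but the addresses and mobile numbers are still usable for the phishing and social engineering listed under Impact, so those users are the ones to re-verify and enrol in MFA first.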

Appendix

A sample of database posted by TA
 
The leaked files
 