- Category: Compromised Access
- Region: India
- A Russian threat actor group claimed to have targeted the Indian Health Ministry's Health Management Information System (HMIS).
- The group framed the attack as retaliation for India's compliance with the G7 price cap on Russian oil and with the sanctions imposed over the Russia-Ukraine war.
- Access to the HMIS portal and to hospital, employee and physician data.
- Likelihood of further cyber attacks by such hacktivist groups citing India's geopolitical stances as a pretext.
- Sale of exfiltrated license documents and PII on cybercrime forums.
- Document fraud using the stolen PII and license documents.
- Monitor user accounts for anomalies (logins from new countries or IP ranges, bursts of failed logins followed by a success, logins at unusual hours), which could indicate account takeover.
- Use load balancers and DDoS protection services.
- Block unnecessary IP addresses and geolocations.
- Regularly updating and patching vulnerabilities reduces the chances of a website being attacked.
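The following is an added illustration of the first mitigation above, account-anomaly monitoring, and is not part of the original advisory or of any CloudSEK tooling. It assumes a simplified, constructed web-portal authentication log (one line per attempt: timestamp, username, source country, source IP, result); real HMIS portal logs will need their own parser, and the thresholds are placeholders to be tuned per environment. It runs three checks that together cover the account-takeover patterns named above: a success from a country the account has never logged in from, a burst of failures followed by a success, and two successes from different countries too close together to be the same person.

```python
"""Flag account-takeover indicators in portal authentication logs (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, not real HMIS data. Assumed format per line:
# <ISO-8601 UTC timestamp> <username> <source country> <source IP> <SUCCESS|FAIL>
SAMPLE_LOG = """\
2023-03-14T08:01:10Z dr.sharma IN 203.0.113.10 SUCCESS
2023-03-14T08:02:43Z nurse.rao IN 203.0.113.11 SUCCESS
2023-03-14T09:15:02Z dr.sharma IN 203.0.113.10 SUCCESS
2023-03-14T22:40:00Z admin.hmis IN 203.0.113.12 SUCCESS
2023-03-15T01:10:05Z admin.hmis RU 198.51.100.7 FAIL
2023-03-15T01:10:09Z admin.hmis RU 198.51.100.7 FAIL
2023-03-15T01:10:14Z admin.hmis RU 198.51.100.7 FAIL
2023-03-15T01:10:20Z admin.hmis RU 198.51.100.7 FAIL
2023-03-15T01:10:27Z admin.hmis RU 198.51.100.7 FAIL
2023-03-15T01:10:33Z admin.hmis RU 198.51.100.7 SUCCESS
2023-03-15T08:05:00Z nurse.rao IN 203.0.113.11 SUCCESS
2023-03-15T08:30:00Z dr.sharma IN 203.0.113.10 SUCCESS
2023-03-15T09:12:00Z dr.sharma NL 192.0.2.44 SUCCESS
"""


def parse_log(text):
    """Parse the assumed log format into time-ordered event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, country, ip, result = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user, "country": country, "ip": ip,
            "ok": result == "SUCCESS",
        })
    events.sort(key=lambda e: e["ts"])
    return events


def detect_new_country(events):
    """Successful login from a country the account has never succeeded from before.
    The very first success for an account seeds the baseline and is not flagged."""
    seen = defaultdict(set)
    findings = []
    for e in events:
        if not e["ok"]:
            continue
        prior = seen[e["user"]]
        if prior and e["country"] not in prior:
            findings.append(("new_country", e["user"], e["ts"], e["country"]))
        prior.add(e["country"])
    return findings


def detect_fail_burst(events, max_fail=5, window=timedelta(minutes=10)):
    """At least max_fail failures inside `window`, then a success: guessing that worked."""
    recent_fails = defaultdict(list)
    findings = []
    for e in events:
        fails = recent_fails[e["user"]]
        fails[:] = [t for t in fails if e["ts"] - t <= window]  # expire old failures
        if e["ok"]:
            if len(fails) >= max_fail:
                findings.append(("fail_burst", e["user"], e["ts"], f"{len(fails)} failures"))
            fails.clear()
        else:
            fails.append(e["ts"])
    return findings


def detect_impossible_travel(events, window=timedelta(hours=2)):
    """Two successes for one account from different countries within `window`."""
    last_ok = {}
    findings = []
    for e in events:
        if not e["ok"]:
            continue
        prev = last_ok.get(e["user"])
        if prev and prev["country"] != e["country"] and e["ts"] - prev["ts"] <= window:
            findings.append(("impossible_travel", e["user"], e["ts"],
                             f"{prev['country']}->{e['country']}"))
        last_ok[e["user"]] = e
    return findings


def run_detections(text):
    """Run every detector over the log and return findings ordered by time."""
    events = parse_log(text)
    findings = []
    for detector in (detect_new_country, detect_fail_burst, detect_impossible_travel):
        findings.extend(detector(events))
    findings.sort(key=lambda f: f[2])
    return findings


if __name__ == "__main__":
    for rule, user, ts, detail in run_detections(SAMPLE_LOG):
        print(f"{ts:%Y-%m-%d %H:%M:%S}  {rule:<18} {user:<12} {detail}")
```

On the constructed sample this yields four findings: admin.hmis is flagged twice at 01:10:33 (five failures in under a minute, then a success from a country never seen for that account), and dr.sharma is flagged for a login from NL 42 minutes after one from IN. admin.hmis is deliberately not flagged for impossible travel, because its IN and RU successes are 2.5 hours apart, outside the 2-hour window; in practice that window, the failure threshold, and the country baseline all need tuning against what is normal for the portal's users.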
Analysis and Attribution
Information from the Post
- On 15 March 2023, CloudSEK’s contextual AI digital risk platform XVigil discovered a threat actor group claiming to have targeted an Indian government website.
- An analysis of the shared samples concluded that the affected entity is the Health Management Information System belonging to the Indian Ministry of Health.
- In the post, the threat actor group claimed to have access to:
- All the hospitals of India
- Employees and chief physicians
Information from the Channel
- The stated motive was the sanctions imposed against the Russian Federation: Indian authorities decided not to violate the sanctions and to comply with the price ceiling for Russian oil approved by the G7 countries.
- This decision prompted multiple polls on the Telegram channel of the Russian hacktivist group Phoenix, asking followers for their votes.
Tactics, Techniques and Procedures [TTPs]
- The hacktivist group Phoenix has been observed using social engineering to lure victims into phishing scams, stealing their passwords and gaining access to their bank or e-payment accounts.
- The group has conducted a series of DDoS attacks against multiple entities in the past.
- Phoenix has also engaged in hardware hacking, unlocking lost or stolen iPhones and reselling them in Kyiv and Kharkiv through a network of outlets under its control.
Threat Actor Activity and Rating
Threat Actor Profiling
- Active since: January 2022
- Reputation: Moderate
- Current Status: Active
- History: The Russian hacktivist group has a history of targeting the following entities:
- Hospitals based in Japan and the United Kingdom
- A U.S.-based healthcare organization serving the U.S. military
- DDoS attacks against LGBTQ dating websites and community forums based in Russia
- Pakistan's Ministry of Health, Federal Public Procurement Regulatory Authority, Ministry of Food Control, Supreme Court, Ministry of Home Affairs, and a number of other departments
- A DDoS attack on the website of the Spanish Foreign Ministry
- Rating: C3 [C: Fairly reliable; 3: Possibly true]
- * Rating scale: Intelligence source and information reliability (Wikipedia)
- # Traffic Light Protocol (Wikipedia)