Websites of Indian Embassy in 7 Countries Hacked; Database Leaked Online
Indian embassy websites in seven different countries have been hacked, and attackers have leaked personal data, including full name, residential address, email address, passport number and phone number, of Indian citizens living abroad.
This incident is extremely worrying because it involves diplomatic personnel working in the embassies that have always been a favorite target of state-sponsored hackers launching cyber espionage campaigns.
Security pen-testers who go by the name Kapustkiy and Kasimierz have claimed responsibility for the hack and told The Hacker News that the reason behind the hack was to force administrators to consider the cyber security of their websites seriously.
In Pastebin link shared on their Twitter account, the hackers claimed to have hijacked Indian Embassy websites in Switzerland, Italy, Romania, Mali, South Africa, Libya, and Malawi and leaked personal details of hundreds of Indians, including students studying abroad.
The pair exploited a simple vulnerability in the targeted websites in an effort to gain unauthorized access to the databases.
The Hacker News team has analyzed those hacked sites and found they are vulnerable to SQL Injection vulnerability that allows an attacker to inject malicious SQL commands (payloads) to the web application and steal database containing sensitive information.
"We did it because their security was poor, and several domains related to the Indian Embassy had the same vulnerability. This proves that a lot of people can not trust the "Embassy." We hope that this problem will be fixed in the future." hackers told The Hacker News via email.
"We did not do it for the lulz or something, but we did just for them to pay attention to the issues with their crucial websites. Also, we did not leak anything like their real address, city or zip code, which is available in the database."
The leaked data shows that the targeted websites are so insecure that even user and admin passwords are also stored in plaintext without any hashing mechanism.
The initiative also includes vision to broaden digital infrastructure in the country with new technologies, but so far we have not seen any ground level initiative to tighten up the security of at least websites that represent various crucial government departments, agencies, services, and programs.
Not convinced yet? Let me put some stats to make my point clear.
A report from cyber security company FireEye found that 38% of organizations in India were exposed to targeted advanced persistent attacks in the first half of 2015, that's 23% increase from the previous report.
"India is fast becoming a strategic target, in part because of the potentially sensitive information that is expected to be digitized through ambitious and high-profile projects such as Digital India," the report stated.
Last year, an annual report from CERT-In noted that over 26,244 India websites were hacked, which includes hundreds of government websites.
Also, more than 35 Indian central and state government websites have recently been hacked by Pakistani hackers after India did surgical strikes across the Line of Control (LoC), Economic Times reports.
Another survey says that cyber crime incidences in India have drastically jumped in past year, with 72% companies in the country falling victim to online attacks.
So far we haven't completely tackled security of our websites and a stream of Internet of Things (IoT) cyber attacks have dramatically increased the threat landscape in past few months only, which should be addressed immediately.
Hi! I am a robot. I just upvoted you! I found similar content that readers might be interested in:
https://thehackernews.com/2016/11/indian-embassy-hacked.html
Congratulations @abhi1! You have completed some achievement on Steemit and have been rewarded with new badge(s) :
Award for the number of upvotes
Award for the number of upvotes received
Click on any badge to view your own Board of Honor on SteemitBoard.
For more information about SteemitBoard, click here
If you no longer want to receive notifications, reply to this comment with the word
STOP