Cyber security solutions company Seqrite, along with its partner seQtree detected and notified the Indian government about a possible breach of India’s National Internet Registry – IRINN (Indian Registry for Internet Names and Numbers), the company informed via a blog post. Apparently, the hacker(s) had advertised “access to the servers and database dump of an unspecified Internet Registry” on a Darknet platform, which Seqrite and seQtree identified as IRINN.

IRINN “provides allocation and registration services of Internet Protocol addresses (IPv4 & IPv6) and Autonomous System numbers,” according to its official website. It is part of NIXI (National Internet Exchange of India), which “is the neutral meeting point of the ISPs in India with the primary objective being the facilitation of exchange of domestic Internet traffic between peering ISP members.”

The sequence of events as described by Seqrite:

  • Upon noticing the broadcast advertisement, the seQtree and Seqrite teams started gathering background research on the actor, but this did not yield any concrete information.
  • The team didn’t get any relevant data even after conducting deep research, and it appeared that this actor’s persona had been created recently. This is an ongoing trend that the team has noticed with recent data breaches.
  • The team then contacted the actor for further details, posing as an interested buyer. Initially the actor was not willing to disclose the name of the affected Internet Registry; however, he later agreed to share a small sample of the email list from the allegedly compromised database.
  • In the sample, the team noticed the email address of a prominent Indian technology firm, and another email address was from the Indian government. The team then asked for the complete/extensive email list.
  • Eventually, the actor agreed to share a text file containing the emails of the users/organizations affected, allegedly from the compromised database(s). The text file contained a list of approx. 6000 emails.
  • It was observed that some of the most important and high-profile organizations featured in the list. At this point, the team first considered the possibility of the affected organization being India’s National Internet Registry: IRINN (Indian Registry for Internet Names and Numbers), which comes under NIXI.
  • To confirm our suspicion, we probed the actor further. The actor agreed to share screenshots, which confirmed our suspicion that the compromise/breach is, unfortunately, true and that IRINN is the affected organization.
  • The actor also hinted in the chat that if he doesn’t find any interested buyer, he will consider posting this on Darknet forum(s)/marketplace(s).
  • If he gets an interested buyer, then an attack on the system could have disrupted Internet IP allocation and, in turn, the complete Internet in India.

The data put up for sale includes that of several government organisations, telecom companies, multiple financial institutions and technology companies, such as the Unique Identification Authority of India (UIDAI), Defence Research and Development Organisation (DRDO), Reserve Bank of India (RBI), Idea Telecom, Aircel, Bharat Sanchar Nigam Limited (BSNL), Bombay Stock Exchange (BSE), Mastercard/Visa, State Bank of India (SBI), Flipkart, Ernst & Young (E&Y), and Wipro, among many others. You can check out the entire list of organisations, as well as screenshots of the data shared by the hacker(s), here.

The advertisement on the Darknet forum posted by the hacker(s) reads:

“As mentioned in the title, selling database of one of the biggest Internet Protocol controller.

In client Database you can get username, email ids, passwords, organisation name, invoices/billing documents, and few more important fields. You can also control IP range of respective organisation. You can entirely shut down that organisation.

Selling it for 15 BTC.”

15 Bitcoins at the current exchange rate comes to over $64,000, or Rs 41.8 lakh.

Apparently, the appropriate government agencies have been informed; they have acknowledged it and taken care of the matter. However, this hasn’t yet been acknowledged publicly.