Website of Indian Consulate General in NY Apparently Hacked
Same Attacker Who Claims Involvement in Earlier Embassy Attacks Takes Credit
A week after attackers leaked data from the apparent hacking of websites of seven Indian embassies, the website of the consulate general of India in New York was apparently compromised by one of the attackers involved in the earlier breach.
An individual claiming to be the hacker going by the handle of Kapustkiy reached out to Information Security Media Group on Twitter on Nov. 13 claiming to have breached the website for the consulate general of India in New York. The attacker claims, however, that he has only exposed a small amount of personal data - purportedly of the embassy staff - as proof of the breach. The data has been posted online on Pastebin.
The attacker claims he breached the website because he wanted to draw attention to its vulnerabilities and get authorities to fix them, asserting that Indian officials ignored his warnings.
The hacker - who says he is a European male teenage security researcher - claims that he again used a SQL injection attack for his latest breach, as he did in the earlier intrusions. The consulate website was down for a portion of the day on Nov. 14 but was back online near the end of the day, India time.
Claims of the website being vulnerable to SQL injection attacks have been verified independently to ISMG by several security researchers. But ISMG was unable to verify the authenticity of the leaked data.
India's Ministry of External Affairs has not responded to ISMG's request to comment on the series of apparent breaches.
Data Leaked Selectively
The individual identifying himself as Kapustkiy claims that while he had access to a database of more than 7,000 individuals at the New York consulate, he chose not to expose all their personal information and only posted data from a table that contained limited information.
The data posted on Pastebin contains 418 entries listing first name, last name, email and contact numbers. In his Pastebin post, the hacker writes: "There was also a table named 'Newyork_contact' which had 7000 entries. I didn't leak that out of privacy of people. ... the table ... had also information like Address, City, Zipcode, phone number."
After the earlier series of breaches at Indian embassy websites, the security on these sites improved, and vulnerabilities were fixed, he claims. "They don't care about it when I report (directly). Only media attention will make them look into it."
Dinesh Bareja, COO at OpenSecurity Alliance, notes: "More than half of embassy domains are on shared hosting, and there is no structured manner of ownership." Bareja is also the founder of IndiaWatch, which has been researching the information security posture of Indian embassy websites since 2013 through right-to-information requests. "Most embassy websites are being managed by contractors, and security does not seem to be a priority," Bareja says.
On Nov. 6, seven of India's embassies were apparently hacked and some data pertaining to Indian citizens leaked online by attackers, who said they wanted to call attention to the sites' vulnerabilities (7 Indian Embassy Websites Apparently Breached).
The websites of Indian embassies in South Africa, Malawi, Switzerland, Libya, Mali, Romania and Italy apparently were breached by hackers going by the handles of Kapustkiy and Kasimierz, and data was then posted on Pastebin. The data was later removed, but a cached version could be found on Google. Personal data on Indian citizens living abroad that was breached included names, home addresses, email, passport numbers and phone numbers.
After the website hacking incidents were covered by the news media on Nov. 7, MEA spokesperson Vikas Swarup was quoted in news reports saying that the MEA was aware of the problem and it was being fixed. Kapustkiy later confirmed on his Twitter account that the issues had largely been addressed.
A look at Kapustkiy's Twitter timeline shows that he has also been claiming responsibility for hacking various embassies and universities around the world.
The attacker says the Indian websites' approaches to security were clearly inadequate because they were vulnerable to simple "SQL injection" attacks.
And it's concerning that even after the first round of attacks, the Indian consulate in New York remained vulnerable, says an Indian security practitioner, who requested not to be named. The failures to fix vulnerabilities at the various sites show a lack of security maturity on the part of the website operators and the organisation - in this case, the MEA, he contends.
There needs to be a better reporting mechanism for responding appropriately and in a timely fashion when such information is shared, rather than relying on communiques on critical threat information that get mired in bureaucracy, or worse, ignored, he says.