It is unclear who is behind the breach, but it was apparently carried out by an anti-Indian-government hacker.
Indian defense contractor Bharat Earth Movers Limited (BEML) has suffered a data breach that led to the leaking of sensitive internal documents on underground marketplaces on the Dark Web. The data, according to cybersecurity firm Cyble, was leaked by a hacker going by the handle of R3dr0x.
However, the company later clarified that this was a false assumption and that R3dr0x isn’t involved in the data leak. For your information, BEML is a Bengaluru-based public sector defense undertaking that manufactures equipment for the construction, cement, power, steel, rail, fertilizer, and irrigation sectors.
The data leak occurred on May 25, 2020, and an unknown threat actor managed to access sensitive data files along with the login credentials of seven BEML employees. The files were downloaded from hacked email accounts of the employees after which the attacker leaked the email IDs and login credentials in a text file.
Once the attacker could log in to the employees’ email accounts, the old passwords were changed to terms like “FreeKashm!r” and “GoToHellBJP!!1,” which is why Cyble suspected that a threat actor from a neighboring country or a government-sponsored hacktivist was involved.
It was speculated earlier that R3dr0x was the attacker who targeted the Indigenisation part of the BEML website and carried out the data leak. The leaked data includes several email conversations, interoffice memos, customer records, and freight invoices of the company.
Now that Cyble has clarified that R3dr0x isn’t responsible for the data leak, the actual perpetrator of the crime is yet to be identified. However, Cyble researchers still believe that the incident is politically motivated.
“Based on the leak itself, it appears to be an act of a hacktivist or politically motivated. At this point, we have no technical evidence suggesting that the attack originated from a neighboring or non-friendly country; however, the circumstantial pieces (actor’s message, password combinations) suggest it to be likely the case,” the company noted in its blog post.
This, however, is not the first time sensitive Indian cyber infrastructure has been hit by hackers. In August 2016, French naval contractor DCNS stated it may have been the victim of “economic warfare” after secrets about its Scorpene submarines being built in India were leaked.
In another incident, Google removed SmeshApp from Play Store for allegedly being used by Pakistani intelligence agency ISI to spy on the Indian military.