“Nothing has gone missing from the Federal Bank’s servers. We are two hundred per cent secure,” CEO Souvik Roy told MediaNama, in response to a query about a dark web threat claiming that over a terabyte of data had been stolen from the Federal Bank and its NBFC Fedfina’s servers.
However, he acknowledged that the subsidiary Fedbank Financial Services (Fedfina) was aware of the alleged data breach. “We have been aware of the threat for a while now. We have informed the relevant authorities. A forensic investigation is ongoing at Fedfina,” he added. MediaNama reached out to Fedfina and its CEO for comment but had not heard back at the time of publication.
The threat, posted on the dark web on July 18, was addressed to “Federal Bank/Fedfina”. It claimed that the Everest Ransom Group had breached Fedfina’s servers and accessed 1,130 GB of confidential information. The message was widely circulated by cyber experts through social media.
MediaNama has also reached out to the Indian Computer Emergency Response Team (CERT-In) for details on the breach but has not heard from the agency at the time of publication.
Why does it matter? A cybersecurity incident of this magnitude involves the personal data of thousands of people, not to mention other sensitive business information. A threat like this, allegedly from a foreign actor, needs to be investigated by the government. Other banks and financial companies should look toward strengthening their internal security measures.
What are the threat group’s claims? MediaNama accessed a link to a dark web forum where the Everest Ransom Team warns that the companies have 48 hours to contact them or they will publish 1,130 GB of internal data and delete the decryption key.
Screengrabs from the Everest Ransom Group’s dark web forum
“The data includes financial documents (loans, budgets, etc.), internal correspondence, KYC data, personal data and documents of employees, clients’ personal data and documents including balances and debts, and documents of management and directors,” the threat message claims. There is a file tree attached that contains the names of all of the files that were stolen during the attack.
Along with the messages, the group has also posted what appear to be scans of the Aadhaar cards, PAN cards and passports of the entire board of directors at Fedfina, though certain sections were redacted. The group has also published other documents which it claims are excerpts from actual company files. These allegedly include KYC processing information of customers, along with phone numbers and addresses of shareholders, among other sensitive business information. Some of these documents are at least a year old.
Also note that despite addressing “Federal Bank/Fedfina” in the header, the group has only uploaded what appears to be Fedfina’s data.
The threat actors claim they carried out reconnaissance on the company’s servers for around six months without alerting Fedbank Financial Services’ security partner, Sify Technologies.
What is Everest? Previously known as Everbe, the Everest Ransom Group was launched in 2018. According to an analysis by security company NCC Group, it is a Russian-speaking group that is pushing new boundaries in double-extortion by not only threatening to leak files but also by providing their customers with access to victims’ IT infrastructure. Instead of pursuing a ransom, the group sells third-party access to the target’s network, creating a new way to monetize a compromised target.
“If it proves lucrative, this could become a trend next year,” the NCC Group warns.
In the past couple of years, the Everest group has targeted the likes of Lamborghini, Ferrari, Pontal Engineering and other multinational organisations. However, going by the group’s own claims, none of those attacks involved as much data as it now claims to have stolen from Fedfina.
How can you be compromised? Your workplace can be compromised if just one account on its internal servers is compromised. The easiest way to break into an organisation is by sending employees malware hidden in innocuous-looking emails. Similar malicious messages may also arrive in social media inboxes. This kind of attack is known as phishing.
You may also be compromised by downloading a malicious or tampered-with application onto your work computer. Cybersecurity incidents may go unnoticed for months even with round-the-clock security monitoring. By the time anyone notices, it may already be too late.
Once a threat actor is inside a company’s systems, it can deploy malware that renders those systems unusable (a denial of service) and hold the company to ransom; this is known as a ransomware attack. Ransomware and human exploitation were the two biggest threats to cybersecurity across the globe in 2021-22, a report by Verizon Cybersecurity has found.
What are the government rules regarding cybersecurity incidents? Earlier, in April, CERT-In issued new cybersecurity directions which state that all entities must mandatorily report cyber incidents within six hours of noticing them. Entities must follow the methods and formats of reporting published on the CERT-In website. The previous rules did not prescribe any time frame and only said that entities must report incidents “as early as possible.”
These rules come at a time when India is seeing a marked increase in the number of cybersecurity incidents. Ransomware attacks, in particular, have been observed to be on the rise: in 2021, India recorded 132 such attacks, up from 54 in 2020.