Mumbai cyber police, which is investigating the ransomware attack on Maharashtra Industrial Development Corporation (MIDC) servers in March this year, has traced the origin of the attack to Bulgaria and approached the east European country for obtaining details of the suspects involved in the attack.
Initially, cyber police suspected involvement of cyber criminals from Russia-Kazakhstan region, but the probe has indicated involvement of cyber criminals from Bulgaria. Following this, official channels have been activated to seek help from concerned foreign authorities to nab the culprits, confirmed a senior IPS officer from Mumbai Police.
Cyber expert Prashant Mali said, “East European countries like Bulgaria and Romania have many hacker gangs and there are several layers of members from different countries who feed on ransom money earned by targeting sleepy organisations with less or bad cyber security controls. They majorly deal in Bitcoins for ransom.”
On March 21 at 2.30am, a ransomware, SYNack, attacked the MIDC system. The attack was on the local server system to take unauthorised access of the computer system of MIDC and encrypted data. Because of this, MIDC personnel could not use the system data for over a week. This also damaged computers at the corporation’s 16 regional offices. The email sent by the attackers explained the kind of attack and their demand for ransom, the police said.
Ten days later, MIDC filed an official complaint with the cyber police on April 1. It is being alleged that the hackers had demanded ₹500 crore ransom, however, neither the police nor MIDC officials confirmed the amount. “The first information report (FIR) too did not mention the ₹500-crore ransom amount,” a senior police officer said.
After the attack, all computers were disconnected from the server. The corporation also asked all its departments to shut the system and not to switch on computers until issues were resolved completely. This had caused disruption of services across the state.
Earlier, MIDC claimed that all their systems were hosted on ESDS (cloud service provider) and local server of the corporation and for security and maintenance purpose, the corporation was using a well-known anti-virus. It claimed that as backup files of its website, single-window clearance system, building plan approval management system (BPAMS), ERP (enterprise resource planning), computerised land distribution system, water bills, etc. are stored on different networks, they are all safe. Later, the services were restored.
A team of cyber police officers had visited the MIDC office, made enquiries with technical staff there to understand the nature of attack.
MIDC CEO P Anbalagan said, “Our system is well on track with no loss of data. We are going to build further security features.”
Earlier, an attempted cyber sabotage allegedly by a Chinese state-sponsored cyber threat group had caused massive power outage in Mumbai last October. Then home minister Anil Deshmukh had said that the Maharashtra cyber police had found evidence which suggested that the grid failure in Mumbai on October 12 last year, which resulted in the city plunging into darkness, disrupting train services and shutting down the stock market, was likely a cyber sabotage.
The New York Times, citing a report by a US-based cyber security firm, had claimed the Chinese-state sponsored groups had targeted power sector in India with malware. This came months after the clash between troops of the two nations in Galwan valley in June 2020.
In 2013, two Bulgarian nationals — Tsenev Yulian Georgiev and Ivanov Kalin Ivanoy — allegedly fitted ATM machines with skimming devices at an Axis bank ATM kiosk outside DGP’s office in Colaba to steal data of debit cards. The duo had cloned ATM cards using the stolen data and later withdrew the money in Greece from bank accounts of 79 citizens of Mumbai to the tune of ₹22,88,229.
Police probe revealed that the two were part of a huge international fraud syndicate as the withdrawal of money using the cloned cards were done after more than a month’s time, leaving no time for investigators to get on the trail of the accused. Of the 79 victims in the Colaba case, 15 were the policemen.