In February of 2021 Sakura Samurai disclosed our Indian Government breach. We didn’t release sensitive information because the issues weren’t patched. This is a blog post with information about it.
After the United Nations breach we were looking for new targets. This process usually involves finding a VDP or Bug Bounty program for something that seems like fun. Outside of these, software is not off limits, especially if you are testing something on your own assets.
Hacking governments is fun, and we are an ethical hacking (white hat) group, so a VDP program was identified by Kanshi and an initial list of assets was provided to check out.
We have a few things going on at any given time; we are multi-taskers. A couple of days went by after I got the list, and after eating Indian food (my favorite cuisine) I got really bad indigestion. While on the couch trying to fight off acid reflux, I remembered that I had a list of India’s assets from the VDP, so I picked up my laptop and told my wife that I was going to get revenge on India for my indigestion.
At first I was pretty surprised at how quickly I was able to breach sensitive records. I notified the crew, and Kanshi jumped in and said that he was also finding things with his friend Zultan. Initial findings were shared with the crew.
This is when Sakura Samurai formed together like a Power Rangers droid (or Voltron for the OGs) to dig deep into current findings and untested assets.
With the crew (me, Kanshi, John, Kirtaner) on the job, India’s government assets were ripped apart, and although specifics can’t be disclosed while the fixes are still being implemented, it ended with the following (taken from my bro John’s blog):
- 35 Separate Instances of Exposed Credential Pairs (Servers, Important Applications, etc.)
- 3 Instances of Sensitive File Disclosure
- 5 Exposed private-key pairs for servers
- 13K+ PII Records [and those are only the records that we were inadvertently exposed to]
- Dozens of Exposed Sensitive Police Reports
- Session Hijacking Chained via Multiple Vulnerabilities, resulting in the compromise of extremely sensitive government systems
- Remote Code Execution on a sensitive financial server; a server that contained large backups of Financial Records
So, there were major issues, and trust me, much more than 13k PII records are exposed. We just stopped because, well, the assets are Swiss cheese and our findings would literally never end.
At this point we got in touch with the Indian government’s point of contact to let them know about our findings, and it was radio silence. It was shocking. We kept on trying, and then we had a contact reach out to the United States DoD VDP (DC3 VDP), and things got wild when they couldn’t get in touch with India to let them know that their government assets were Swiss cheese. This ended up creating a now (in my mind at least) legendary tweet from the US government to the Indian government. We’re making history here at Sakura Samurai.
The DoD opened up the conversation and had our back, and then the Indian government got back to us, before... radio silence.
Checking on the assets, nothing was fixed. It blew my mind. It needed to be escalated to protect Indian citizens. That’s when the decision to make the breach public happened, without releasing any specific details that would allow the findings to be recreated.
It was the right choice, as the right Indian parties got involved (and I can’t say anything more than that).
For much more detailed information, check out John’s blog:
Here are some media stories on the Indian Breach: