Crime & Justice

Hackers feast on government sites

Troves of citizens’ data out in the open

With the general election around the corner, data leaks and cyberattacks have intensified alarmingly, with the latest being a suspected leak of five crore citizens' data from the Office of the Registrar General, Birth & Death Registration (BDRIS).

The exposed data was first found out on June 27 by Viktor Markopoulos, a researcher from Bitcrack Cyber Security, a computer security solutions firm based in South Africa.

While the government's Computer Incident Response Team (BGD e-GOV CIRT) confirmed the data breach, it is currently verifying the extent of it.

The data leaked from BDRIS includes birth dates and national identification numbers -- two key information with which anybody can use publicly available online government tools to extract other personal details like names, addresses and more.

The authorities have not yet been able to identify the perpetrators.

This, however, is only the latest in the spate of such assaults in the past few months. Some of these are "Distributed Denial-of-Service (DDoS)" attacks -- a cybercrime in which the attacker floods a server with internet traffic to prevent users from accessing connected online services and sites.

Other attacks -- such as the BDRIS leak -- are more threatening, as sensitive, private data and government information are being exposed to the public.

At the moment, Bangladesh Krishi Bank's server is under attack by a ransomware that has encrypted the core banking system.

Mohammad Saiful Alam Khan, project director of BGD e-GOV CIRT, said, "Our team visited the bank. We are assessing the damage and whether the data can be recovered."

Earlier in March, hackers demanded $5 million in ransom from Biman Bangladesh while holding 100 gigabytes of data hostage. As the government was unable to retrieve the data in time, a vast amount of financial, human resource, training and satellite communications information was leaked.

Within secure messaging channels, a cyber war, fueled by nationalist and religious-extremist sentiments, has been active between hacking groups in India and Bangladesh.

This newspaper has observed that the major targets for both groups include law enforcement and government agencies along with security forces.

On March 15, a group called New World Hacktivists leaked 84 police login credentials, with 40 of them belonging to just officers-in-charge of different police stations across Dhaka.

Just two days later, another hacking group called the Indian Cyber Force leaked information of about 2.7 lakh Bangladeshi citizens from the Cox's Bazar police's server.

The Daily Star inspected the leak and found data about those potentially flying in and out of the district.

On March 28, the Khulna Metropolitan Police was attacked by Indian hackers, who leaked what they claimed to be the database credentials of their server.

The same day, another group of hackers released what they claimed to be credentials of mail servers of Sustainable and Renewable Energy Development Authority.

Then on June 20, hackers claimed to possess the data of one lakh people from the Investment Corporation of Bangladesh's database. They claimed to have gotten 9,000 pages of information, including names, addresses and bank account numbers.

The Daily Star, however, could not get access to the data and independently verify the claim.

On July 3, some hackers captured the Bangladesh Railway online ticket portal in a DDoS attack but no data was reportedly lost.

Such DDoS attacks were leveled against the Bangladesh army and air force websites in recent times, with the former being attacked twice. While no data was reportedly lost, the sites were down for a considerable amount of time. 

There was also a concerted effort by Indian hackers to deface educational institute websites with such low-level attacks towards the end of June -- Varendra University being one of the victims.

In their bid to attack educational institutes, they leaked all employee data of a school in Dhaka and the user information of a job-recruiting site.

 On June 27, they, however, executed a large data leak when they attacked a third-party educational management system called "Schoobee", operated by Leotech. The system provides essential services, including attendance monitoring, student information and more, for its client institutes.

 Three days prior, they leaked a small amount of employee data of the National Institute of Cardiovascular Diseases Hospital.

The BGD e-GOV CIRT project director said, "I don't know why there has been a spike in such attacks, but that is what we are observing."

While there has been a flurry of activities, the threats lay bare, shows an online service called LeakIX, which indexes security loopholes and open ports in websites and servers across the world.

 A search for Bangladesh reveals over 7,000 results, which include major government portals such as the Prime Minister's Office, Bangladesh University of Engineering and Technology, Rajshahi University of Engineering and Technology, Bangladesh Data Centre Company, newspaper websites and a host of internet service providers.

 The situation had become such that on June 27, the CIRT issued a notice urging the government, military, and financial institutions to remain vigilant and take necessary security measures against potential cyber attacks. It specifically mentioned that various sectors, including government and military entities, critical information infrastructures, law enforcement agencies, banks and NBFIs, pharmaceuticals, retail and industrial organisations, and energy and education sectors could be targeted.

However, such notices often fall onto deaf ears.

Just two days before Biman was attacked by a ransomware, the CIRT had sent a notice on March 14 to let the organisation know it had noticed malware activities at an open back-door in the server. They had been notified of such activities even back in 2022.

 The authorities concerned ignored the notice to the point of denying that hackers could hold their data hostage for ransom.

"No data has been stolen," Biman's managing director Shafiul Azim had told this newspaper back in March.

(The Daily Star's Shahriar Rahman and Zarif Faiaz also contributed to this report.)

Comments

Hackers feast on government sites

Troves of citizens’ data out in the open

With the general election around the corner, data leaks and cyberattacks have intensified alarmingly, with the latest being a suspected leak of five crore citizens' data from the Office of the Registrar General, Birth & Death Registration (BDRIS).

The exposed data was first found out on June 27 by Viktor Markopoulos, a researcher from Bitcrack Cyber Security, a computer security solutions firm based in South Africa.

While the government's Computer Incident Response Team (BGD e-GOV CIRT) confirmed the data breach, it is currently verifying the extent of it.

The data leaked from BDRIS includes birth dates and national identification numbers -- two key information with which anybody can use publicly available online government tools to extract other personal details like names, addresses and more.

The authorities have not yet been able to identify the perpetrators.

This, however, is only the latest in the spate of such assaults in the past few months. Some of these are "Distributed Denial-of-Service (DDoS)" attacks -- a cybercrime in which the attacker floods a server with internet traffic to prevent users from accessing connected online services and sites.

Other attacks -- such as the BDRIS leak -- are more threatening, as sensitive, private data and government information are being exposed to the public.

At the moment, Bangladesh Krishi Bank's server is under attack by a ransomware that has encrypted the core banking system.

Mohammad Saiful Alam Khan, project director of BGD e-GOV CIRT, said, "Our team visited the bank. We are assessing the damage and whether the data can be recovered."

Earlier in March, hackers demanded $5 million in ransom from Biman Bangladesh while holding 100 gigabytes of data hostage. As the government was unable to retrieve the data in time, a vast amount of financial, human resource, training and satellite communications information was leaked.

Within secure messaging channels, a cyber war, fueled by nationalist and religious-extremist sentiments, has been active between hacking groups in India and Bangladesh.

This newspaper has observed that the major targets for both groups include law enforcement and government agencies along with security forces.

On March 15, a group called New World Hacktivists leaked 84 police login credentials, with 40 of them belonging to just officers-in-charge of different police stations across Dhaka.

Just two days later, another hacking group called the Indian Cyber Force leaked information of about 2.7 lakh Bangladeshi citizens from the Cox's Bazar police's server.

The Daily Star inspected the leak and found data about those potentially flying in and out of the district.

On March 28, the Khulna Metropolitan Police was attacked by Indian hackers, who leaked what they claimed to be the database credentials of their server.

The same day, another group of hackers released what they claimed to be credentials of mail servers of Sustainable and Renewable Energy Development Authority.

Then on June 20, hackers claimed to possess the data of one lakh people from the Investment Corporation of Bangladesh's database. They claimed to have gotten 9,000 pages of information, including names, addresses and bank account numbers.

The Daily Star, however, could not get access to the data and independently verify the claim.

On July 3, some hackers captured the Bangladesh Railway online ticket portal in a DDoS attack but no data was reportedly lost.

Such DDoS attacks were leveled against the Bangladesh army and air force websites in recent times, with the former being attacked twice. While no data was reportedly lost, the sites were down for a considerable amount of time. 

There was also a concerted effort by Indian hackers to deface educational institute websites with such low-level attacks towards the end of June -- Varendra University being one of the victims.

In their bid to attack educational institutes, they leaked all employee data of a school in Dhaka and the user information of a job-recruiting site.

 On June 27, they, however, executed a large data leak when they attacked a third-party educational management system called "Schoobee", operated by Leotech. The system provides essential services, including attendance monitoring, student information and more, for its client institutes.

 Three days prior, they leaked a small amount of employee data of the National Institute of Cardiovascular Diseases Hospital.

The BGD e-GOV CIRT project director said, "I don't know why there has been a spike in such attacks, but that is what we are observing."

While there has been a flurry of activities, the threats lay bare, shows an online service called LeakIX, which indexes security loopholes and open ports in websites and servers across the world.

 A search for Bangladesh reveals over 7,000 results, which include major government portals such as the Prime Minister's Office, Bangladesh University of Engineering and Technology, Rajshahi University of Engineering and Technology, Bangladesh Data Centre Company, newspaper websites and a host of internet service providers.

 The situation had become such that on June 27, the CIRT issued a notice urging the government, military, and financial institutions to remain vigilant and take necessary security measures against potential cyber attacks. It specifically mentioned that various sectors, including government and military entities, critical information infrastructures, law enforcement agencies, banks and NBFIs, pharmaceuticals, retail and industrial organisations, and energy and education sectors could be targeted.

However, such notices often fall onto deaf ears.

Just two days before Biman was attacked by a ransomware, the CIRT had sent a notice on March 14 to let the organisation know it had noticed malware activities at an open back-door in the server. They had been notified of such activities even back in 2022.

 The authorities concerned ignored the notice to the point of denying that hackers could hold their data hostage for ransom.

"No data has been stolen," Biman's managing director Shafiul Azim had told this newspaper back in March.

(The Daily Star's Shahriar Rahman and Zarif Faiaz also contributed to this report.)

Comments