CoWIN Data Breach Threat Actor Called Hak4learn, Shared Hacking Tips: Reveals Report

On Monday, CloudSEK, a predictive threat analytics company, revealed that its AI digital risk platform XVigil had discovered a threat actor advertising a Telegram bot that offered personally identifiable information (PII) of Indian citizens who had allegedly registered for vaccines on the CoWIN portal.

The company said that the Covid data bot was offered by a channel called hak4learn, which frequently shared hacking tutorials, resources, and bots for individuals to access and buy. Initially, the bot was available for everyone to use, but it was later upgraded to be exclusive to subscribers.

"The upgraded version of the bot provided PII data, including Aadhaar card numbers, PAN card, Voter ID, gender, and the name of the vaccination center, based on the inputted phone number. The real source of the Telegram bot is unknown; it is important to note that the bot had a Version 1 offered that only displayed personal information based on phone number, while Version 2 claimed to be a Truecaller bot that also contained personal information of the individuals," the company said in an analysis.

The company also said that the bot is currently down and might come back up later, as mentioned by the admin of the channel.

CloudSEK's analysis of the threat actor found that the threat actors do not have access to the entire CoWIN portal or its backend database. "Based on matching fields from Telegram data and previously reported incidents affecting the health workers of a region, we assume the information was scraped through these compromised credentials. The claims need to be verified individually," the company said.

The company further said, "On March 13, 2022, a threat actor on a Russian cybercrime forum advertised for compromised access on the CoWIN Portal of Tamil Nadu region and claimed to have compromised the CoWIN database. Upon analysis, we discovered the breach was that of a health worker and not really on the infrastructure."

CloudSEK's report said that the content displayed in the screenshot matches the Telegram bot mentioned in the media, which includes the name of the individual, mobile number, identity proof, identification number, and number of doses completed.

Furthermore, the company said that numerous healthcare worker credentials for the CoWIN portal are accessible on the dark web. "However, this issue primarily stems from the inadequate endpoint security measures implemented for healthcare workers, rather than any inherent weaknesses in CoWIN's infrastructure security," CloudSEK stated.