Cyber Incident Victim: Mercantile Communications Pvt Ltd
Date: Apr 2020
Location: Nepal
Summary
A hacker group used personal customer data previously compromised in breaches of Foodmandu, Vianet Communications, and Prabhu Remit to gain unauthorized access to the .np domain registry infrastructure managed by Mercantile Communications Pvt Ltd. The attackers, operating under the Twitter handle 'Satan', first publicized a security flaw in the domain infrastructure and then claimed control of the server. Mercantile confirmed the intrusion but stated that most of the exposed data was registrant information already publicly accessible via WHOIS queries, and it suspended new .np registrations as a precaution. In parallel, the group threatened to break into systems of several government and private entities, including Nepal Electricity Authority, Daraz Nepal, and Kantipur Publication, prompting those organizations to tighten their defenses. Nepal Police's Cyber Bureau is investigating the breach, while ICT experts point to insufficient safeguards across the country's ICT infrastructure.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 2 motives | 2 techniques |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
On or around April 14-15, 2020, a hacker group gained unauthorized access to the .np domain infrastructure managed by Mercantile Communications Pvt Ltd, which has operated Nepal's .np country-code top-level domain as its sole provider for 25 years. The attackers used personal customer data previously compromised in separate, recent breaches of Foodmandu, Vianet Communications, and Prabhu Remit to infiltrate Mercantile's systems. The group, operating under the Twitter handle 'Satan', publicly disclosed a security flaw in the .np domain infrastructure before claiming responsibility for the attack. Mercantile confirmed the breach on April 15, stating that the hackers had accessed its domain server on the night of April 13-14, but emphasized that the compromised data consisted primarily of registrant information already available through public WHOIS queries. The company suspended new .np domain registrations as a precautionary measure while maintaining that its other domain services remained unaffected. Nepal Police's Cyber Bureau, led by Senior Superintendent Nabinda Aryal, opened an investigation to trace the perpetrators and expressed confidence in identifying and prosecuting them.

The hackers subsequently threatened to infiltrate multiple Nepalese government and private entities, including Nepal Electricity Authority (NEA), Daraz Nepal, Kantipur Publication, Nepal National Museum, district agriculture offices, and the National Nepal Library. NEA spokesperson Prabal Adhikari confirmed that on April 14-15 the authority received threats targeting its electricity bill payment system, load dispatch center, and revenue system, and that it immediately coordinated with its IT staff and international vendors to bolster defenses. Adhikari clarified that power outages during this period were caused by thunderstorms, not cyber sabotage. ICT expert Manohar Bhattarai cited systemic underinvestment in cybersecurity infrastructure despite Nepal's growing reliance on digital systems and urged stakeholders to take the warnings seriously. Mercantile, which manages 83,000 registered domains, committed to monitoring the situation and updating customers on significant developments while keeping existing domain services running during the investigation.
