Cyber Incident Victim: Indian State Tax Office
Date: Mar 2020
Location: India
Summary
A hacker using the alias "Bassterlord" advertised administrative access to an Indian State Tax Office network on a Russian hacking forum, claiming control of four devices and possession of approximately 800 GB of state documents. The actor provided screenshots as evidence, including tax certificates issued by the Gujarat government, a PAN card with sensitive personal information, and network shared drives, suggesting potential lateral movement within the system. Analysis indicated the hacker likely gained entry through compromised Remote Desktop Protocol (RDP) credentials or exploits, leveraging administrative privileges. While the exact intent—selling data versus network access—remained unclear due to the data's volume, the actor had a verified history of selling legitimate RDP access to corporate systems without prior complaints. The exposed information included non-public details like phone numbers and emails linked to Gujarat residents.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 2 techniques |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
On March 26, 2020, a threat actor using the alias "Bassterlord" advertised administrative access to an Indian State Tax Office network on a Russian hacking forum. The post claimed control of four network devices and possession of 800 GB of state documents, with sales inquiries directed to Telegram and email. Supporting evidence included five screenshots depicting system details from the compromised environment. Analysis revealed three drives labeled "Local Disc (C)," "New Volume," and "AUDIT," with combined storage capacity of 810 GB and approximately 755 GB of stored data. Network shared systems were visible, alongside a Remote Desktop Connection interface with Russian-language text, indicating potential exploitation of RDP vulnerabilities, default credentials, or brute-force attacks. One screenshot displayed an "admin" desktop folder, suggesting privileged access. Additional images contained a Gujarat government-issued Provisional Registration Certificate for P N Goradia & Co., matching public business records, and a Permanent Account Number (PAN) card for Vishmit Enterprise. Verification showed the PAN became valid when the name was adjusted to "Vismit Enterprise," though sensitive contact information in other screenshots correlated with Gujarat-based phone numbers via Truecaller checks.

The threat actor had accumulated 14 positive reputation points on the forum with no user complaints, establishing operational credibility. Historical activity included selling corporate RDP access, such as a March 23, 2020, post offering enterprise network credentials. Forum members perceived the actor as trustworthy based on prior legitimate transactions. The tax office access listing was withdrawn after public exposure, though lateral movement across networked devices remained plausible based on shared drive visibility. While the advertisement’s ambiguity left unclear whether data or access was for sale, the 800 GB data claim aligned with cumulative drive capacities. Public availability of some documents like GST certificates reduced evidentiary value, but non-public details—including unredacted PAN data and internal contact lists—suggested unauthorized system infiltration. No official response or containment measures were documented in the source material following the forum disclosure.
