Cyber Incident Victim: Worli-based Garment Firm
Date: Sep 2023
Location: India
Summary
A Worli-based garment firm experienced a cybersecurity incident involving unauthorized access to its systems by threat actors exploiting a vulnerability in its legacy payroll software. The breach resulted in the exfiltration of sensitive employee data, including personally identifiable information and financial records. Internal security teams detected anomalous network traffic patterns originating from external IP addresses linked to known malicious infrastructure. Forensic analysis indicated the attackers employed credential-stuffing techniques after compromising an administrative account with weak authentication protocols. The incident caused operational disruptions to internal HR processes and necessitated temporary isolation of affected systems. Law enforcement agencies and cybersecurity partners were engaged to investigate the intrusion and mitigate further risks.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
On September 8-9, 2023, during India’s G20 Summit, the official websites of Delhi Police and Mumbai Police experienced service disruptions attributed to cyberattacks. The Delhi Police website initially went offline for approximately 10 minutes on September 8, displaying a “This service isn’t available” error message. Threat intelligence platform Falcon Feeds identified the Pakistan-based hacktivist group “Team Insane PK” as responsible, citing the group’s Telegram channel claims and posted screenshots. The same group targeted the Mumbai Police website on September 8, though the duration of that outage was unspecified. On September 9, the Delhi Police site suffered a second attack, remaining inaccessible for at least 30 minutes with a similar service disruption message. Team Insane PK, characterized by Falcon Feeds as a religiously motivated group active since February 2, 2023, employed distributed denial-of-service (DDoS) attacks to overwhelm the sites with traffic, causing temporary operational paralysis. Falcon Feeds noted the group’s history of targeting Indian cyberspace through DDoS and defacement attacks, with geopolitical tensions and political disagreements cited as motivating factors. The attacks coincided with Indonesian hacktivist groups like Hacktivist Indonesia Jambi Cyber Team initiating G20-related cyber campaigns, later joined by Pakistan-aligned actors.

Indian authorities implemented enhanced cybersecurity measures for the G20 Summit, including a government-mandated “zero-trust policy” requiring strict identity verification for network access. Administrative privileges were restricted, and external devices were banned from summit venues. CERT-In deployed advanced monitoring tools to counter threats, while hotels hosting delegates were instructed to log all network activity, disable unused router interfaces, and secure switch ports. No official statements from Delhi Police regarding the breach methodology or any data compromise were reported. Falcon Feeds warned that hacktivist groups aimed to disrupt services or expose data from government websites, reflecting broader patterns of cyber aggression linked to geopolitical events such as the Russia-Ukraine conflict. The incidents highlighted persistent vulnerabilities in public infrastructure despite proactive defenses, with the service disruptions demonstrating tangible impacts on critical digital services during high-profile international events.
