Cyber Incident Victim: Indian Organization in Mumbai
Date: Sep 2023
Location: India
Summary
A cyberattack targeted an Indian organization in Mumbai, causing temporary website downtime with error messages indicating service unavailability. The incident occurred amid heightened cybersecurity concerns during an international summit, with the Pakistan-based hacktivist group Team Insane PK claiming responsibility for distributed denial-of-service (DDoS) attacks. This religiously motivated group has persistently targeted Indian cyberspace since early 2023, employing both DDoS and defacement techniques to disrupt services. Threat intelligence indicated potential involvement of additional hacktivist groups from Indonesia and Pakistan, with attacks primarily focused on government infrastructure. The attackers' motives appeared linked to geopolitical tensions, while Indian authorities implemented enhanced security measures including zero-trust architecture and network activity monitoring to protect critical systems during the summit period.
Description
On September 8, 2023, during the G20 Summit hosted in India, the official websites of Delhi Police and Mumbai Police experienced service disruptions. Both websites displayed error messages stating “This service isn’t available” or “The service is unavailable,” rendering them inaccessible to users. The Delhi Police website remained down for approximately 10 minutes before being restored, while the Mumbai Police website’s outage duration was not explicitly specified. Threat intelligence platform Falcon Feeds attributed the attacks to “Team Insane PK,” a Pakistan-based religious hacktivist group active since February 2023. The group publicly claimed responsibility via Telegram, sharing screenshots of their announcements on the platform. Falcon Feeds identified the attacks as Distributed Denial of Service (DDoS) incidents, a method involving overwhelming targeted systems with excessive traffic to disrupt services. The group historically employs DDoS and website defacement tactics, with geopolitical motivations linked to political disagreements.

The attacks coincided with heightened cybersecurity measures implemented by Indian authorities for the G20 Summit, including a government-mandated “zero-trust” security policy requiring strict verification protocols for network access. CERT-In (Indian Computer Emergency Response Team) deployed advanced tools to monitor and counter threats, while physical security measures included banning external devices at summit venues and delegate hotels. Hotels housing delegates were instructed to log all network activity, disable unused router interfaces, and restrict switch ports to prevent unauthorized access. No official statements from Delhi or Mumbai Police confirmed data breaches or detailed technical compromises, though Falcon Feeds noted attackers’ intentions to “disrupt services or expose data.” The incident highlighted ongoing cyber threats from hacktivist groups during high-profile events, with Indonesian groups like Hacktivist Indonesia Jambi Cyber Team and Ganonsec also reportedly discussing targeting Indian infrastructure. Service restoration occurred without publicized technical remediation details from the affected organizations.
