Cyber Incident Victim: Mumbai Police

Date:

Sep 2023

Location:

India

Summary

The Mumbai Police website was targeted in a cyberattack, causing it to become inaccessible and display an error message. The attack was claimed by the Pakistani hacktivist group Team Insane PK, which is known for conducting DDoS and defacement attacks against Indian cyberspace due to political disagreements. The incident occurred amid heightened cybersecurity concerns during a major international event hosted by India.

CIA Posture: Available to members

Motives: 1 motive

Tactics, Techniques & Procedures: 1 technique

Threat Actor: 1 actor

Type: Available to members

Location: Available to members

Description

On 2023-09-08, during the G20 Summit, the official websites of the Delhi Police and the Mumbai Police experienced significant disruptions, becoming inaccessible to users. Both websites displayed an error message stating “This service isn’t available” or “The service is unavailable,” indicating a service outage. The incident was first noted when the Delhi Police website went down for approximately ten minutes before being restored. According to the threat intelligence platform Falcon Feed, the Pakistani hacktivist group known as Team Insane PK claimed responsibility for targeting these websites. The group publicly asserted its involvement through a post on the social media platform Telegram, a claim that Falcon Feed subsequently corroborated by sharing a screenshot of this communication on X (formerly Twitter). This cyber incident was not an isolated event: the Delhi Police website was reportedly targeted again the following day, September 9th, by the same group, resulting in an extended downtime of at least thirty minutes.

The threat actor behind this incident, Team Insane PK, was identified by cybersecurity analysts as a religious hacktivist group that has been highly active in targeting Indian cyberspace since its emergence on February 2, 2023. The group's primary modus operandi involves conducting Distributed Denial-of-Service (DDoS) attacks and defacement attacks. A DDoS attack is a technique designed to overwhelm an online service or website by flooding it with an enormous and unsustainable volume of traffic from multiple sources. The intended result of such an attack is to cause a temporary or prolonged disruption of services, rendering the targeted website inaccessible to its legitimate users and thereby creating significant inconvenience and operational chaos for the affected organization. In this specific case, the attack on the police websites was successful in achieving this immediate goal of service disruption.

The timing of these cyberattacks was strategically significant, coinciding with the ongoing G20 Summit in which India was participating as a host nation. This period was one of heightened alert for Indian cybersecurity authorities. The broader campaign of attacks was not limited solely to the police websites; Falcon Feed indicated that hackers were targeting multiple Indian websites during this time. The initial discussions and planning for disruptive actions during the G20 were reportedly started by Indonesian hacktivist groups, including entities identified as Hacktivist Indonesia Jambi Cyber Team, Ganonsec, FR3DENS OF SECURITY, and host kill crew. This initial activity was later joined by Pakistan-backed groups, with Team Insane PK being a prominent participant. Falcon Feed further anticipated that additional groups would likely join the coordinated effort, suggesting a potential for an escalating threat landscape targeting Indian digital assets.

The fundamental motive driving these attacks, as explained by the cybersecurity firm, was rooted in political disagreements and the broader geopolitical climate. The statement drew a parallel to the impact of the Russia-Ukraine war on cyber activities, noting that political statements and international relations often have a substantial and direct impact on cyber space, leading to an increase in hacktivist operations. These groups engage in cyber warfare as a form of protest or to make a political statement, aiming to disrupt services and draw attention to their cause. In the context of the G20 Summit, the attacks were intended to disrupt the smooth conduct of the event and challenge the perceived cybersecurity preparedness of the Indian government.

In response to the heightened threat environment, the Indian government had already implemented a stringent “Zero-trust” security policy for the G20 summit. This security model operates on the principle of "never trust, always verify," requiring every device and individual to undergo strict verification processes before being granted permission to access or transfer data within a private network. Furthermore, access rights were severely limited for all users except administrators to minimize the potential attack surface. Additional physical and network security measures were deployed at the summit venue and associated hotels housing delegates. The government banned any external devices from connecting to the internet at the venue and tasked agencies like CERT-IN (Indian Computer Emergency Response Team) with utilizing advanced technologies and tools to proactively counter any cyber threats. Hotels were instructed to meticulously monitor and log all network activities and to disable any unused router interfaces and switch ports to prevent any unauthorized access attempts.

Despite these extensive preventive measures focused on the physical summit events, the publicly facing government websites, such as those of the Delhi and Mumbai police, remained vulnerable to external DDoS attacks originating from the internet. The incident underscores the persistent threat posed by hacktivist groups to government digital infrastructure. At the time of reporting, the Delhi Police had not released an official statement regarding the cyberattack, leaving specific details about the attack's mechanism and the full extent of the impact unclear. The articles did not report any actual defacement of the websites or confirmation of a data leak in this specific instance, focusing instead on the service disruption caused by the DDoS activity. The repeated targeting of the same website within a short period highlights the relentless nature of the campaign waged by groups like Team Insane PK against Indian online assets. The incident serves as a prominent example of how geopolitical events can trigger coordinated cyber offensives from multiple activist groups across borders, aiming to cause disruption and garner attention for their causes through digital means.
