
Cyber Incident Victim: Insurance Information Bureau of India

Date: Mar 2023

Location: India

Summary

The Insurance Information Bureau of India was compromised in a ransomware attack attributed to Russian hackers. The threat actors encrypted data on nearly 30 servers, exfiltrated 16GB of information, and demanded a $250,000 bitcoin ransom. Confidential data was rendered inaccessible, though daily operations were maintained via backups. The organization did not pay the ransom and reported the incident to law enforcement after an internal forensic investigation.

| Field | Value |
|---|---|
| CIA Posture | Available to members |
| Motives | 1 motive |
| Tactics, Techniques & Procedures | 1 technique |
| Threat Actor | 1 actor |
| Type | Available to members |
| Location | Available to members |

Description

A cyber incident involving the Insurance Information Bureau of India (IIB) was first detected on April 2, 2023, when some IIB staff members were unable to log into their office network. An immediate inquiry revealed that the agency was the victim of a ransomware attack. The attackers had encrypted the data on IIB's servers, rendering it inaccessible to the organization. The intrusion into the network was later determined to have occurred through the FortiGate firewall during the period between March 30 and April 3, 2023. The threat actor initiated the encryption on March 31 using an executable file named Project1.exe.


Following the discovery of the attack, IIB officials conducted an internal cyber forensic audit. This investigation revealed that the compromise was extensive, affecting nearly thirty server systems. The database files housed on these servers were encrypted by the attackers. Furthermore, the accounts of the system administrator and the database administrator were compromised, along with eleven other user accounts and several devices used by IIB staff. Analysis of firewall logs indicated that approximately 16GB of data had been exfiltrated from the network. Indicators from this data staging and exfiltration pointed to the attack originating from a Russian IP address. The attackers left a ransom note that provided contact details, a hallmark of a ransomware operation.

The IIB, an independent body that maintains a repository of insurance-related information in India, did not publicize the attack initially. Officials initiated communication with the ransomware attackers using the email address provided in the ransom note. Through this communication, the attackers demanded a ransom payment in bitcoin equivalent to two hundred and fifty thousand US dollars ($250,000). The IIB officials did not comply with this demand and did not pay the ransom. The organization was able to continue its day-to-day business operations because it maintained a backup of its sensitive data. While a portion of the encrypted data was described as critical, officials were reportedly not in a desperate situation because these backups existed.

The extent of the damage caused by the incident was still being assessed at the time of reporting. According to police sources, some of the encrypted data included confidential information, though investigators stated they had yet to identify what kind of data had been encrypted. Persons aware of the developments confirmed that a breach had occurred and was being addressed at the highest level, stating that some data had been compromised and that the situation was ongoing. The IIB formally approached the Cyberabad police to report the crime. There was a gap between the discovery of the attack and the lodging of the formal police complaint, which investigators attributed to the time IIB officials needed to understand the gravity of the problem and to their subsequent attempts to restore the encrypted data with the assistance of cyber experts. The police investigation subsequently focused on identifying the perpetrators. The incident occurred within a broader context of increasing cyberattacks on Indian institutions in recent years.

Sources: 2 sources (available to members)