Cyber Incident Victim: Water Resources Department
Date: Jun 2022
Location: India
Summary
A ransomware attack targeted Goa's Water Resources Department flood monitoring system, encrypting critical operational data with an .eking extension and demanding cryptocurrency for decryption. The intrusion disrupted access to real-time river level monitoring across 15 disaster management sites, preventing retrieval of battery voltage readings, data packets, SMS alerts, email reports, and backup files while compromising data integrity. Attackers exploited outdated firewalls and absence of antivirus protections on the continuously internet-connected server during early morning hours, paralyzing flood response capabilities by blocking all data transfers and automated notifications essential for emergency coordination.
Description
On June 21, 2022, between 12 am and 2 am, the Water Resources Department (WRD) of Goa experienced a ransomware attack targeting its flood monitoring system. Hackers infiltrated the department’s server, encrypting all files with an "eking" extension and demanding Bitcoin cryptocurrency as ransom for decryption. The attack disrupted critical operations by preventing access to real-time data essential for flood monitoring, including battery voltage readings, data packet transmissions, SMS alerts, and automated email reports. WRD executive engineer Sunil Karmarkar confirmed the incident, noting that the encryption altered the integrity of stored data, rendering previous backups unusable. The flood monitoring system, operational across 15 locations on major rivers in Goa, serves as a core component of the state’s disaster management infrastructure by tracking water levels to anticipate flooding. During the attack, personnel could neither retrieve historical data nor transfer new information, crippling situational awareness during the monsoon season.

The intrusion exploited vulnerabilities stemming from inadequate cybersecurity defenses, including outdated firewalls and the absence of antivirus software on the server. The system’s 24x7 internet connectivity provided continuous exposure to potential threats, facilitating the attackers’ access. Immediate operational consequences included the inability to generate automated SMS and email alerts, which are vital for disseminating flood warnings to authorities and the public. Data backups—critical for restoring operations—were also compromised due to the encryption’s impact on file integrity. The WRD did not disclose whether ransom payments were made or if decryption keys were obtained. The incident underscored the operational risks posed by unpatched infrastructure in critical public systems, particularly those managing environmental hazards. Recovery efforts focused on assessing data loss and restoring monitoring capabilities ahead of anticipated heavy rainfall periods.
