Cyber Incident Victim: Bharti Airtel
Date: Feb 2021
Location: India
Summary
Airtel denied claims of a data breach affecting over 2.5 million subscribers. The claims came from the "Red Rabbit Team" threat actor group, which had made inconsistent assertions over 15 months without providing conclusive evidence of a nationwide database compromise. While acknowledging potential regional exposure of Jammu and Kashmir subscriber data, shown in a video of a portal, the company disputed the hackers' assertions of a full system breach or shell access. Concurrently, unrelated reports emerged of a Malaysian e-payment provider's user accounts being listed for sale, though the parent company confirmed that incident was limited to a specific payment system.
Description
In early February 2021, Indian telecommunications provider Airtel faced allegations of a data breach impacting over 2.5 million subscribers. A threat actor group identifying itself as "Red Rabbit Team" claimed responsibility for the incident, marking the latest in a series of assertions they had reportedly made to Airtel over the preceding 15 months. The group allegedly posted subscriber data from India's Jammu and Kashmir region on a forum, accompanied by a video demonstrating access to Airtel's SDR portal. Airtel promptly denied the breach, characterizing the hackers' claims as inconsistent and unsupported by conclusive evidence. The company's spokesperson stated the threat actors had provided inaccurate data limited to one specific region and failed to substantiate their claim of possessing a comprehensive national customer database. While acknowledging the authenticity of a brief SDR portal video segment, Airtel questioned how the attackers obtained the Jammu and Kashmir subscriber records and dismissed their shell upload allegations as potentially fabricated. Security researchers observing the forum posts noted the absence of definitive proof validating the hackers' assertions.

The incident's scope remained contested, with Airtel maintaining that any potential data exposure was regionally confined rather than nationwide. The impact remained unclear because the volume and origin of the compromised records were disputed. Airtel's security team had engaged with the threat actors throughout the 15-month period preceding the public allegations, scrutinizing their evolving claims. The company's public response emphasized ongoing investigations while rejecting the narrative of a systemic breach. No evidence emerged confirming unauthorized access to payment systems, financial data, or critical infrastructure. Consequences included public scrutiny of Airtel's security posture and media coverage highlighting the contradictory narratives of the organization and the threat actors. The breach's validity remained unresolved: neither conclusive proof of compromise nor a successful extortion was publicly documented following the company's denial.
