Cyber Incident Victim: Indian Revenue Service
Date: Mar 2020
Location: India
Summary
A hacker using the alias "Bassterlord" advertised administrative access to an Indian tax office network on a Russian forum, claiming control of four devices and possession of approximately 800 GB of data, including state documents, network shared systems, and sensitive personal information such as PAN cards, phone numbers, and emails linked to Gujarat. Analysis of the supporting screenshots indicated a probable Remote Desktop Protocol (RDP) compromise through stolen or brute-forced credentials, with evidence of lateral movement within the network. The actor, a trusted forum member with prior sales of corporate RDP access, stopped offering the access after public exposure, though the exact nature of the sale (data versus access) remained ambiguous. The exposed sensitive records were verified as active and regionally consistent.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 2 techniques |

| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
On March 26, 2020, a threat actor using the alias "Bassterlord" advertised administrative access to an Indian State Tax office network on a Russian hacking forum. The post claimed compromise of four network devices and possession of 800 GB of state documents, with sales inquiries directed to Telegram and email. The hacker provided five screenshots as evidence, which were analyzed to assess the claim's validity. One image displayed a system with three drives: Local Disc (C), New Volume (500 GB capacity, 465 GB used), and AUDIT (310 GB capacity, 290 GB used), suggesting the 800 GB figure represented the combined data on the New Volume and AUDIT drives. Another screenshot showed network shared systems accessible via Remote Desktop Connection, with Russian text indicating RDP usage and an "admin" folder visible on the desktop, implying compromise of administrative credentials. Analysis suggested the access could have been obtained through RDP vulnerabilities, default credentials, or brute-force attacks.

Further screenshots included a Provisional Registration certificate issued to P N Goradia & Co. by the Gujarat government, with company details matching public records on IndiaMart. A Permanent Account Number (PAN) card for "Vishmit Enterprise" was also shown; verification revealed the PAN was active once the name was corrected to "Vismit Enterprise", and the document contained non-public sensitive data, including phone numbers and emails that Truecaller checks linked to Gujarat residents. The hacker had 14 forum reputation points and a history of selling legitimate RDP access to corporate systems without prior buyer complaints, including a March 23, 2020 post offering corporate network access. The actor stopped selling the tax office access after the forum post gained public attention. Review of the shared network drives and device counts indicated possible lateral movement within the compromised tax infrastructure, though data exfiltration remained unconfirmed given the logistical difficulty of transferring 800 GB undetected.
