Threat actors do not have access to CoWIN database

Following the dismissal by the union health ministry of reports regarding a data breach on the CoWIN platform, cyber security firm CloudSEK has now stated that “threat actors do not have complete access to the portal or the backend database.”

CloudSEK's analysis suggests that the information might have been obtained through compromised credentials. The firm reached this assumption by matching fields from the Telegram data against previous incidents involving health workers in a specific region. However, CloudSEK emphasizes the need for individual verification of these claims.

CloudSEK has revealed information regarding Russian hackers who claimed to have compromised India’s health ministry website and gained access to the CoWIN portal in the Tamil Nadu region.

The hacker group, known as Phoenix, stated that the attack was in response to India’s adherence to sanctions imposed by G20 countries over the Russia-Ukraine conflict.

CloudSEK explained that the motive behind the targeting was India’s compliance with sanctions and the price ceiling for Russian oil set by G7 countries. In their analysis, CloudSEK found that the breach was related to a health worker rather than infrastructure.

The compromised content matched the details displayed on the Telegram bot mentioned in the media, including the individual’s name, mobile number, identity proof, identification number, and completed doses.

CloudSEK also highlighted the availability of healthcare worker credentials on the dark web, attributing the issue to inadequate endpoint security measures for healthcare workers rather than inherent weaknesses in CoWIN’s infrastructure security.

The Union health ministry dismissed the claims of a data breach, assuring that the CoWIN portal had sufficient safeguards for data privacy and labeling the reports as “mischievous.”
