New Delhi: The CERT-In, investigating the cyberattack on NHAI, has found that the internal network of the NHAI office was compromised by unknown attackers in the last week of June. It has also found suspicious logins using an unauthorised username, made from IP addresses in Taiwan and Hong Kong.
The CERT-In has flagged significant cyber security gaps in the NHAI system and recommended that the authority and its major IT service provider take immediate measures to address the gaps and enhance security. NHAI officials claimed they have taken corrective measures.
The attack infected multiple servers and PCs with Maze ransomware, resulting in a complete shutdown of the systems for nearly 48 hours. The attackers also compromised the Windows Active Directory server of the NHAI network and subsequently compromised internal systems, the mail server and the anti-virus server.
The attackers exfiltrated data and leaked sample data from two NHAI systems in the public domain. The released data included tax information, audit reports, passport copies, identity cards, assessment reports and other personally identifiable information and financial records of NHAI users.
During analysis, suspicious logins from IP addresses in Taiwan and Hong Kong to the NHAI virtual private network (VPN) using an unauthorised username were also identified. The CERT-In has said this activity does not appear to be related to the Maze ransomware attack and that it could be a separate incident of compromise.
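The two signals CERT-In reports for the VPN logins, an account that was never provisioned and a source country staff do not connect from, are exactly the kind of check a defender can run over VPN gateway logs. The example below is added here and is not CERT-In's or NHAI's code; the log lines, the provisioned-user list, the country allow-list and the CIDR-to-country table are all constructed stand-ins for an identity directory and a GeoIP database.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class VpnLogin:
    timestamp: str
    username: str
    src_ip: str
    result: str

# Constructed sample VPN gateway log lines (not real NHAI data).
SAMPLE_LOG = """\
2020-06-26T02:14:07Z vpn-gw sslvpn: user=r.sharma src=203.0.113.10 result=success
2020-06-26T02:31:55Z vpn-gw sslvpn: user=svc_backup src=198.51.100.77 result=success
2020-06-26T02:33:02Z vpn-gw sslvpn: user=r.sharma src=198.51.100.78 result=failure
2020-06-26T03:05:41Z vpn-gw sslvpn: user=admin2 src=192.0.2.200 result=success
"""

# Assumed inputs: accounts provisioned for VPN in the directory, the countries
# staff are expected to connect from, and a tiny CIDR-to-country table standing
# in for a real GeoIP database.
PROVISIONED_USERS = {"r.sharma", "a.verma"}
ALLOWED_COUNTRIES = {"IN"}
GEO_TABLE = {"203.0.113.0/24": "IN", "198.51.100.0/24": "TW", "192.0.2.0/24": "HK"}

def parse_log(text: str) -> list[VpnLogin]:
    """Turn key=value VPN log lines into VpnLogin records."""
    logins = []
    for line in text.splitlines():
        ts, _host, _proc, *kv = line.split()
        fields = dict(pair.split("=", 1) for pair in kv)
        logins.append(VpnLogin(ts, fields["user"], fields["src"], fields["result"]))
    return logins

def geo_lookup(ip: str) -> str:
    """Map a source IP to a country code; unknown networks return '??'."""
    addr = ipaddress.ip_address(ip)
    for cidr, cc in GEO_TABLE.items():
        if addr in ipaddress.ip_network(cidr):
            return cc
    return "??"  # unknown is treated as outside the allow-list below

def suspicious_logins(logins: list[VpnLogin]) -> list[dict]:
    """Flag every event with an unprovisioned username and/or an unexpected country."""
    findings = []
    for login in logins:
        reasons = []
        if login.username not in PROVISIONED_USERS:
            reasons.append("unprovisioned username")
        cc = geo_lookup(login.src_ip)
        if cc not in ALLOWED_COUNTRIES:
            reasons.append(f"source country {cc}")
        if reasons:  # failed attempts are kept too: they show who is probing
            findings.append({"time": login.timestamp, "user": login.username,
                             "src": login.src_ip, "result": login.result,
                             "reasons": reasons})
    return findings

if __name__ == "__main__":
    for finding in suspicious_logins(parse_log(SAMPLE_LOG)):
        print(finding)
```

Running it over the constructed log flags three of the four events; the one legitimate login from an expected country with a provisioned account passes.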