Cyberattack on NHAI Traced to Taiwan and Hong Kong IP Addresses | India News

NEW DELHI: The government’s nodal cybersecurity agency, CERT-In, which assessed the recent cyber attack on the NHAI, has pointed to significant gaps in the highway authority’s cybersecurity measures.

It found that there were multiple attacks, including some suspicious logins to NHAI’s virtual private network (VPN) using unauthorized usernames from IP addresses in Taiwan and Hong Kong. CERT-In has said that this activity does not appear to be related to the Maze ransomware attack and may be a separate effort to compromise the network.

The agency has said that the analysis could not move forward to determine the full scope of the compromise, as no network firewall logs were being kept and there was no other perimeter security device or security information and event management (SIEM) system in place.
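The check CERT-In’s findings imply, run over VPN authentication logs, as an added example that is not from the article or from CERT-In: flag logins whose username is not in the approved list or whose source IP resolves to a country where no NHAI user is expected. The log format, usernames, IP ranges and the country table are all constructed for this example.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample VPN authentication log lines (not real NHAI data).
SAMPLE_VPN_LOG = """\
2020-06-25T01:12:03Z vpn-gw01 auth: user=rkumar src=10.20.30.41 result=SUCCESS
2020-06-25T02:47:19Z vpn-gw01 auth: user=sysadmin2 src=203.0.113.9 result=SUCCESS
2020-06-25T02:48:02Z vpn-gw01 auth: user=backup_svc src=198.51.100.77 result=FAILURE
2020-06-25T03:05:44Z vpn-gw01 auth: user=asharma src=192.0.2.15 result=SUCCESS
"""

# Constructed network-to-country table; a real deployment would use a GeoIP database.
GEO_TABLE = {
    "10.0.0.0/8": "IN",
    "203.0.113.0/24": "TW",
    "198.51.100.0/24": "HK",
    "192.0.2.0/24": "IN",
}

AUTHORIZED_USERS = {"rkumar", "asharma", "backup_svc"}  # assumed approved VPN accounts
EXPECTED_COUNTRIES = {"IN"}  # assumed: all NHAI VPN users connect from India

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ auth: user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)

@dataclass
class Finding:
    ts: str
    user: str
    src: str
    reasons: tuple

def lookup_country(ip: str) -> str:
    """Return the country code for an address, or '??' if it is not in the table."""
    addr = ipaddress.ip_address(ip)
    for cidr, country in GEO_TABLE.items():
        if addr in ipaddress.ip_network(cidr):
            return country
    return "??"

def flag_suspicious_logins(log_text: str) -> list:
    """Parse VPN auth lines and report unknown users or unexpected source countries."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count these
        reasons = []
        if m["user"] not in AUTHORIZED_USERS:
            reasons.append("unknown-user")
        country = lookup_country(m["src"])
        if country not in EXPECTED_COUNTRIES:
            reasons.append(f"unexpected-country:{country}")
        if reasons:
            findings.append(Finding(m["ts"], m["user"], m["src"], tuple(reasons)))
    return findings
```

Failed attempts are flagged as well as successes, since a failed login from an unexpected country is still worth an alert. A check like this only works if the VPN gateway logs are retained, which is exactly the gap CERT-In reported.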

CERT-In has noted the significant cybersecurity gaps in the NHAI system and recommended to the authority and the major IT service provider that they take immediate action to address the gaps and improve security. NHAI officials stated that they have taken the corrective actions recommended by CERT-In.

The cyberattack had infected multiple servers and PCs with Maze ransomware, resulting in a complete shutdown of systems for almost 48 hours. The attackers had also compromised the Windows Active Directory server on the NHAI network and subsequently compromised internal systems, the mail server and the antivirus server.

The NHAI was recommended to replace the Active Directory servers, disable suspicious VPN accounts, and block malicious IP addresses as immediate measures.

According to sources, CERT-In has said that the cyber attackers exfiltrated data and leaked sample data from two NHAI systems into the public domain. The data released included tax information, audit reports, copies of passports, identity cards, evaluation reports, and other personally identifiable information and financial records of NHAI users.

