Wednesday, January 24, 2018
Amit Dubey (Cyber Expert)

WHO ARE LEGION?

We recently witnessed massive trolling of some popular figures on Twitter when their accounts were hacked. While to us it may have been moments of comic relief, our cyber expert, Amit Dubey, tells us of the security threat that the group could be moving towards.

A few days back, many Indian banks faced a cyber-attack in which over 3.2 million debit card details were stolen by a few unknown hackers; we would never have thought that it was just the beginning. State Bank of India, ICICI Bank, Yes Bank, Axis Bank and HDFC Bank are said to have been hit the hardest by the breach, which is believed to have taken place several weeks ago.

Though it started with ATM and debit card hacking on a mass scale, followed by the recent Twitter hacks of some celebrities and politicians, it raised questions about the safety of the Digital India vision.

A hacker group, “Legion”, took responsibility for the recent hacks of the digital accounts of prominent Indians. They also warned that the Indian banking system is “deeply flawed” and that the group does not believe in a cashless economy. It was the first time that a hacker group had exposed itself and claimed responsibility for such attacks. This started an unending debate on news channels, created a lot of curiosity among people, and the IT minister, Mr. Ravi Shankar Prasad, had to order an IT audit of all the banks.

I got calls from many people, police officers and journalists, who wanted to understand more about this group; they even enquired whether I could reach this group. I started my own investigation to reach them by studying their way of attack, hacking claims, political inclination, interviews with the media, etc.

I could derive a few facts from this investigation. The way they hacked the Twitter accounts makes it clear that they were not targeting the servers; they could not hack the Twitter server. In fact, they had the correct passwords of the targeted accounts, and that is why they could log in to the system without any issue.

Now, the question is how they got those passwords. We assume that they first hacked the email IDs of the targeted people and then used those email IDs to recover/change the Twitter passwords, which is a common practice. Coming back to the email hacking, they would have used phishing techniques by sending an email to those people.

If we go by their confidence level, it seems a smart phishing attempt, because they hacked more than 20 email IDs of Vijay Mallya. That was possible because when we open a new email account we give one email ID as the reference one, which is used to recover a lost password, so in a way all these email IDs are connected.
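The chained-recovery mechanism described above, modelled as an added example (not part of the original article): each account names the single reference account that can reset its password, and the script computes how many accounts fall if one mailbox is phished. All account names are constructed placeholders.

```python
from collections import defaultdict, deque

# Constructed sample recovery graph (not real accounts): each account maps to
# the single "reference" account that can reset its password, or None.
RECOVERY = {
    "personal@example-mail.test": None,                      # root mailbox
    "old-work@example-mail.test": "personal@example-mail.test",
    "backup@example-mail.test": "old-work@example-mail.test",
    "twitter:@celebrity": "backup@example-mail.test",
    "twitter:@official-handle": "old-work@example-mail.test",
    "bank-portal": "personal@example-mail.test",
    "unrelated@other-mail.test": None,
}

def reset_targets(recovery):
    """Invert the graph: for each account, list the accounts it can reset."""
    children = defaultdict(list)
    for account, parent in recovery.items():
        if parent is not None:
            children[parent].append(account)
    return children

def blast_radius(recovery, compromised):
    """Every account an attacker holding `compromised` can take over through
    password-reset chains alone (no server compromise needed). Cycles in the
    recovery graph are handled by the visited set."""
    children = reset_targets(recovery)
    seen, queue = {compromised}, deque([compromised])
    while queue:
        for child in children[queue.popleft()]:
            if child not in seen:
                seen.add(child)
                queue.append(child)
    seen.discard(compromised)
    return sorted(seen)

def single_points_of_failure(recovery, threshold=2):
    """Defender's check: recovery accounts whose compromise exposes at least
    `threshold` other accounts, most exposed first."""
    scored = {a: len(blast_radius(recovery, a)) for a in recovery}
    return sorted(((a, n) for a, n in scored.items() if n >= threshold),
                  key=lambda item: (-item[1], item[0]))

if __name__ == "__main__":
    for account, exposed in single_points_of_failure(RECOVERY):
        print(f"{account}: exposes {exposed} account(s)")
```

Accounts at the top of the list are the ones whose recovery settings deserve a second factor or an independent recovery channel, since one successful phish there cascades to everything below.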

But there were many more questions: why are they doing this? What is their vision, and who would be their next target? What could be the size of this group? Do they have any Indian members, and are they politically inclined?

Yes, if India is so important to them then there are surely some Indian hackers in the group, and by just hacking Twitter accounts they can’t achieve much. They could have done bigger damage by hacking the email IDs. But what is the reason that they didn’t reveal any such confidential details or internal emails of those people? They just posted some tweets and that’s it. Now, this appears strange, and it gives a hint that they wanted to create strategic damage and impact: their intention was just to alert, not to damage. It’s hard to believe that they didn’t reveal many more sensitive details from the hacked emails, which they could easily have done. Or are they waiting?

Though the objective of this group is quite clear, they are targeting corrupt people, it seems they are also threatening the Indian Government that sansad.nic.in will be their next target. This is an open challenge, and it has really given sleepless nights to many politicians.

As we know, they have hacked till now the Twitter and email accounts of Congress vice president Rahul Gandhi, following that up by hacking into the official accounts of the Indian National Congress, liquor baron Vijay Mallya, journalists Barkha Dutt and Ravish Kumar, as well as the news channel NDTV. The group has made public dumps of some of these email accounts.

This definitely gives a hint that the group has some political inclination or priorities. Now, as far as I know, hackers never work like this: they normally don’t reveal their identity, and they never show any political inclination. Though they could surely have some priorities, if they are really a network of people then they are a threat to everybody. This could be a good opportunity for the government to review and audit its security policies and networks and build better shielding against such attacks.

Somebody asked me whether we can track these hackers, and how the law enforcement agencies stand in tracking such virtual attacks.

They are quite advanced and untraceable at the moment, until and unless they make a mistake. They have used proxy servers in the US, Sweden, Romania and Canada while making such cyber-attacks and tweets, which makes it very clear that at least they don’t belong to any of these countries. It’s obvious that any hacker would use a proxy server in a country where he has no physical presence, so he would always be out of reach of the local law enforcement agencies.

The literal meaning of legion is a division of 3,000–6,000 men, including a complement of cavalry, so by choosing this name they may want to hint that they are a large group of people. But going by our standard investigation protocol, hackers always leave a hint contradictory to what they really are. On this assumption, they are surely not a big group; they may be a small group of people or even a single man sitting somewhere, maybe in an IT company as a normal software engineer, a completely unknown person. Who are the Legions in this case? We will probably know that soon, I HOPE.

January-2017