For the second time in March, Indian telco BSNL’s website has been hacked, and this time it was not by an ethical hacker but by a real sabotage group called LulzSec. The Indian arm of the group of hackers – or hacktivists as they call themselves – raided BSNL’s homepage and replaced it with a mocking message.
All this took place a couple of days after a French security researcher, known by his Twitter alias Elliot Alderson, discovered a major flaw in the internally accessible sub-domains of BSNL that gave him access to a database of 47,000 employees. In fact, this latest hack was also highlighted by the researcher, who urged hackers to notify government officials of any security drawback instead of defacing a website.
But this attack on BSNL was partially a mockery and partially a form of protest against the Indian IT Act of 2000, which allows ethical hackers to be prosecuted for finding vulnerabilities in government and other publicly relevant websites. Elliot also found another sub-domain on BSNL’s network disrupted by another hacker.
I found 2 hacked @BSNLCorporate subdomains this morning.
Please. Don't do that.
If you are skilled enough to deface websites, it's awesome. But please don't do it.
Alert the concerned owners, give them a chance. If they don't answer, let's discuss, I probably can help. pic.twitter.com/XmVfpEt6c6
— Elliot Alderson (@fs0c131y) March 6, 2018
This hack beats BSNL’s claims about being “fully geared up to prevent any data loss related to its employees, customers or stakeholders”. The telecom operator, which is yet to roll out 4G services widely in the country, boasted confidently of its “latest technology” as well as “full secure data centres” in a press release while responding to findings by Alderson. It seems these claims now lie under the rubble of the company’s shattered reputation.
What is even more absurd is that the hack could have been prevented had BSNL taken these claims seriously. Two years ago, IIT Guwahati alumnus Krishna Kothapalli had tried to reach out to the telco, informing them of the vulnerability in the employee database, but did not receive any reply.
For now, there seems to be no reply from BSNL over Twitter or via the press. Moreover, there is no information about whether these miscreants only sabotaged the front page of the operator’s website or stole data too. The website has now been restored.