Who is BSNL?
The telecommunications company Bharat Sanchar Nigam Limited (BSNL) is a vast network service provider under the Government of India. BSNL serves its customers with various telecom services, namely landline, CDMA mobile, GSM mobile, Internet and broadband, over its wide network across India.
A quick view of the fraud in sequence:
A French security researcher, Baptiste Robert, who tweets under the pseudonym ‘Elliot Alderson’, shared on Twitter how he gained access to BSNL’s intranet system through SQL injection.
This gave him access to the entire database of BSNL employees. The data contains employees' names, designations, passwords, mobile numbers, dates of birth, dates of retirement, email addresses, etc. He also asserts that the BSNL websites intranetuk.bsnl.co.in and intranethr.bsnl.co.in have been attacked by ransomware. This attack went unnoticed by BSNL until he reported it.
Two years ago, Sai Krishna Kothapalli, a computer science engineer from IIT Guwahati, had discovered this issue and written to BSNL. He also talked to their senior officials, but there was no response from their side. Elliot Alderson also tweeted this information.
“I discussed with @BSNL Corporate and a member of their IT team. They (BSNL) have acknowledged the issues and fixed them (after my report),” the researcher said.
This French security researcher has been alerting various government bodies about several security flaws in their networks for a long time. Last week, he exposed security flaws in the private network of the Bengaluru City Police. He also claimed that he had identified leaks from the Telangana government's MNREGA website, including contacts and personal details.
How the attack was initiated:
Elliot Alderson gained access to the BSNL intranet by breaking into the system, embedding malicious code through SQL injection.
SQL injection (SQLi) is a code injection technique in which an attacker can execute harmful SQL statements that control a web application’s database server. SQL injection can affect any website or web application that uses a SQL database.
How it works: For a SQL injection attack to work, the website needs to include user input within a SQL statement. An example of a SQL injection payload is as simple as setting the password. This would result in the SQL query and once this query executes the attacker will log in with the first account from the query result.
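The login behaviour described above, as an added example that is not part of the original article: a query built by string concatenation beside the same query with bound parameters, run against a constructed in-memory SQLite table. The table layout, function names and input strings are assumptions made for illustration and say nothing about BSNL's actual code.

```python
import sqlite3

# Constructed sample data; plaintext passwords appear only to mirror the
# classic login query shape (real systems store salted password hashes).
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    db.executemany("INSERT INTO users (username, password) VALUES (?, ?)",
                   [("admin", "s3cret-admin"), ("alice", "alice-pw")])
    return db

def login_vulnerable(db, username, password):
    # Weak: user input is concatenated into the SQL text, so a quote in the
    # input ends the string literal and the rest is parsed as SQL.
    query = ("SELECT username FROM users WHERE username = '" + username +
             "' AND password = '" + password + "' ORDER BY id")
    row = db.execute(query).fetchone()
    return row[0] if row else None

def login_parameterized(db, username, password):
    # Hardened: placeholders keep the input as data; it is never parsed as SQL.
    row = db.execute(
        "SELECT username FROM users WHERE username = ? AND password = ? ORDER BY id",
        (username, password)).fetchone()
    return row[0] if row else None

# Constructed input: a quote followed by an always-true condition.
TAUTOLOGY = "x' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable   :", login_vulnerable(db, "nobody", TAUTOLOGY))
    print("parameterized:", login_parameterized(db, "nobody", TAUTOLOGY))
    print("legit login  :", login_parameterized(db, "alice", "alice-pw"))
```

With the concatenated query the always-true condition matches every row and the first account is returned; with bound parameters the same input is compared as a literal password and matches nothing.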
- The attacker gained access to the BSNL database containing the personal details of more than 47,000 employees, including their names, designations, addresses, passwords, etc.
- Other government bodies were alerted by this cyber-attack and started tightening their cyber security.
Who should be concerned about cyber-attacks?
- For Senior Management: Senior management must take cyber-attacks seriously in order to secure their company's confidential data. Hackers always target data that might harm your company.
- For Developers: Web developers must be aware of cyber-attacks and SQL injection, as they develop the whole website and its web applications. Developers should take a proper course in cyber security to protect their organizations from being attacked by hackers. To learn more about cyber security, Kratikal Academy is the best training institute, providing various cyber security courses both online and offline.
- For Students: With the shortage of cyber security experts all over the world, every organization is looking for the best cyber security experts who can protect it from various cyber-attacks. This is the right time for students to pursue a career in cyber security. Kratikal Academy provides the best cyber security courses to students who have a keen interest in this field and helps them become experts in it. Ethical hacking training helps not only students but also corporate employees who are looking for a career in vulnerability assessment and penetration testing.