Cybercriminals are targeting elections in India with influence campaigns

Pierluigi Paganini May 22, 2024

Resecurity warns of a surge in malicious cyber activity targeting the election in India, orchestrated by several independent hacktivist groups

Resecurity has identified a spike of malicious cyber activity targeting the election in India, which is supported by multiple independent hacktivist groups who arrange cyber-attacks and publication of stolen personal identifiable information (PII) belonging to Indian citizens on the Dark Web.

India, with a population of over 1.4 billion and a GDP of over 3.417 trillion USD, has become a prime target for cyberattacks during its general elections scheduled between 19 April and 1 June 2024.

Multiple independent hacktivist groups are targeting India’s elections with influence and public opinion manipulation campaigns, Resecurity reports. The campaigns are designed to sway voters’ opinions and undermine trust in the democratic process. Attackers have also defaced websites and leaked data to launch influence campaigns against India’s government leaders, said researchers.

Around 16 different independent hacktivist groups are targeting Indian elections, including Anon Black Flag Indonesia, Anonymous Bangladesh, and Morocco Black Cyber Army, among others.

“These 16 groups have targeted multiple law enforcement, government, healthcare, financial, educational, and private sector organizations in India, taking advantage of geopolitical narratives before recent elections,” researchers noted.

Resecurity observed that the Ahadun-Ahad 2.0 Team has published Indian Voter ID cards on Telegram, which are issued by the Election Commission of India to 18+ individuals domiciled in India. The source of the data is unclear, but they suspect it is linked to compromised third-party entities. Earlier, cybercriminals have stolen AADHAAR, PAN, driving licenses, and NOC documents from the Dark Web, including 36 GB of personally identifiable information (PII) belonging to Indian citizens.

The data, primarily in graphic form with victims’ selfies, could be used to spread false information, undermine trust in the electoral process, and profit from selling stolen information on the dark web. Resecurity alerted law enforcement and federal authorities to the leaked data.

Besides graphical data files, including voter registration records and credentials from Voter Portal, the actors also leaked large data sets containing voters’ credentials collected using infostealers. Such malware programs, including Nexus, Medusa, Redline, Lumma, and Racoon, are designed to steal sensitive information such as login credentials and financial data. Specific signatures identified in leaked data sets may confirm that they originate not from any vulnerable election systems, but likely from compromised consumers with malicious code. The compromised credentials could have been obtained by intercepting login forms on popular Internet browsers or by accessing password storage on compromised devices. At some point, threat actors were aiming to leak a big number of voters’ records to create a perception that elections systems are vulnerable. In fact, the origin of these credentials is on the consumer side, as many Internet users are getting infected with malware due to poor network hygiene and lack of cybersecurity awareness.

Researchers also observed public opinion manipulation campaigns targeting Indian government leaders, using data leaks, website defacements, and political narratives. These ‘cyber-guerilla’ tactics blur attribution and operate under the ‘false flag’ of independent hacktivists aiming to create social conflict between Indian and Muslim populations.

Resecurity has summarized the key risk indicators of malicious activity to increase cybersecurity awareness among Indian citizens, encouraging them not to react to any claims or narratives originating from unreliable sources planted by cybercriminals, which could affect their votes.

The full report is available here:

Pierluigi Paganini

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

(SecurityAffairs – hacking, India)

you might also like

leave a comment