Based on matching fields from Telegram data and previously reported incidents affecting health workers, the team from cyber-security company CloudSEK said that the information was scraped through these compromised credentials and the claims need to be verified individually.
CloudSEK’s contextual AI digital risk platform XVigil discovered a threat actor advertising a Telegram bot that offered personally identifiable information (PII) data of Indian citizens who had allegedly registered vaccines from the CoWIN portal.
“It is believed that the threat actors have obtained multiple credentials belonging to health workers, which they can use to access the CoWIN portal and its associated data,” according to researchers.
On March 13, 2022, a threat actor on a Russian cybercrime forum advertised compromised access to the CoWIN portal, sharing a screenshot of the CoWIN database portal affecting the Tamil Nadu region.
“There are numerous healthcare worker credentials available on the Dark Web for the CoWIN portal, highlighting the need for better endpoint security measures for healthcare workers,” the team highlighted.
The Union Ministry of Health and Family Welfare (MoHFW) on Monday dubbed the alleged data breach of Covid-19 vaccine beneficiaries as “mischievous in nature”, saying that the CoWIN portal is completely safe with adequate safeguards for data privacy.
The Ministry also said that it has requested the Indian Computer Emergency Response Team (CERT-In) to look into this issue and submit a report, besides initiating an internal exercise to review the existing security measures of CoWIN.
According to cyber-security researchers, the Covid data bot was offered by a channel called ‘hak4learn’, which frequently shared hacking tutorials, resources, and bots for individuals to access and buy.
Initially, the bot was available for everyone to use, but it was later upgraded to be exclusive to subscribers.
“The bot is currently down and might come up later as mentioned by the admin of the channel,” said CloudSEK.
Union Minister of State for Electronics and IT, Rajeev Chandrasekhar had said that it does not appear that the CoWIN app or database has been directly breached.