India has been aggressive with its vaccination drive since its launch in January 2021, for health care and frontline workers first in line. The second phase of the vaccination program for the public kickstarted on March 1, 2021. The two vaccines being administered include “Covishield” from the Serum Institute of India and “Covaxin” from Bharat Biotech. Technology plays a critical role in planning, deploying, and monitoring vaccination programs. Hence, citizens are urged to register via Aarogya Setu or on the CoWIN website. However, hackers are testing the country’s digital architecture, and allegedly impersonating the legitimate CoWIN website to coax citizens into registering on the fake portal and exfiltrate their personal information.

RDP Attacks Skyrocket

Remote work continues to top the business continuity operations in India. According to a cybersecurity report from Kaspersky, India witnessed 9.04 million brute-force attacks against the remote desktop protocol (RDP) in February 2021, compared to 1.3 million in February 2020 and 3.3 million in March 2020. Working in decentralized environments has become the new normal, and brute-forcing RDP has become the most common technique for cybercriminals to gain access to Windows systems and execute malware.

“Remote work isn’t going anywhere. Even as companies begin considering re-opening their workplaces, many have stated that they will continue to include remote work in their operating model or pursue a hybrid format,” said Dmitry Galov, a security expert at Kaspersky. “That means it’s likely these types of attacks against remote desktop protocols will continue to occur at a rather high rate. 2020 made it clear that companies need to update their security infrastructure, and a good place to start is providing stronger protection for their RDP access.”
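The brute-force pattern described above leaves a recognizable trail in the Windows Security log: a burst of failed logons (Event ID 4625) with logon type 10 (RemoteInteractive, i.e. RDP) from one source address, often cycling through many usernames. The following detector is an added example, not code from the CISO MAG article or from Kaspersky; it runs over a constructed, simplified event feed (one `timestamp,event_id,logon_type,username,source_ip` record per line, not the real Windows export format) and flags any source that exceeds a threshold of failed RDP logons inside a sliding time window.

```python
"""Detect RDP brute-force attempts from simplified Windows Security events.

Added example; the log format below is constructed for illustration.
Fields per line: timestamp,event_id,logon_type,username,source_ip
  Event ID 4625 = "An account failed to log on"
  Event ID 4624 = "An account was successfully logged on"
  Logon type 10 = RemoteInteractive (RDP); type 3 = network logon
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample feed (not real logs). 203.0.113.7 hammers RDP with
# many usernames in a few seconds; 198.51.100.22 is one typo followed by
# success; 203.0.113.9 fails slowly (one attempt every two minutes).
SAMPLE_LOG = """\
2021-02-10T09:00:01,4625,10,administrator,203.0.113.7
2021-02-10T09:00:02,4625,10,admin,203.0.113.7
2021-02-10T09:00:03,4625,10,user1,203.0.113.7
2021-02-10T09:00:04,4625,3,svc_backup,203.0.113.7
2021-02-10T09:00:05,4625,10,root,203.0.113.7
2021-02-10T09:00:06,4625,10,test,203.0.113.7
2021-02-10T09:00:07,4625,10,guest,203.0.113.7
2021-02-10T09:01:10,4625,10,jsmith,198.51.100.22
2021-02-10T09:01:25,4624,10,jsmith,198.51.100.22
2021-02-10T09:02:00,4625,10,admin,203.0.113.9
2021-02-10T09:04:00,4625,10,admin,203.0.113.9
2021-02-10T09:06:00,4625,10,admin,203.0.113.9
2021-02-10T09:08:00,4625,10,admin,203.0.113.9
2021-02-10T09:10:00,4625,10,admin,203.0.113.9
"""

THRESHOLD = 5                 # failed RDP logons per source before alerting
WINDOW = timedelta(minutes=1) # sliding window length

FAILED_LOGON = 4625
RDP_LOGON_TYPE = 10


def parse_line(line):
    """Split one constructed record into typed fields."""
    ts, event_id, logon_type, user, ip = line.split(",")
    return datetime.fromisoformat(ts), int(event_id), int(logon_type), user, ip


def detect_rdp_bruteforce(log_text, threshold=THRESHOLD, window=WINDOW):
    """Return {source_ip: (peak_failures_in_window, distinct_usernames)}.

    Only failed logons of type 10 count; successes and non-RDP failures are
    ignored. Records are expected in chronological order, as a log export is.
    """
    recent = defaultdict(deque)  # source_ip -> deque of (timestamp, username)
    alerts = {}
    for line in log_text.strip().splitlines():
        ts, event_id, logon_type, user, ip = parse_line(line)
        if event_id != FAILED_LOGON or logon_type != RDP_LOGON_TYPE:
            continue
        q = recent[ip]
        q.append((ts, user))
        # Drop attempts that have aged out of the window.
        while q and ts - q[0][0] > window:
            q.popleft()
        if len(q) >= threshold:
            distinct_users = len({u for _, u in q})
            prev = alerts.get(ip)
            # Keep the worst burst seen for this source.
            if prev is None or len(q) > prev[0]:
                alerts[ip] = (len(q), distinct_users)
    return alerts


if __name__ == "__main__":
    for ip, (count, users) in detect_rdp_bruteforce(SAMPLE_LOG).items():
        print(f"ALERT {ip}: {count} failed RDP logons, {users} usernames tried")
```

With the defaults only `203.0.113.7` is reported (six failures, six usernames); the slow source at `203.0.113.9` only shows up if the window is widened, which is the usual trade-off when tuning such a rule against low-and-slow attempts. The high distinct-username count is the stronger signal, since a legitimate user mistyping a password reuses one account. On the prevention side, the controls the quoted report alludes to are the standard ones: keep TCP 3389 off the internet and behind a VPN or gateway, require Network Level Authentication and MFA, and configure account lockout so a burst like this exhausts itself.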

The New-age Oil Leaks Copiously

The data breach landscape in India, pre-COVID, was simple. Adversaries launched ransomware attacks by encrypting the data on vulnerable systems and demanding a ransom in exchange for a decryption key. Cybercriminals showed little interest in inventing new attack vectors. But as the adage goes, change is the only constant. Today, ransomware groups are reinventing their modus operandi to attack not just the data, or “the new-age oil,” but the brand image of a business. With improved infrastructure, India is opening its doors to global market players. Threat actors are leveraging this opportunity to attack the brand image of a business or enterprise by dropping malware payloads on the targeted system and exfiltrating data, in turn damaging intellectual property and national security.

The recent MobiKwik data leak exposed the data of 3.5 million users, with 6TB of KYC details and 350 GB of compressed MySQL dump. To add to the list, the personal information of 533 million Facebook users from 106 countries was leaked for free on an underground hacking forum – with 6.1 million users from India alone. And if this was not enough, India’s second-largest stockbroker, Upstox, was reportedly the latest victim of a breach, allegedly leaking data of 2.5 million users.

Souring India-China Relations

Ever since the pandemic broke out, India’s relationship with China has turned sour. This was evident in the Mumbai power outage in October 2020, which crippled the financial capital with chaos. An investigation by the Maharashtra cyber department revealed a malware attack with unaccounted data transfer from a foreign server to the Maharashtra State Electricity Board (MSEB) server. Evidence from Recorded Future also underlined the geopolitical tensions and border clashes between the two Asian neighbors: it claimed that the Chinese state-sponsored group “RedEcho” targeted India’s power grid. It did not stop there. CERT-In averted a hacking attempt on the Telangana state power utilities, TS Transco and TS Genco, by a Chinese hacking group.

In the past, the Indian government accused Chinese threat actors of attacks on the National Informatics Centre (NIC), the National Security Council (NSC), and the Ministry of External Affairs (MEA). The transformative role of technology impacted Indian cyberspace and the information sector. Another report stated that India was named one of the most cyber-targeted countries globally in 2019, with over 50,000 cyberattacks from China alone. The IBM Security report titled “2021 X-Force Threat Intelligence Index” revealed that India was the second most cyberattacked country in APAC.

Where do we go from here?

Apart from vaccine disruptions, RDP attacks, and foreign intrusion, team CISO MAG continues to observe common attack trends such as phishing and business email compromise directed towards Indian governments and enterprises. Armies in countries like the U.S. have a cybersecurity unit (U.S. Cyber Command) that is responsible for countering cyberwarfare. India has cyber cells attached to its state police forces, and in a similar vein, the Indian government needs to seriously consider a cyberwarfare unit within the armed forces and scale up its cyber maturity.

Cyberwarfare is here to stay, and threat actors are eyeing every chance to sabotage the country’s defense mechanism. Despite the many efforts of security agencies, India’s agility in incident response has been inadequate. And with the soaring second COVID-19 wave, it will be interesting to watch how India combats the vicious nature of existing and new cyberthreats.

Phase 1 was all about employee access, network communications confidentiality/integrity, and basic endpoint security. The next phases will move quickly from risk assessment to mitigation.

As most CISOs know all-too-well, large-scale work from home (WFH) initiatives due to COVID-19, where the priority was getting users up and running as quickly as possible, forced security leaders into an unanticipated follow-on sprint to deliver elementary security safeguards for remote employees (i.e., VPNs, endpoint security controls, network security controls, etc.).

This is the new reality, and it’s an ongoing scramble, but what comes next? 

Let’s call the current situation phase 1, which is about employee access, network communications confidentiality/integrity, and basic endpoint security. 

Some organisations are implementing split tunneling so key employees can access VPNs and the internet simultaneously.  Some are paying to upgrade employee bandwidth — especially for executives spending their days on videoconference meetings while their children use the same networks for home schooling.  Back at corporate, there’s also lots of load balancing and SD-WAN activity.

From a security perspective, forward-thinking CISOs are now on to phase 2 focused on situational awareness and risk assessment.  This is directly related to the fact that a lot of LAN traffic has been rerouted to WANs and internet connections.  The goal?  Scope out the new realities of usage patterns and the attack surface.

In about 4 weeks, organizations will have visibility and enough historical data to proceed to phase 3, a full risk assessment and a board-level report.  These reports will examine the WFH infrastructure, new traffic patterns, perceived vulnerabilities, rising threats, etc.  They will also dig into a more thorough look at emerging WFH issues like insider threats, expansive privileges, data security exposures, insecure cloud application configurations, and others.  The goal?  Quantify risk and then work with executives to prioritize actions.

This leads to phase 4, which is all about risk mitigation.  Based upon my conversations, the goal is to address this by mid-May at the latest.  During the risk mitigation phase, organizations will likely employ controls for data privacy/security, least privilege to networks and applications, and segment home network traffic to protect WFH assets from gaming systems, smart refrigerators, security cameras and the like.  We’ll see more deployment of technologies like multi-factor authentication (MFA), zero trust networking tools, privileged account management, and DLP/eRM at that point.  Process automation will also be added during this period. 

At the end of phase 4, WFH should be set up for threat prevention, detection and response — at scale.

A few final things I’ve heard:

  1. While the four phases are a general project plan, CISOs are also busy patching tactical holes like blocking Zoom bombing by using meeting IDs and issuing passwords. Issues like this come up daily.
  2. Another thing I’m hearing about is securing “shotgun” applications, developed and deployed quickly to support remote workers, business partners and customers.
  3. Security will continue to play catch-up with IT, which is leading with network performance and service availability. User support and productivity are paramount while security remains behind the scenes.
  4. The need for speed is causing CISOs to have a “SaaS first” mentality.
  5. CISOs are taking a long-term approach since no one can tell how long the lockdown will last. Many also feel like this is a game-changer for the future of IT and security.