Summarised By – Miss Randrita Sarkar
Cyberattack hits IT systems of India’s power generation giant Tata Power.
On Friday, 14 October 2022, Tata Power reported that a cyberattack had impacted its information technology (IT) infrastructure and processes. According to its BSE disclosure, Tata Power Corporation Limited suffered a cyberattack on its IT infrastructure that disrupted some of its IT systems. The company said it had taken steps to retrieve and restore the affected machines, and that it had put security guardrails in place for customer-facing portals to prevent unauthorized access.
“All critical operational systems are functioning; however, as a measure of abundant precaution, restricted access, and preventive checks have been put in place for employee and customer-facing portals and touchpoints.”
The electricity giant immediately launched operations to respond to the incident and restore the affected systems. As a precaution, restricted access and preventive measures were implemented for employee- and customer-facing portals and touchpoints. The company assessed that the targeting is likely a prelude to future activity, or is meant to facilitate information gathering related to critical infrastructure assets.
Data Leaked in the Dark Web
The Hive ransomware gang allegedly leaked a package of sensitive data stolen from Tata Power servers on the dark web on October 14, 2022. Hive claimed responsibility for the cyberattack and began publishing the stolen data on its dark web leak site. Hive, together with its ransomware affiliates, is known to target sectors such as energy, healthcare, financial services, media, and education.
Hive was first observed in June 2021 as an affiliate-based ransomware gang. It uses a wide range of tactics and techniques that are difficult for cyber security professionals to defend against and mitigate. Analysts and researchers have observed that most ransomware threat actors focus on a single platform, such as Windows, to launch their attacks. Hive, on the other hand, targets multiple platforms, including Windows, Linux, and ESXi hypervisors; according to Adam Meyers, Vice President of CrowdStrike, the threat actors developed the ability to run their ransomware against ESXi. Hive is distributed under a Ransomware-as-a-Service model, allowing affiliates to use it as they see fit.

The Kill Chain Analysis of the Hive Group
Initial Access: ProxyShell vulnerabilities.
Execution: Cobalt Strike and persistent command-and-control (C&C).
Defense Evasion: Creation of a new user; Mimikatz.
Lateral Movement: RDP, WMI and PsExec to deliver payloads.
Exfiltration: 7-Zip, MEGASync, Anonfiles, etc.
Impact: File encryption (RtlGenRandom API); the victim is then handed a plain-text ransom note with instructions on how to pay the ransom.