
The Kill Chain of Tata Power Hack

Summarised By – Miss Randrita Sarkar

Cyberattack hits IT systems of India’s power generation giant Tata Power.

On Friday, 14 October 2022, Tata Power reported that a cyberattack had impacted its information technology (IT) infrastructure and processes. According to a BSE disclosure, Tata Power Corporation Limited faced a cyberattack on its IT infrastructure that disrupted some of its IT systems. The company said it had taken steps to retrieve and restore the affected machines, adding that it had put security guardrails in place for customer-facing portals to prevent unauthorized access.

“All critical operational systems are functioning; however, as a measure of abundant precaution, restricted access, and preventive checks have been put in place for employee and customer-facing portals and touchpoints.”

The electricity giant launched its incident response right away to contain the incident and repair the affected systems. As a precaution, restricted access and preventive measures were implemented for employee- and customer-facing portals and touchpoints. The company determined that the targeting is likely a prelude to future activities or is meant to facilitate information gathering related to critical infrastructure assets.

Data Leaked in the Dark Web

The Hive ransomware gang allegedly leaked a packet of important data stolen from Tata Power servers on the dark web on October 14, 2022. Hive took responsibility for the cyberattack and began releasing the stolen data on its dark web forum. Hive, alongside other ransomware affiliates, is known to target sectors such as energy, healthcare, financial services, media, and education.

Hive was first observed in June 2021 as an affiliate-based ransomware gang. It utilizes a wide range of tactics and techniques that are difficult for cyber security professionals to defend against and mitigate. Analysts and researchers have observed that most ransomware threat actors focus on a single platform, such as Windows, to launch their attacks. Hive, on the other hand, targets multiple platforms, including Windows, Linux, and ESXi hypervisors. The threat actors developed the ability to run their ransomware against ESXi, according to Adam Meyers, Vice President of CrowdStrike. Hive is designed for distribution in a Ransomware-as-a-Service model, allowing affiliates to use it as they see fit.

The Kill Chain Analysis of the Hive Group

Initial Access

ProxyShell vulnerabilities.

Cobalt Strike and persistent C&C.

Defense Evasion

New user created using Mimikatz.

RDP, WMI and PsExec used to deliver payloads.

7Zip, MEGASync, Anonfiles, etc.

RTLGenRandom API. The victim is then handed a plain-text ransom note with instructions on how to pay the ransom.
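As an added example, not part of the original post or of Zeron's tooling, the following Python correlator maps Windows event records to the Hive kill-chain stages listed above and flags hosts on which several stages coincide. Event IDs 4720 (user account created), 7045 (service installed) and Sysmon event 1 (process create) are real; the record field names, hostnames and sample telemetry are constructed assumptions.

```python
# Added example: map constructed Windows event records to the Hive kill-chain
# stages named in the post, then flag hosts where several stages appear together.
# Field names (ts, host, id, service, image, parent, cmdline) are our own schema.

RULES = [
    ("Defense Evasion: new user (Mimikatz)",
     lambda e: e["id"] == 4720),                                 # account created
    ("Lateral Movement: PsExec service",
     lambda e: e["id"] == 7045 and e.get("service", "").upper() == "PSEXESVC"),
    ("Lateral Movement: WMI-spawned process",
     lambda e: e["id"] == 1 and e.get("parent", "").lower().endswith("wmiprvse.exe")),
    ("Exfiltration: archive/upload tool",
     lambda e: e["id"] == 1 and (
         e.get("image", "").lower().rsplit("\\", 1)[-1] in {"7z.exe", "megasync.exe"}
         or "anonfiles" in e.get("cmdline", "").lower())),
]

def stages_by_host(events):
    """Return {host: [stage, ...]} in time order, each stage listed once per host."""
    hits = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        for name, match in RULES:
            if match(e):
                seen = hits.setdefault(e["host"], [])
                if name not in seen:
                    seen.append(name)
    return hits

def flag_hosts(events, min_stages=2):
    """Hosts showing at least min_stages distinct kill-chain stages (sorted)."""
    return sorted(h for h, s in stages_by_host(events).items() if len(s) >= min_stages)

# Constructed sample telemetry with hypothetical hostnames (not incident data).
SAMPLE = [
    {"ts": 1, "host": "srv01", "id": 4720},
    {"ts": 2, "host": "srv01", "id": 7045, "service": "PSEXESVC"},
    {"ts": 3, "host": "srv01", "id": 1, "image": "C:\\Tools\\7z.exe", "parent": "cmd.exe"},
    {"ts": 4, "host": "srv02", "id": 1, "image": "C:\\Windows\\notepad.exe", "parent": "explorer.exe"},
    {"ts": 5, "host": "ws07", "id": 1, "image": "C:\\Users\\u\\MEGAsync.exe", "parent": "WmiPrvSE.exe"},
]

if __name__ == "__main__":
    for host, stages in stages_by_host(SAMPLE).items():
        print(host, "->", stages)
    print("flagged:", flag_hosts(SAMPLE))
```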


Copyright: © 2023 Zeron | Teamcognito Solutions Pvt Ltd. All Rights Reserved.
