Red teaming a country: Lessons learned from hacking India's government

In the midst of the COVID-19 pandemic, John Jackson was looking for ways to stay busy. Jackson is a renowned offensive security consultant and the founder of Sakura Samurai, a (now defunct) hacking crew that gained notoriety for plumbing the security of high profile business and consumer applications. 

At the time, Jackson and Sakura Samurai were particularly interested in so-called RVDPs, responsible vulnerability disclosure programs. A feature of modern security programs responsible disclosure programs are a kind of open door policy for (white hat) hackers to help organizations assess the security of deployed systems and applications, with the understanding that those individuals share their findings with the affected organization in a responsible manner.

RVDPs are particularly popular among (democratic) governments worldwide, allowing under-resourced agencies to tap into a global talent pool of offensive cybersecurity experts.

The U.S. government led the way in this regard, with a vulnerabilities equities program that dates back more than a decade. In recent years other governments including Australia, Canada, Belgium, and various EU nations have followed suit. Among the nations with responsible disclosure programs is India, where the country’s National Critical Information Infrastructure Protection Center (NCIIPC) hosts a vulnerability disclosure program.

It was that program that Jackson and Sakura Samurai were drawn to, he said in an interview for our ConversingLabs podcast, in part because the scope of the program was loose and capacious:

Our primary focus was governments because that's where there were a lot of shortcomings.

John Jackson

Listen to the full ConversingLabs interview with John Jackson

Government systems: Uniquely vulnerable

While both private and public infrastructure have proven themselves vulnerable, government systems are particularly porous. They’re also critical for supporting public health, public safety and other vital functions. 

After deciding on their target, Jackson and his colleagues put a list together of assets that were “in scope” and then began identifying and enumerating subdomains and other potential targets for their attention. 

It didn’t take long to hit pay dirt. When the operation was all over, Jackson and other members of Sakura Samurai had compromised 26 different Indian government departments and organizations. In the process of doing so, they identified vulnerabilities that exposed credentials for 35 separate databases and other sensitive applications; 3 separate instances of exposed files including sensitive police reports; and more than 13,000 records containing PII and a remote code execution (RCE) on a sensitive financial server used by the government. 

Their findings were disclosed to Indian government agencies. Sakura Samurai also published a detailed report on their findings. (GitGuardian also has a good analysis of Sakura Samurai's work.)

In this conversation, John and I talk about how he and Sakura Samurai went about assessing the security of Indian government systems. We discuss some of the creative tools and techniques that Jackson and his colleagues used to lay bare weaknesses in deployed applications and the role that supply chain weaknesses played in gaining access to sensitive data and systems. 

Jackson shares an excellent overview of the approach that skilled adversaries use to assess the weaknesses of deployed applications and IT assets — from scanning for subdomains hosting internal or public facing applications, to scouring public code repositories for leaked credentials and other secrets. 

Here's the full ConversingLabs interview with John Jackson: