Following a recent cyberattack on the Federal Board of Revenue (FBR), the hackers have no access to the taxpayer information that the FBR maintains in the form of a database.
Top FBR officials told ProPakistani, “Yes, the cyberattack affected all our online systems on the FBR official website, but the data of Pakistani citizens is fully secured.”
So far, the FBR has been able to restore its official website dealing with all its tax-related functions.
Hackers had taken control of the tax authority’s system, which was later recovered by the FBR. However, the hackers still have the information they obtained. Access to the FBR’s system is now being sold for $30,000 on a Russian forum.
According to Hackread, the hackers managed to breach the Microsoft Hyper-V software and took down the agency’s official website along with all of its subdomains. The hackers are currently selling the FBR’s network access for $26,000 (PKR 4,274,000). The group is also demanding $30,000 (PKR 4,000,000); otherwise, they will infect all the devices on the FBR’s server and transfer them to interested buyers. The identity of the hacker group is still unknown.
Umair Ali Zafar, Principal Security Engineer at Ebryx, exclusively told ProPakistani,
In recent times, threat actors have amassed huge resources, and it has become difficult even for organizations with huge resources to defend against them, as can be seen with the recent SolarWinds hack that compromised a lot of US govt entities and private organizations. This is due to huge payouts in return for ransomware campaigns that are very lucrative for the threat actors. This has turned the tide largely against the defenders. Resources that were earlier only accessible to state actors are now also accessible to non-state threat actors, which has made them sophisticated. Pakistan has long been a target of sophisticated state and non-state threat actors, but unfortunately, we have mostly seen a reactive approach to cybersecurity incidents.
He stated that in this particular scenario, the threat actors sent emails with malicious documents as attachments. These emails looked like they came from valid email addresses of the Govt of Pakistan and the Ministry of IT and Telecom, but they were actually spoofed. The documents were crafted to gain the interest of the receiver, but when opened, they infected the system.
“Once one system is affected, that system can be used to gain access to other systems on the network, which leads to compromise of the whole organization. At least since last Tuesday, the access to 1500+ systems of FBR was being sold online on a forum, for $26,000. Threat intelligence about these emails was circulating since at least early July,” added Zafar.
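The pattern Zafar describes, a spoofed government sender carrying a lure document, is exactly what a mail gateway can triage before delivery. The following is an added example written for this article, not code from the FBR, PRAL or Ebryx. It assumes the gateway stamps an RFC 8601 Authentication-Results header with SPF, DKIM and DMARC outcomes; the two messages, the sender domains and the attachment name are all constructed placeholders.

```python
"""Triage of inbound mail for spoofed-sender phishing that carries a lure document.

Added example for this article (not FBR, PRAL or Ebryx code). Assumes the mail
gateway adds an Authentication-Results header (RFC 8601); all messages and
domains below are constructed placeholders.
"""
import email
import re
from email.message import Message
from email.utils import parseaddr

# Attachment types commonly used to carry macros or exploits inside lure documents.
RISKY_EXTENSIONS = {".doc", ".docm", ".xls", ".xlsm", ".rtf", ".iso", ".js", ".vbs"}

AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)")

# Constructed: display From claims a ministry, but SPF/DMARC fail and the bounce
# address (Return-Path) belongs to an unrelated domain; a .doc is attached.
SPOOFED_MAIL = """\
Return-Path: <bulk@mailer-farm.example>
Authentication-Results: mx.gateway.example; spf=fail smtp.mailfrom=mailer-farm.example; dkim=none; dmarc=fail header.from=ministry-it.example
From: "Ministry of IT and Telecom" <notices@ministry-it.example>
To: officer@tax-office.example
Subject: Revised notification - see attached document
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain

Please review the attached notification.
--XYZ
Content-Type: application/msword; name="Notification.doc"
Content-Disposition: attachment; filename="Notification.doc"
Content-Transfer-Encoding: base64

0M8R4KGxGuEA
--XYZ--
"""

# Constructed: authenticated sender, aligned envelope, no attachment.
LEGIT_MAIL = """\
Return-Path: <notices@ministry-it.example>
Authentication-Results: mx.gateway.example; spf=pass smtp.mailfrom=ministry-it.example; dkim=pass; dmarc=pass header.from=ministry-it.example
From: "Ministry of IT and Telecom" <notices@ministry-it.example>
To: officer@tax-office.example
Subject: Monthly circular
Content-Type: text/plain

The circular is published on the portal.
"""


def parse_auth_results(msg: Message) -> dict:
    """Return e.g. {'spf': 'fail', 'dkim': 'none', 'dmarc': 'fail'}; missing keys mean no result."""
    results = {}
    for header in msg.get_all("Authentication-Results", []):
        for mech, outcome in AUTH_RE.findall(header.lower()):
            results.setdefault(mech, outcome)
    return results


def domain_of(addr_header) -> str:
    """Domain part of the first address in a header value (empty if none)."""
    _, addr = parseaddr(addr_header or "")
    return addr.rpartition("@")[2].lower()


def risky_attachments(msg: Message) -> list:
    """File names of attachments whose extension is in RISKY_EXTENSIONS."""
    names = []
    for part in msg.walk():
        fname = part.get_filename()
        if fname and any(fname.lower().endswith(ext) for ext in RISKY_EXTENSIONS):
            names.append(fname)
    return names


def assess(raw: str) -> dict:
    """Score one raw message and return the flags raised plus a verdict."""
    msg = email.message_from_string(raw)
    flags = []
    auth = parse_auth_results(msg)
    if auth.get("spf") == "fail" or auth.get("dmarc") == "fail":
        flags.append("auth-fail")
    from_dom, path_dom = domain_of(msg["From"]), domain_of(msg["Return-Path"])
    if path_dom and from_dom != path_dom:
        flags.append("envelope-mismatch")  # visible sender differs from bounce address
    attachments = risky_attachments(msg)
    if attachments:
        flags.append("risky-attachment")
    # A failed sender check combined with a lure document is the pattern in the article.
    verdict = "quarantine" if "auth-fail" in flags and attachments else "deliver"
    return {"flags": flags, "attachments": attachments, "verdict": verdict}


if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED_MAIL), ("legit", LEGIT_MAIL)):
        print(name, assess(raw))
```

The verdict deliberately requires both signals: an authentication failure alone also hits misconfigured legitimate senders, so on its own it is better routed to review than dropped, while the combination with a macro-capable document is what the article's scenario turns on.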
How to Counter Them?
“While the initial breach is hard to detect, most of the time, when the threat actor tries to achieve persistent access to the network, or when they try to move laterally in the network, they leave a lot of traces on the systems. So even if a threat actor is able to gain initial access, it is possible to detect the subsequent actions and thwart them,” said Umair.
He noted that good security hygiene goes a long way in securing the networks. “There is no silver bullet, but a proactive approach with a security-focused mindset and continuous awareness regarding ongoing campaigns can help secure the networks to a reasonable extent.”
“In this particular scenario, I have seen data that suggests that the FBR was a target since at least a month or so back. The access to their network was being sold at least a few days before they found out about the attack. This means they had some time to respond to the initial attack before it went catastrophic. Ideally, they should have a robust security program, comprising inventory of all their hardware and software assets, strict access controls, and logging of data at the network and endpoint level,” he stated.
Umair told ProPakistani that there should be a dedicated team that constantly monitors this data, as well as threat intelligence feeds. This way, they will be able to respond to threats before they do serious damage, even if the attackers are able to breach the network in the first place.
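The traces Umair points to, lateral movement followed by persistence, show up in endpoint logging as one account fanning out across many hosts over the network and then creating something that survives a reboot. The detector below is an added example written for this article, not code from the FBR, PRAL or Ebryx. It assumes Windows Security events 4624 (logon; LogonType 3 is a network logon) and 4698 (scheduled task created) are collected centrally as CSV rows; the rows, host names, account and addresses are constructed.

```python
"""Fan-out detector for lateral-movement and persistence traces in logon telemetry.

Added example for this article (not FBR, PRAL or Ebryx code). Assumes Windows
Security events 4624 (LogonType 3 = network logon) and 4698 (scheduled task
created) are centrally collected as CSV; the telemetry below is constructed.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed telemetry: one account hops across six workstations in under three
# minutes, then a scheduled task appears on one of them; a second user logs on
# twice to the same file server, which is ordinary behaviour.
SAMPLE_LOG = """\
time,event_id,host,account,source_ip,logon_type
2021-08-10T09:00:05,4624,WS-101,svc_backup,10.0.5.20,3
2021-08-10T09:00:41,4624,WS-102,svc_backup,10.0.5.20,3
2021-08-10T09:01:12,4624,WS-103,svc_backup,10.0.5.20,3
2021-08-10T09:01:50,4624,WS-104,svc_backup,10.0.5.20,3
2021-08-10T09:02:03,4624,WS-105,svc_backup,10.0.5.20,3
2021-08-10T09:02:30,4624,WS-106,svc_backup,10.0.5.20,3
2021-08-10T09:03:15,4698,WS-104,svc_backup,10.0.5.20,
2021-08-10T09:05:00,4624,FS-01,j.khan,10.0.7.33,3
2021-08-10T09:30:00,4624,FS-01,j.khan,10.0.7.33,3
"""


def parse_events(text: str) -> list:
    """Parse CSV rows into dicts with 'time' converted to datetime."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        row["time"] = datetime.fromisoformat(row["time"])
        events.append(row)
    return events


def detect_fanout(events, window=timedelta(minutes=10), threshold=5) -> list:
    """Flag (account, source_ip) pairs that reach >= threshold distinct hosts within one window."""
    by_actor = defaultdict(list)
    for e in events:
        if e["event_id"] == "4624" and e["logon_type"] == "3":
            by_actor[(e["account"], e["source_ip"])].append(e)
    alerts = []
    for (account, src), evs in by_actor.items():
        evs.sort(key=lambda e: e["time"])
        lo = 0
        for hi in range(len(evs)):          # sliding window over this actor's logons
            while evs[hi]["time"] - evs[lo]["time"] > window:
                lo += 1
            hosts = {e["host"] for e in evs[lo:hi + 1]}
            if len(hosts) >= threshold:
                alerts.append({"account": account, "source_ip": src, "hosts": sorted(hosts)})
                break                        # one alert per actor is enough
    return alerts


def detect_persistence_after_fanout(events, fanout_alerts) -> list:
    """Hosts where an actor already flagged for fan-out created a scheduled task (4698)."""
    flagged = {(a["account"], a["source_ip"]) for a in fanout_alerts}
    return [e["host"] for e in events
            if e["event_id"] == "4698" and (e["account"], e["source_ip"]) in flagged]


def run(text: str = SAMPLE_LOG) -> dict:
    """Run both detectors over a CSV text and return their findings."""
    events = parse_events(text)
    fanout = detect_fanout(events)
    return {"fanout": fanout,
            "persistence_hosts": detect_persistence_after_fanout(events, fanout)}


if __name__ == "__main__":
    print(run())
```

The window and threshold are the tuning knobs: backup and management accounts legitimately touch many hosts, so in practice the actor key would also be matched against an allow-list of known automation sources, and the second detector exists precisely to raise confidence when fan-out is followed by a persistence action rather than alerting on fan-out alone.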
The FBR’s IT team, including IT professionals and officials of Pakistan Revenue Automation Limited (PRAL), worked on the restoration of the FBR’s systems on Sunday.
All of the FBR’s websites, including the official website, the return-filing system ‘IRIS’, FBR-Taxray, E-payment, sales tax refund status, the Tax-Asaan App, e-registration, income tax registration, refund modules, and the customs clearance system WEBOC, were non-functional.
Taxpayers had been unable to file income tax returns, withholding statements, and monthly sales tax returns on Sunday.