New Delhi: From upgrade plans for the T-90 tanks to certain projects under development by the Defence Research and Development Organisation (DRDO), a host of confidential defence ministry documents are being sold on the dark web.
A hacking group called Babuk Locker 2.0, which was originally a Thai group and is now run by a different set of hackers, claimed responsibility on 10 March for infiltrating DRDO’s systems, and pilfering classified defence documents and a vast repository of credential logs.
Three days after their initial claim, Babuk Locker 2.0 publicly released 753 MB of the hacked documents.
The hacking group claimed that the breach compromised 20 terabytes (TB) of sensitive military data, including a “secret” document related to a strategic defence project. However, sources in both government and the private sector asserted that this is a much-exaggerated claim.
Sources in the defence and security establishment told ThePrint that a review of the released documents did not show any actual intrusion into the Indian system. They said that the files and documents seemed to have been hacked from an internet-linked computer belonging to an IAS officer, who worked as a former joint secretary of the department of defence production.
“Details available show that a breach did take place, but it is at an individual level. The files seem to be at least 4 years old and more,” a source said.
While the hackers claimed to have got details of the evacuation protocols for the President, the Prime Minister and other VVIPs in case of an aerial attack, the sources said that these protocols are not under the purview of the department of defence production and are handled by a separate team.
Athenian Tech, a private cyber and data security firm, which was the first to highlight the leak in its report, also agreed with the assessment.
“The leak appears to have originated from the desktop or handheld device of the IAS officer, which was connected to the regular internet,” Kanishk Gaur, CEO of Athenian Tech, told ThePrint. “It does not seem to have come from the desktop linked to the secured defence ministry network, which follows more stringent access controls.”
The Athenian Tech report said that the leaked dataset contained procurement reports, technical presentations, tender documents, and personal identification records.
Inconsistencies in extortion strategy
Among the leaked materials was a “secret” document dated December 2020, referencing a military construction project of the Indian Air Force (IAF). The data archive also included an engineering diagram of the 84mm RL Mk-III composite barrel, developed by DRDO’s Armament Research & Development Establishment (ARDE), Pune.
Athenian Tech added that further analysis of Babuk Locker 2.0’s engagement tactics reveals inconsistencies in its extortion strategy.
The group initially demanded a ransom of $25,000 but quickly dropped the price to $5,000, an unusual move for ransomware operators dealing with high-value intelligence.
Their refusal to provide additional proof of the breach, their history of repurposing old leaks, their claim that DRDO had already paid them $300,000 not to disclose the data, and their repeated attempts to sell the data despite getting a higher price than the ransom they initially asked for suggest that the group could be trying to inflate its perceived impact rather than executing a large-scale cyber-espionage operation, it said.
The firm added that the leaked data included information like “sensitive defence documents including budget allocations, procurement plans, military modernisation, and strategic foreign collaborations. Further, the leaked data also contained files that have information about India’s defence collaborations with countries such as Finland, Brazil, and the United States of America”.
However, the crux of the matter, according to Athenian Tech, is that a data breach did take place.
“The presence of defence-related documents on a personal system indicates potential lapses in endpoint security, inadequate data handling policies, and the risks posed by officials storing sensitive information outside secured networks,” it said in its report.
“While Babuk Locker 2.0’s claims of a large-scale breach appear exaggerated, the exposure of confidential defence files—even from a single system—highlights an urgent need for stringent cybersecurity measures, improved access controls, and proactive monitoring to prevent further exposures of critical defence data.”
Gaur said: “The biggest security risk isn’t always a sophisticated, state-sponsored cyberattack coming from an Advanced Persistent Threat —it’s often individual lapses in data handling.”
“Government officials storing and transmitting classified documents on personal devices represents a fundamental breakdown in security protocols. This incident highlights the urgent need for robust data segregation policies—sensitive files must never be accessible outside government-approved, secure systems.”
(Edited by Sanya Mathur)