e-Kawach unveils comprehensive cyber threat analysis report: Over 3.4 million attacks captured on simulated data centre network

The Research Wing of CyberPeace Foundation and Autobot Infosec Private Limited, in collaboration with the Ranchi Chapter of the Institution of Electronics and Telecommunication Engineers (IETE), proudly unveils the *e-Kawach April 2024 Cyber Threat Analysis Report*. This comprehensive report provides critical insights into captured cyber attacks on a simulated data centre network, emphasising the importance of robust cybersecurity measures in protecting critical digital assets.

“CyberPeace along with our CyberPeace Center of Excellence (CCoE) partners are deploying Threat Intelligence Sensors under the e-Kawach project across India. These sensors, located nationwide, emulate various infrastructures such as healthcare, refineries, and data centres. Our monitoring reveals a concerning rise in attacks on critical infrastructure in cyberspace.” Maj Vineet Kumar, Global president and founder of CyberPeace added.

The report presents vital insights into the cyber threat landscape observed during the analysis of a data centre network. Key findings include the targeting of SSH, HTTP, Telnet, HTTPS, and DNS protocols, indicating attempts to gain unauthorised access and disrupt network operations.

Brute force attacks utilised over 8,555 unique usernames and 55,129 unique passwords, suggesting widespread use of automated scripts underscoring the need for robust security measures like multi-factor authentication, network segmentation, and intrusion detection/prevention systems. The execution of terminal commands demonstrates efforts to control systems and gather information. Furthermore, the injection of 371 unique payloads and 208 URL downloads indicated malicious intent, involving malware, backdoors, and cryptocurrency mining or tools for persistent access.

Attacker Tactics, Techniques, and Procedures (TTPs) reveal key insights into the cyber threat landscape. SSH, HTTP, Telnet, HTTPS, and DNS were the most frequently targeted protocols, indicating efforts to gain unauthorised access or disrupt network operations.

Post-exploitation activities involved executing terminal commands and injecting malicious payloads into the infrastructure, while attackers gathered detailed system information and automated reconnaissance. Furthermore, attackers attempted to establish direct TCP connections to external entities after gaining shell access, possibly through SSH tunnelling, VPN usage, or socket connections to bypass security measures.

From October 1, 2023, to April 15, 2024, the deployed simulated network captured a staggering total of 3,469,986 attack events originating from 40,390 unique IP addresses globally with most traffic originating from the United States, China, Russia, Sweden, and India. The most frequently targeted protocols included SSH, which faced 344,051 attacks, followed by HTTP with 171,084 attacks, TELNET with 122,438 attacks, HTTPS with 62,214 attacks, and DNS with 8,830 attacks.

“Pattern analysis of the attack shows us that a lot of them are originating from IP addresses of foreign countries. However, attribution with regard to Cyberattacks is so complex. There may be some cases where either the actor from another country exploits the resources of that accused country to leave a footprint leading back to the same or they use VPN, proxy technology to mask their real origin. In such a type of provision, it is extremely difficult to make a proper attribution.

To come up with a solution for the issue with the attribution there is a need for International Cyber Cooperation between countries. By which the accused country can investigate their infrastructure and resources on their own to bust the criminal gangs running the Cyberattacks and fraud campaigns affecting individuals and organisations to make the Cyberspace resilient and peaceful.” – further the spokesperson added.

The *e-Kawach Initiative*, led by CyberPeace, aims to implement comprehensive public network and threat intelligence sensors across India, capturing internet traffic to analyse real-time cyber attacks. This initiative empowers organisations to build robust cybersecurity policies. This report was produced under the auspices of the Ranchi University – IETE-CyberPeace Center of Excellence (CCoE). It aims to identify signature-based indicators of compromise in a simulated data centre network and use this intelligence to prevent future attacks.