The Indian consulate’s website is the latest Indian diplomatic internet outlet to be hacked by a person claiming to be a 17-year-old student in Tokyo, who asserts that it was a well-intentioned attempt to show the vulnerabilities that “even kids could exploit”.
The person, using the identity Kapustkiy, who had earlier hacked the web sites of seven Indian diplomatic missions in Europe and Asia, posted on a public web site the partial personal information of 418 people registered with the consulate, said to have been taken by penetrating its website.
Last week, web sites of Indian diplomatic missions in South Africa, Libya, Malawi, Mali, Italy, Switzerland and Romania were hacked and non-public information was posted publicly.
In an interview conducted by IANS on Monday using Twitter, Kapustkiy said: “It took me only three seconds to gain access to their database.”
“Even the kids could exploit it,” he said of the vulnerabilities in the way the programming language, SQL or Structured Query Language, was used on the web sites. SQL is used by web sites to manage databases.
His method was different from the hacking of Indian defense, business and media sites exposed last year by a Silicon Valley cybersecurity firm, FireEye, which said China was likely behind it.
Those penetrations required more elaborate efforts like planting spying software in emails sent to people using those sites. But Kapustkiy’s methods appeared to be simpler and more direct, exposing more dangerous vulnerabilities.
The list said to be from the New York consulate was posted on a website, pastebin.com, which is open for public posting of information. The list was still on the site Monday night, even though the earlier postings from other Indian missions have been removed.
The consulate did not respond as of Monday night, New York time, to a request emailed to the press section for comments.
The web site says that it is powered by Ardhas Technology India Private Limited, which has its registered office in Erode, Tamil Nadu. A request to it for comment had not received a response by Monday night.
Kapustkiy said: “I don’t describe myself as a hacker or something, but as a security pentester.”
Pentester is short for penetration tester, a person who examines how vulnerable internet sites are to intrusions.
On his Twitter account he also describes himself as a “cyber detective”.
The hack did not affect the functioning of the consulate’s website while the non-public data was being extracted from it.
“I didn’t want to do any damage, but (only) to let administrators pay attention (to the vulnerabilities),” Kapustkiy said.
“I could’ve leaked around 7,500 entries of people,” he said. “But I decided to leak only 400 entries which belong to the employees and not to the people. I could also leak their real address and zip code. But I didn’t do that.”
However, the partial list seen by IANS appeared to be information about people who had registered with the consulate rather than employees.
Kapustkiy said that he first reported the problems to the web site administrators but didn’t get a response.
“After all the media attention I gained they started to fix it,” he added.
He said that Indian officials have not contacted him.
Around 20 domains connected to the Indian missions were hacked in the past and although they have been patched, he said, “there were still some domains that were vulnerable to exploit. You could find the vulnerability in three secs.”
About his future plans, he said, “I think that I will continue to look at vulnerabilities in important websites in Asia.”
Asked about his nationality, he said, “I don’t want to tell where I’m from, but most media are claiming that I’m from the Netherlands.”