The Intelligence Bureau and two national cyber security agencies – CERT-In and NCIIPC – have joined the probe into the ransomware attack on state-run explorer Oil India Ltd’s (OIL) headquarters at Duliajan in Assam on April 10 asking for a ransom of $75,00,000 (Rs 57 crore), sources sai, Trend reports citing The Times of India.
The level of the Centre’s response to the first publicly known cyber attack on an Indian oil company is significant as it comes within less than two months of alleged China-backed hackers targeting – without success – seven power grid controllers in the northern region.
The deployment of IB and the Central cyber security agencies indicates the government is not treating the attack on OIL as a wanton cyber extortion activity and wants to find out the possible role of cyber criminal syndicates or foreign-backed players.
Two representatives from each of these agencies reached Duliajan on Friday to join the probe by the local police following an FIR filed by OIL two days back.
Separately, OIL has also engaged a Delhi-based private cyber security agency with international exposure to look into the attack and chart a restoration road map after sanitising the IT infrastructure.
Company spokesperson Tridib Hazariak told TOI the attack affected a few servers and 3-4 individual work stations.
“Drilling operations and production are normal. We are making normal transactions as our SAP system is functional. Most of the data is safe since the infected servers were isolated. Currently being shared through other modes as and when required as our system has been disconnected from the internet,” he said.
“The impact was limited because the attack came on a Sunday when only a handful of workstations were in use. When those working reported network outages, the IT department immediately isolated them and disconnected the Internet to save data and the IT infrastructure from being corrupted,” he said.
Though the malware is yet to be identified, Hazarika said the private cyber security agency has “identified the course of action” and working on diagnosing, disinfecting and restoring. “It will be a gradual process. Even the unaffected servers and workstations will have to undergo diagnosis before being restored section by section.This may take some time.”
Asked about possible losses, Hazarika said the forward-looking language of the FIR saying “there may be some financial implications”, referring to the as-yet unknown aspects of the attack, was being interpreted as loss to the company or the exchequer. There is no loss as such, as of now, he said.