STAR HEALTH INSURANCE — AN INSIDER BREACH: Unveiling India’s Biggest Data Trade to Hackers

Rakesh Krishnan
8 min read · Oct 8, 2024


We often hear that the danger lies within. Rather than focusing only on external threats, it is important to keep a tab on your internal network and your own privileged users to thwart any chance of an attack from inside.

As data became the new oil, the data trade has gained attention on every front. Because data is vital today, it is shared among organisations, with and without your consent, and that marks your digital presence more than you think. Once your digital persona is shared, you will be flooded with messages and prompts tailored to what the data says about you.

Here unfolds the story of an insider who shared Indian customers' health records with a hacker in exchange for a handsome payment.

When managers are possessed by the devil | Credit: self-generated

On September 22, 2024, a data breach at Star Health Insurance surfaced on BreachForums, claiming about 31M customers and 7TB of data, along with a few sample records to prove the genuineness of the claim.

Post from Xenzen on the Forum

After going through the data, it was found to be legitimate. Samples were available via two Telegram bots, StarHealthLeak_CustomerData_Bot and StarHealthLeak_ClaimsData_Bot, which were later removed.

NOTE: xenzen has previously claimed to have breached Airtel and the Ministry of External Affairs' passport data.

INTELLIGENCE GATHERING

>>Identified a new domain: starhealthleak.com, registered on August 23, 2024, a month before the forum post.
>>IP addresses: 104.21.31.83 and 172.67.175.124.
>>Initially hosted with Sharktech (cloud hosting), then moved behind Cloudflare. Both IPs above sit in Cloudflare's ranges, so they are edge addresses and do not reveal the origin server.

TURNING POINT

The website is not available at the moment; however, I have managed to uncover an incident that is a critical moment in the investigation of this case.

Website: starhealthleak.com

I found video evidence in which the hacker blamed the insider for disconnecting access to the 2nd API (claims data), shown via his chat transcript with the insider.

Hacker’s Claim on the Leak Source

I will now brief the events to give a holistic view.

NOTE: The domain is currently offline, but an alternate domain exists: StarHealthLeak.st

EVENTS IN A NUTSHELL (Video Recording)

6th July 2024: At 13:15 UTC (6:45 PM IST), an employee of Star Health Insurance, which is headquartered in Chennai, initiated a conversation under the pseudonym “mc6” with the hacker “xenzen” on the private messenger Tox, offering data of a “Major Health Insurance Provider” covering Indians.

TOX Chat Transcript: 1

The data includes sensitive information such as PAN, residential address, Aadhaar number, and medical insurance records.

7th July 2024: At 11:30 UTC (5:00 PM IST), mc6 enquires how much the hacker can pay for the data. xenzen replies with “$15K in XMR”, but mc6 demands $35K in exchange for portal access. Both finally agree on $28K in XMR. mc6 agrees to create a test account (valid for one day) for the hacker. The conversation lasted until 14:20 UTC (7:50 PM IST) the same day.

TOX Chat Transcript: 2

mc6 passed the credentials to xenzen from the email account amarjeet@starhealth.in to bcpsath@proton.me:

Login: https://atom.starhealth.in/login
Username: BA0000439705
Password: Raj@55011

Email Communication between mc6 and xenzen

8th July 2024: mc6 provided his XMR address to xenzen at 07:20 UTC (12:50 PM IST).

XMR Address:
84brKgFHpk7eoP7GWHwtcZgaX2vPR4EUP2wiknuoG6KccogQGv689wtQGgGPJTYHqPeEZrvVAh93CK5vxk7rwiq1sXDax4

TOX Chat Transcript: 3

As mc6 is not familiar with XMR (Monero), he asks how to cash out via BTC. xenzen instructs him to convert to BTC using no-KYC exchanges.

mc6 received the payment of $28K in XMR by 07:56 UTC (1:26 PM IST). Upon receiving it, mc6 promises to keep the account accessible for longer and advises using an Indian VPS for faster downloads.

20th July 2024: xenzen asks for any data about medical health check-ups that can be linked directly to the patient via a government ID or photos. mc6 responds by offering a second database, which includes insurance claims and rejected applicants' data. xenzen is keen, and mc6 promises access on Monday (22nd July 2024).

22nd July 2024: xenzen pays about $15K at 13:45 UTC (7:15 PM IST), the first deal having gone smoothly. mc6 hands over credentials for the second database:

Login: spp.starhealth.in
Username: sanjay131076@gmail.com
Password: OMKAR@0707

TOX Chat Transcript: 4

25th July 2024: mc6 revokes access to the insurance claims (second) database. When xenzen asks for it back, mc6 replies that 5TB of data has already been taken and demands $150K to continue the API access, claiming that a portion of this money would go to senior management.

Email Communication: 2

Following…

Email Communication: 3

The conversation ended there, and xenzen never heard back from mc6.

Email Communication: 4

INCIDENT ANALYSIS

>The timeline shows that the insider contacted the hacker after general office hours.
>As the payment drew near, the insider used lunch time to communicate with the hacker.
>The insider used the full name “Amarjeet Khanuja” with the email address amarjeet@starhealth.in.
>This could be an impersonation attack, as the insider used the persona of the company's current CISO.
>Anyone running the IT department (with access to the database APIs and to email ID creation) could easily have mimicked the CISO.
>This is a tactical approach by the insider, who takes double cover, the hacker and an impersonated account, to mask his/her identity.
>In total, the insider made about $43K in XMR (roughly ₹35 lakh).
>It took 12 days for the hacker to exfiltrate data from the first API, which suggests a slow server; either way, a multi-day bulk pull from a one-day test account is exactly the pattern that access-log monitoring should have flagged.
>The insider does not sound technically sophisticated, since escrow and XMR were new concepts for him/her.
>The insider also claims the involvement of senior management, which could be a smart move to implicate them (even if they are unaware) and tarnish the company's reputation further.
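The indicators listed above (a freshly created test account, bulk exports spread over many days, activity outside Indian office hours, a hosting-provider source address) are all visible in ordinary API access logs. As an added example, not part of the original article or of any Star Health tooling, here is detection logic a monitoring team could run over such logs. The log format, account names, thresholds and netblocks are assumptions constructed for this example; 192.0.2.0/24 stands in for the office range and 203.0.113.0/24 for a VPS provider.

```python
"""Detection logic for the access pattern described in the incident analysis:
a fresh test account pulling bulk data night after night (IST) from a
hosting-provider address. The sample log below is constructed for this example."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
import ipaddress

IST = timezone(timedelta(hours=5, minutes=30))
BUSINESS_HOURS = (9, 18)                 # 09:00-18:00 IST, Mon-Fri
BULK_BYTES_PER_DAY = 1 << 30             # 1 GiB exported by one account in one IST day
SUSTAINED_DAYS = 3                       # distinct IST days with exports
NEW_ACCOUNT_WINDOW = timedelta(days=7)   # bulk export soon after account creation
# Hypothetical VPS/hosting netblocks (TEST-NET-3 as a stand-in); in production
# derive these from ASN data for your own environment.
HOSTING_NETS = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed log: <UTC timestamp> <account> <action> <bytes> <source ip>.
# 192.0.2.0/24 stands in for the corporate office range.
SAMPLE_LOG = """\
2024-07-07T13:50:00Z TEST0001 account_created 0 192.0.2.10
2024-07-08T17:25:00Z TEST0001 login 0 203.0.113.7
2024-07-08T17:30:00Z TEST0001 export_customers 1610612736 203.0.113.7
2024-07-09T17:35:00Z TEST0001 export_customers 1610612736 203.0.113.7
2024-07-10T17:40:00Z TEST0001 export_customers 1610612736 203.0.113.7
2024-07-09T05:40:00Z emp042 login 0 192.0.2.44
2024-07-09T05:45:00Z emp042 export_customers 5242880 192.0.2.44
"""


def parse_log(text):
    """Parse the space-separated log format into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, nbytes, ip = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "user": user,
            "action": action,
            "bytes": int(nbytes),
            "ip": ipaddress.ip_address(ip),
        })
    return events


def is_off_hours(ts_utc):
    """True outside Mon-Fri business hours in IST, the insider's local time."""
    local = ts_utc.astimezone(IST)
    start, end = BUSINESS_HOURS
    return local.weekday() >= 5 or not (start <= local.hour < end)


def from_hosting(ip):
    """True if the source address falls in a known hosting/VPS netblock."""
    return any(ip in net for net in HOSTING_NETS)


def detect(events):
    """Return {account: sorted list of alert reasons} for suspicious accounts."""
    created = {}
    bytes_per_day = defaultdict(lambda: defaultdict(int))
    reasons = defaultdict(set)
    for e in events:
        if e["action"] == "account_created":
            created[e["user"]] = e["ts"].astimezone(IST).date()
            continue
        if is_off_hours(e["ts"]):
            reasons[e["user"]].add("off_hours_activity")
        if from_hosting(e["ip"]):
            reasons[e["user"]].add("hosting_provider_source")
        if e["action"].startswith("export_"):
            day = e["ts"].astimezone(IST).date()
            bytes_per_day[e["user"]][day] += e["bytes"]
    for user, days in bytes_per_day.items():
        heavy_days = [d for d, b in days.items() if b >= BULK_BYTES_PER_DAY]
        if heavy_days:
            reasons[user].add("bulk_export")
        if len(days) >= SUSTAINED_DAYS:
            reasons[user].add("sustained_multi_day_export")
        if heavy_days and user in created and min(heavy_days) - created[user] <= NEW_ACCOUNT_WINDOW:
            reasons[user].add("new_account_bulk_export")
    return {u: sorted(r) for u, r in reasons.items() if r}


if __name__ == "__main__":
    for account, why in detect(parse_log(SAMPLE_LOG)).items():
        print(account, ", ".join(why))
```

Run stand-alone, the script flags only TEST0001; the daytime, office-network, small export by emp042 produces no alert. Each rule is weak alone (plenty of staff work late), which is why the output is a set of reasons per account rather than a single verdict: a test account that trips four of them in its first week is the case to page on.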

COMPANY’S RESPONSE: TURNING THEIR BACK ON “INSIDER THREAT”

The company has paid little attention to the insider breach angle, focusing instead on the data posted to the forum and Telegram channels.

On Thursday (26th September 2024), the company announced it would sue Telegram and Cloudflare.

Headline about the incident | Source: NDTV

Telegram's content-moderation policy has been questioned repeatedly; CEO Pavel Durov was recently charged in France with complicity in crimes committed over the platform, including the distribution of child sexual abuse material. The service has become a hotbed for CSAM and other nefarious activity.

Cloudflare is a common choice for cyber criminals who want to hide their infrastructure: many ransomware operators and malware sites sit behind its reverse proxy to conceal their real IPs. Concealing an origin IP is, in itself, a legitimate service used by millions of ordinary sites and falls under the right to privacy, so a Cloudflare edge address alone attributes nothing.

On 29th September, Cloudflare rejected the allegation that it hosts the hacker's website, stating that it merely acts as a pass-through to the origin service provider.

DATA DOES NOT GET TAKEDOWN — IT JUST RESURFACES!

Data breaches that appear on the dark web or deep web never get taken down completely. When one source is removed, another sprouts, sometimes months or years later.

Here is one such example of Star Health Data Leak:-

On September 24, the same leak appeared on other Telegram channels:

Telegram Post on same data from different Source

This account hosted the sample data on another cloud service, Proton Drive:

Star Health Insurance Sample shared

Analysing this sample shows that, unlike the first dataset, which was disorganised, this seller cleaned the data and presented it in an organised form for future sales.

NOTE: It is not yet confirmed whether this is a scammer or a genuine data broker.

This is a common scenario on forums and Telegram channels, which scammers also use to defraud buyers.

Here is another scenario in which older leaks resurface after months:

Another Data Breach focusing on Indian PII

This dataset is a combination of leaks that happened at different times, including Dunzo, RailYatri, Ixigo, boAt, BigBasket, Aditya Birla Fashion, and many more.

MY TAKE ON THE STAR HEALTH INSURANCE DATA BREACH

The Star Health Insurance incident is suspected to be an insider breach, as there is substantial evidence: the email communication, corporate credentials, and the office-hours timeline of the exchange with the hacker.

But this angle is being overshadowed by the leaks on the Telegram bots and the announcement on the forum.

The company has neither accepted nor denied the hacker's insider-breach claim.

Moreover, the focus has shifted to pressing charges against Telegram and Cloudflare, which misses the point.

All these developments point strongly to neglect of the insider threat.

Either top management is involved, as the chat with the hacker claims (or perhaps not), or the company does not want to incriminate itself over the leak, since an admitted insider breach could block approval of any cyber-insurance payout (if it is insured against cyber attacks).

Under the Digital Personal Data Protection Act, 2023, failure to take reasonable security safeguards can attract a penalty of up to ₹250 crore per instance of breach.

COMBATING INSIDER BREACH

Insider threats can only be combated through continuous monitoring of sensitive services and endpoints for both external and internal misuse: who is querying the customer and claims APIs, from where, how much, and at what hours.

Employing MFA also helps safeguard sensitive data; it would have made passed-on portal credentials useless on their own, though against a cooperating insider who controls the second factor it only raises the cost. All companies should be equipped with deception technology, which provides early detection and mitigation of a data breach.

Honeypots and decoy data are deployed as a deceptive mechanism to detect a mole or insider at the earliest stage of the attack chain; decoy records that later turn up in a leak also tell you which export, and therefore which account, they came from.

Regular audits also contribute to assessing the security posture of the company.
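The decoy-data idea above is the one control that would have answered the question this whole article circles: whose portal access produced the dump? As an added example (not the article's or the company's code), here is a minimal implementation: every account's export is seeded with synthetic customer records derived from a server-side secret, and a leaked sample is attributed by looking for those records. The customer rows, account names, secret and name lists are all constructed for the example; a real deployment would keep the secret in a KMS and check generated identifiers against the live policy table to rule out collisions.

```python
"""Decoy ("canary") records as a deception control: each portal account's
export is seeded with synthetic customers derived from a server-side secret,
so a leaked sample can be attributed to the account whose export it came from,
even after a broker has cleaned the dump and renamed or dropped columns."""
from collections import defaultdict
import hashlib
import hmac

SERVER_SECRET = b"rotate-me-and-keep-in-a-kms"   # hypothetical; never in source control
CANARIES_PER_ACCOUNT = 3
FIRST = ["Anita", "Rohan", "Priya", "Vikram", "Meera", "Arjun", "Kavya", "Sunil"]
LAST = ["Iyer", "Sharma", "Nair", "Patel", "Reddy", "Menon", "Gupta", "Bose"]

# Constructed, fictional customer rows standing in for the real database.
CUSTOMERS = [
    {"policy_no": "P1000001", "name": "Ravi Kumar", "phone": "+919810000001", "email": "ravi.k@example.com"},
    {"policy_no": "P1000002", "name": "Sneha Das", "phone": "+919810000002", "email": "sneha.d@example.com"},
    {"policy_no": "P1000003", "name": "Imran Shaikh", "phone": "+919810000003", "email": "imran.s@example.com"},
]
ACCOUNTS = ["BA-TEST-01", "emp042", "audit-ro"]   # hypothetical portal accounts


def canary_records(account_id):
    """Deterministic decoys for one account: reproducible from the secret (so
    nothing extra is stored) and distinct per account. Identifiers are drawn
    from the same shape as real ones so they do not stand out in a dump."""
    recs = []
    for i in range(CANARIES_PER_ACCOUNT):
        tag = hmac.new(SERVER_SECRET, f"{account_id}:{i}".encode(), hashlib.sha256).hexdigest()
        first = FIRST[int(tag[0], 16) % len(FIRST)]
        last = LAST[int(tag[1], 16) % len(LAST)]
        recs.append({
            "policy_no": "P" + str(1000000 + int(tag[2:8], 16) % 9000000),
            "name": f"{first} {last}",
            "phone": "+9198" + f"{int(tag[8:16], 16) % 10**8:08d}",
            # Use a mail domain you control: spam arriving here is itself an alert.
            "email": f"{first.lower()}.{tag[16:20]}@example.net",
        })
    return recs


def export_for(account_id, customers):
    """Rows the portal hands to this account: the real rows plus that account's
    canaries, ordered by a keyed hash so the decoys are not clustered at the end."""
    rows = customers + canary_records(account_id)
    return sorted(rows, key=lambda r: hashlib.sha256(f"{account_id}|{r['policy_no']}".encode()).hexdigest())


def canary_index(account_ids):
    """Map every canary identifier (policy no, phone, email) to its owning account."""
    idx = {}
    for acct in account_ids:
        for r in canary_records(acct):
            for field in ("policy_no", "phone", "email"):
                idx[r[field]] = acct
    return idx


def attribute_leak(leaked_rows, account_ids):
    """Count canary hits per account in a leaked sample. Column names may have
    been changed or dropped by the seller, so every string value is checked
    and a row counts at most once per account."""
    idx = canary_index(account_ids)
    hits = defaultdict(int)
    for row in leaked_rows:
        owners = {idx[v] for v in row.values() if isinstance(v, str) and v in idx}
        for acct in owners:
            hits[acct] += 1
    return dict(hits)


if __name__ == "__main__":
    # A broker "cleans" the dump: drops policy numbers and renames the columns.
    leaked = [{"mobile": r["phone"], "mail": r["email"]} for r in export_for("BA-TEST-01", CUSTOMERS)]
    print(attribute_leak(leaked, ACCOUNTS))
```

With three canaries per account, a cleaned sample that still contains the phone or email columns attributes to BA-TEST-01 with three hits and to nobody else; a sample made purely of real rows attributes to no one. The same index doubles as a detection feed: a lookup of a canary policy number through the portal, or a message to a canary mailbox, fires before the dump ever reaches a forum.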

Next time you come across a data breach, check for the insider angle before running after the hacker!

Follow me on Twitter/X for interesting DarkWeb/InfoSec Short findings! ;-)

NOTE:- The article is purely an Individual Research and is not subjected to be used/published anywhere without the Author’s consent.


Independent Security Researcher and Threat Analyst. Often sheds light on Dark Web. Regular contributor to Infosec Community.