NEW DELHI: The notorious ransomware group known as Bashe has claimed responsibility for a breach of ICICI Bank’s database, one of India’s most prominent banking institutions. Reports circulating on the dark web indicate that the hackers have imposed a ransom deadline of January 24, 2025, threatening to release sensitive customer data should their demands not be met. Accompanying this claim was a warning emphasizing that failure to comply will lead to public exposure of the stolen information.
The hacking collective Bashe has gained notoriety for targeting high-value organizations and has allegedly acquired confidential data from ICICI Bank. Although the bank has not yet made any formal acknowledgment of the breach, discussions about it are proliferating across forums frequented by cybercriminals online. In a disturbing sign of their intent, the attackers featured a countdown timer leading to the ransom deadline, alongside an option for the bank to “purchase the data immediately.”
Bashe, which surfaced in April 2024, is linked to LockBit, a prominent group in the realm of cyber extortion. This collective has made its presence felt by targeting sectors such as finance, healthcare, logistics, and technology across numerous countries, including India, the United States, and many European nations. Employing advanced tactics and operating from a Tor-based infrastructure believed to be housed in the Czech Republic, Bashe maintains a veil of anonymity, making it difficult for law enforcement to trace their activities. Their tactics appear highly organized, capitalizing on threats of exposure to maximize ransom demands.
Historically, this is not Bashe’s first incursion into the Indian banking sector. In December 2024, the group claimed to have breached Federal Bank, reportedly accessing a database with over 630,000 entries. Such incidents underscore the increasing vulnerability of financial institutions to ransomware attacks. With ICICI Bank now purportedly in their sights, the threat level posed by Bashe continues to escalate, highlighting the heightened risks confronting the global banking infrastructure.
Despite these serious allegations, ICICI Bank has not provided any official comments regarding the breach. Previous instances of similar claims against the institution have occurred; notably, in April 2023, an investigation by Cybernews indicated that ICICI Bank had leaked sensitive customer data due to a system misconfiguration, which the bank denied. Given that the Indian government designated ICICI Bank’s operations as "critical information infrastructure" in 2022, any breach could have significant implications for national security.
As cybercriminals increasingly target institutions like ICICI Bank, the potential fallout from a successful breach raises concerns about sensitive customer data exposure, reputational damage, and erosion of consumer trust. The implications are profound for a bank with complex digital infrastructure serving millions of customers, which makes it a prime target for malicious actors.
The current landscape is further complicated by the association between Bashe and LockBit, a group known for its involvement in high-profile cyberattacks. This relationship accentuates the urgency for a coordinated multi-faceted approach from organizations, especially in the banking sector, to bolster their defenses and prepare for potential cyber threats.
In analyzing the potential tactics used in this breach, one can draw upon the MITRE ATT&CK framework. The attack could involve tactics such as initial access, where attackers gain entry through phishing or exploiting vulnerabilities, followed by privilege escalation, where they acquire higher-level permissions to access sensitive data. Persistence techniques may also have been employed to ensure continued access to the compromised systems. The context of this breach serves as a critical reminder of the risks faced by financial institutions and the need for enhanced cybersecurity measures in the face of evolving threats.
It is crucial to note that ICICI Bank has not publicly acknowledged any breach at this point. The information above therefore stems solely from dark web monitoring and the group’s own claims, reflecting the complex nature of cybersecurity threats in today’s digital landscape.