NEW DELHI: An elaborate operation involving multiple agencies has been launched to track down the sender of the email to schools in Delhi-NCR, which turned out to be a hoax. Because the sender used an email ID of Russian origin, Delhi Police is writing, via Interpol, to VK, the parent company that owns the email service.
The probe has been handed over to the counter-intelligence unit of Delhi Police, which has advanced email analysis software and systems. The unit is working with several agencies, including the Indian Cyber Crime Coordination Centre (I4C), to investigate the matter. The investigators suspect the real address to have been suppressed in multiple layers of encryption and will use advanced "unmasking programmes" to identify the sender, said an officer.
The sender used the free Russian email service mail.ru, which was recently targeted by the IT wing of Ukraine's army, leading to the service being shut down. However, the mail could have been sent from anywhere using a VPN or the darknet. Mischief by an individual or a group of present and former students, who may have used IP masking techniques, is one line of inquiry being followed, but the agencies are exploring other angles too. The role of a hacker group is also being examined.
Initial technical analysis of the IP address behind the sender's email ID, Sawariim@mail.ru, shows that it was masked using a virtual private network and proxy servers. Cyber experts managed to fish out two addresses but then hit a dead end. "One was A05651C1686*****EFC1 and the other was 66.70.xxx.5xx. But these could just be smokescreens erected by the sender. We can be certain only after we get some authentic details from the originating server," said a cyber expert who didn't wish to be named.
The investigation is not focused only on tracing the sender through technical means but also on the content of the email. The content is puzzling: it quotes random Islamic verses, and the sender's name, Sawarim, also appears to derive from a nasheed (propaganda song) produced by Islamic State that speaks of bloodshed and war, themes echoed in the mail.
The large number of schools targeted has led police to believe there was proper planning, since it required obtaining the email addresses of so many schools. This list could have been either procured on the dark web or obtained through crawlers from open-source data available on the web, said a cyber cell officer.
Police are also looking into a similar hoax email sent to a children's hospital in Shahdara on Tuesday. Analysis of the sender's ID yielded around 20 IP addresses, geolocated to places including the US, South Korea, the Netherlands and Luxembourg. A similar threat was made to the airport on Monday. In both incidents, the same email ID was used.
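The two IP-tracing passages above (the masked address behind the mail.ru ID, and the roughly 20 addresses recovered from the hospital-threat sender's ID) both come down to reading an email's Received: headers. The Python below is an added example, not code from the investigation or from any agency named in this article, and the message it parses is constructed for illustration: the hostnames are hypothetical, the "public" addresses are RFC 5737 documentation ranges standing in for routable ones, and 10.0.0.5 is an RFC 1918 address standing in for a client behind NAT or a VPN. It shows the two checks a practitioner runs first: which hops were recorded by servers under the recipient's own control (the only addresses that are facts rather than claims), and whether the earliest hop is a non-routable address, in which case the origin can only come from the provider's logs.

```python
import email
import ipaddress
import re

# Constructed sample message for this example (not the hoax email). Hostnames are
# hypothetical; 203.0.113.10, 198.51.100.7 and 192.0.2.25 are RFC 5737 documentation
# addresses standing in for public ones; 10.0.0.5 stands in for a NAT/VPN client.
SAMPLE_RAW = """\
Received: from mx1.school.example (mx1.school.example [203.0.113.10])
    by mail.school.example with ESMTP id abc123; Wed, 1 May 2024 09:37:00 +0530
Received: from relay.provider.example (relay.provider.example [198.51.100.7])
    by mx1.school.example with ESMTPS; Wed, 1 May 2024 09:36:58 +0530
Received: from webmail.provider.example (webmail.provider.example [192.0.2.25])
    by relay.provider.example with ESMTP; Wed, 1 May 2024 09:36:55 +0530
Received: from [10.0.0.5] (unknown [10.0.0.5])
    by webmail.provider.example with HTTP; Wed, 1 May 2024 09:36:50 +0530
From: sender@provider.example
To: principal@school.example
Subject: test

body
"""

IPV4_RE = re.compile(r"(?:\d{1,3}\.){3}\d{1,3}")
HOP_RE = re.compile(r"\bfrom\s+(?P<peer>.+?)\s+by\s+(?P<by>\S+)")

# Address blocks that never identify an origin on the public Internet
# (checked explicitly because ipaddress.is_private also flags RFC 5737 ranges).
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16", "100.64.0.0/10",  # loopback, link-local, CGNAT
)]


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in NON_ROUTABLE)


def parse_hop(value: str) -> dict:
    """Extract the connecting peer's IP and the recording server from one Received: value."""
    text = " ".join(value.split())          # undo header folding
    m = HOP_RE.search(text)
    if m is None:                           # e.g. "Received: by ..." with no "from" clause
        by = re.search(r"\bby\s+(\S+)", text)
        return {"peer_ip": None, "by": by.group(1) if by else "", "raw": text}
    ips = IPV4_RE.findall(m.group("peer"))
    # The receiving server writes the peer's address in brackets, normally the last one.
    return {"peer_ip": ips[-1] if ips else None, "by": m.group("by"), "raw": text}


def hops_origin_first(raw: str) -> list:
    """Each relay prepends its Received: header, so reverse the list to read origin-first."""
    msg = email.message_from_string(raw)
    return [parse_hop(v) for v in reversed(msg.get_all("Received", []))]


def trace(raw: str, trusted_suffix: str) -> dict:
    """Separate what the recipient's own servers observed from what the chain claims.

    trusted_suffix is the domain of the receiving organisation's mail servers. A hop is
    a fact only if it was recorded "by" one of them; every hop below the first untrusted
    relay could have been written by the sender or by an intermediate server.
    """
    hops = hops_origin_first(raw)

    def trusted(host: str) -> bool:
        return host == trusted_suffix or host.endswith("." + trusted_suffix)

    last_reliable_ip = None
    for hop in reversed(hops):              # walk from our server back toward the origin
        if not trusted(hop["by"]):
            break
        if hop["peer_ip"]:
            last_reliable_ip = hop["peer_ip"]

    routable = [h["peer_ip"] for h in hops if h["peer_ip"] and not is_internal(h["peer_ip"])]
    origin = hops[0]["peer_ip"] if hops else None
    return {
        "peer_ips": [h["peer_ip"] for h in hops],
        "last_reliable_ip": last_reliable_ip,          # the party to send the next request to
        "earliest_routable_claimed": routable[0] if routable else None,  # unverified claim
        "origin_is_internal": origin is not None and is_internal(origin),
    }


if __name__ == "__main__":
    print(trace(SAMPLE_RAW, "school.example"))
```

On the sample, the only address the school's servers can vouch for is the provider's relay (198.51.100.7); the earliest routable address in the chain (192.0.2.25) is merely claimed by a server the recipient does not control, and the first hop is a private address, so nothing in the headers identifies the sender's network. That is why a chain of a dozen or more relay and proxy addresses across several countries is not a location fix, and why the next step is a request to the provider for its own logs, as the article describes.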
"An email was received at 9.37am on feedback.iGIAirport@gmrgroup.in from 666darktriad666@gamil.com and the sender claimed to have placed three explosive devices on a few aeroplanes and at the airport which would detonate in a few hours. The sender claimed that a group named Terrorizers111 was behind this," reads the FIR lodged by the airport police. Police are probing whether the same sender was involved in Wednesday's incidents as well.