Annexure-I
Explanation for Types of Cyber Security
Incidents to be Reported to CERT-In
i. Targeted scanning/probing of critical networks/systems
Targeted network scanning/probing is the gathering of information about critical
computing systems and networks, which impacts the confidentiality of those systems.
Adversaries use it to identify reachable network hosts, services and applications, the
presence of security devices and known vulnerabilities, in order to plan attack
strategies.
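Scanning of this kind leaves a recognisable trace in perimeter logs: one source touching many ports on one host (a vertical scan) or one port across many hosts (a horizontal sweep) within a short time. The following detector is an added example, not part of the CERT-In annexure; the log line format, the addresses and the thresholds (five distinct ports or hosts within sixty seconds) are assumptions made for illustration.

```python
"""Flagging targeted scanning from firewall logs (added example, not part of
the CERT-In annexure). Log format, addresses and thresholds are assumed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed firewall log lines (not real traffic), one connection attempt each.
SAMPLE_LOG = """\
2022-05-16T10:00:01 DROP SRC=203.0.113.7 DST=10.0.0.5 DPT=21
2022-05-16T10:00:01 DROP SRC=203.0.113.7 DST=10.0.0.5 DPT=22
2022-05-16T10:00:02 DROP SRC=203.0.113.7 DST=10.0.0.5 DPT=23
2022-05-16T10:00:02 DROP SRC=203.0.113.7 DST=10.0.0.5 DPT=25
2022-05-16T10:00:03 ACCEPT SRC=203.0.113.7 DST=10.0.0.5 DPT=80
2022-05-16T10:00:03 DROP SRC=203.0.113.7 DST=10.0.0.5 DPT=135
2022-05-16T10:00:04 DROP SRC=203.0.113.7 DST=10.0.0.5 DPT=139
2022-05-16T10:00:04 DROP SRC=203.0.113.7 DST=10.0.0.5 DPT=445
2022-05-16T10:01:00 ACCEPT SRC=198.51.100.4 DST=10.0.0.5 DPT=443
2022-05-16T10:01:30 ACCEPT SRC=198.51.100.4 DST=10.0.0.5 DPT=80
2022-05-16T10:02:00 DROP SRC=192.0.2.9 DST=10.0.0.1 DPT=445
2022-05-16T10:02:01 DROP SRC=192.0.2.9 DST=10.0.0.2 DPT=445
2022-05-16T10:02:02 DROP SRC=192.0.2.9 DST=10.0.0.3 DPT=445
2022-05-16T10:02:03 DROP SRC=192.0.2.9 DST=10.0.0.4 DPT=445
2022-05-16T10:02:04 DROP SRC=192.0.2.9 DST=10.0.0.5 DPT=445
2022-05-16T10:02:05 DROP SRC=192.0.2.9 DST=10.0.0.6 DPT=445
"""

LINE_RE = re.compile(r"^(\S+) (ACCEPT|DROP) SRC=(\S+) DST=(\S+) DPT=(\d+)$")


def parse_log(text):
    """Return (timestamp, action, src, dst, dport) for each well-formed line."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append((datetime.fromisoformat(m.group(1)), m.group(2),
                            m.group(3), m.group(4), int(m.group(5))))
    return records


def max_distinct_in_window(events, window):
    """events: (timestamp, value) pairs. Largest number of distinct values
    observed inside any sliding window of the given length."""
    events = sorted(events)
    counts, best, left = {}, 0, 0
    for ts, value in events:
        counts[value] = counts.get(value, 0) + 1
        while ts - events[left][0] > window:        # expire the oldest events
            old = events[left][1]
            counts[old] -= 1
            if counts[old] == 0:
                del counts[old]
            left += 1
        best = max(best, len(counts))
    return best


def detect_scans(text, window=timedelta(seconds=60), port_threshold=5, host_threshold=5):
    """Return alerts for vertical scans (one source probing many ports on one
    host) and horizontal sweeps (one source probing one port on many hosts).
    Accepted and dropped attempts both count: a scan touches open and closed ports alike."""
    ports_per_pair = defaultdict(list)   # (src, dst)   -> [(ts, dport)]
    hosts_per_port = defaultdict(list)   # (src, dport) -> [(ts, dst)]
    for ts, _action, src, dst, dport in parse_log(text):
        ports_per_pair[(src, dst)].append((ts, dport))
        hosts_per_port[(src, dport)].append((ts, dst))
    alerts = []
    for (src, dst), events in ports_per_pair.items():
        n = max_distinct_in_window(events, window)
        if n >= port_threshold:
            alerts.append(("vertical_scan", src, dst, n))
    for (src, dport), events in hosts_per_port.items():
        n = max_distinct_in_window(events, window)
        if n >= host_threshold:
            alerts.append(("horizontal_sweep", src, dport, n))
    return alerts


if __name__ == "__main__":
    for alert in detect_scans(SAMPLE_LOG):
        print(alert)
```

On the constructed log this raises two alerts, for 203.0.113.7 probing eight ports on 10.0.0.5 and for 192.0.2.9 sweeping port 445 across six hosts, while the ordinary client 198.51.100.4 stays below threshold. A slow scan spread over hours will not trip a sixty-second window; production detection should also keep longer-horizon counters per source.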
ii. Compromise of critical systems/information
Gaining control of a computer resource without permission, typically through
exploitation of a vulnerability. Attack methods for compromise may include shoulder
surfing, social engineering, exploitation of software vulnerabilities, sophisticated
malware, etc.
Compromise of critical systems/information may impact all core aspects of cyber
security viz. confidentiality, integrity and availability.
iii. Unauthorised access of IT systems/data
Accessing systems or data without authorisation, thereby impacting the confidentiality
of the system. Such incidents may involve compromised systems, poor security
controls, weak credentials and/or privilege escalation.
iv. Defacement of website or intrusion into a website and unauthorised changes
such as inserting malicious code, links to external websites etc.
Defacement typically refers to website compromise with the intention of altering the
appearance of a webpage. Some defacement attacks also insert new web pages. Such
attacks primarily affect the integrity of the website.
A more sinister form of website compromise involves the insertion of malicious
script/code or links to external websites for the purpose of spreading malware. This
attack typically produces no visible change in the website's appearance and is therefore
harder to detect and prevent.
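Because the injected-content variant is invisible in the browser, the practical control is an integrity check of the published files against a known-good baseline, combined with a scan of the HTML for active content or links pointing at hosts the site does not own. The following monitor is an added example, not part of the CERT-In annexure; the site snapshots, the hostnames (example.org, attacker.example) and the allowed-host list are constructed for illustration.

```python
"""Website integrity check for defacement and injected content (added
example, not part of the CERT-In annexure). Site contents, hostnames and
the allowed-host list are constructed for illustration."""
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts the site may legitimately load active content from or link to (assumed).
ALLOWED_HOSTS = {"www.example.org", "static.example.org"}

# Constructed snapshot of a small site: path -> file contents.
ORIGINAL_SITE = {
    "index.html": b"""<html><head><title>Example Dept</title>
<link rel="stylesheet" href="/style.css">
<script src="https://static.example.org/app.js"></script>
</head><body><h1>Welcome</h1><p>Public services portal.</p></body></html>""",
    "about.html": b"<html><body><h1>About</h1></body></html>",
    "style.css": b"body { font-family: sans-serif; }",
}

# The same site after a compromise: index.html altered and injected, a new page added.
COMPROMISED_SITE = {
    "index.html": b"""<html><head><title>Example Dept</title>
<link rel="stylesheet" href="/style.css">
<script src="https://static.example.org/app.js"></script>
<script src="https://attacker.example/m.js"></script>
<script>eval(unescape("%61%6c%65%72%74%28%31%29"))</script>
</head><body><h1>Welcome</h1><p>Public services portal.</p>
<a href="https://attacker.example/pharm" style="display:none">cheap pills</a>
<iframe src="https://attacker.example/frame" width="0" height="0"></iframe>
</body></html>""",
    "about.html": b"<html><body><h1>About</h1></body></html>",
    "style.css": b"body { font-family: sans-serif; }",
    "hacked.html": b"<html><body><h1>Owned by xyz</h1></body></html>",
}


class _ActiveContentFinder(HTMLParser):
    """Collects script/iframe/object/embed sources and links that point to hosts
    outside the allow-list, plus inline scripts using common obfuscation calls."""
    TAG_ATTRS = {"script": "src", "iframe": "src", "object": "data",
                 "embed": "src", "a": "href"}
    SUSPICIOUS_CALLS = ("eval(", "unescape(", "fromCharCode(", "document.write(")

    def __init__(self, allowed_hosts):
        super().__init__()
        self.allowed = set(allowed_hosts)
        self.findings = []
        self._in_inline_script = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        attr = self.TAG_ATTRS.get(tag)
        if attr and attrs.get(attr):
            host = urlparse(attrs[attr]).hostname   # None for relative URLs
            if host and host not in self.allowed:
                self.findings.append((tag, attrs[attr]))
        if tag == "script" and not attrs.get("src"):
            self._in_inline_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_inline_script = False

    def handle_data(self, data):
        if self._in_inline_script and any(c in data for c in self.SUSPICIOUS_CALLS):
            self.findings.append(("inline-script", data.strip()[:60]))


def baseline(files):
    """Record a SHA-256 per file from a known-good copy of the site."""
    return {path: hashlib.sha256(content).hexdigest() for path, content in files.items()}


def check_site(files, baseline_hashes, allowed_hosts):
    """Compare the current site against the baseline and scan HTML for injected content."""
    report = {
        "modified": sorted(p for p in files if p in baseline_hashes
                           and hashlib.sha256(files[p]).hexdigest() != baseline_hashes[p]),
        "added": sorted(files.keys() - baseline_hashes.keys()),
        "removed": sorted(baseline_hashes.keys() - files.keys()),
        "external_refs": {},
    }
    for path, content in files.items():
        if not path.endswith((".html", ".htm")):
            continue
        finder = _ActiveContentFinder(allowed_hosts)
        finder.feed(content.decode("utf-8", errors="replace"))
        if finder.findings:
            report["external_refs"][path] = finder.findings
    return report


if __name__ == "__main__":
    print(check_site(COMPROMISED_SITE, baseline(ORIGINAL_SITE), ALLOWED_HOSTS))
```

The hash comparison catches both the visible defacement (the added hacked.html) and the silent one (the changed index.html); the parser then explains what changed by listing the off-site script, the zero-size iframe, the hidden link and the obfuscated inline script. The baseline must be taken from a copy the attacker cannot write to, otherwise a compromise that also rewrites the baseline goes unnoticed.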
16 May 2022
v. Malicious code attacks such as spreading of Virus/Worm/Trojan/Bots/
Spyware/Ransomware/Cryptominers
Malicious code or malware is software designed to infiltrate or damage a computer
system without the owner’s informed consent. Malicious code is hostile, intrusive, or
annoying software or program code and could impact confidentiality, integrity as well
as availability of the system.
Virus: A computer virus replicates itself by modifying other computer programs and
inserting its own code. It is not a standalone program; it attaches itself to other system
processes, programs or documents.
Worm: A computer worm is a standalone malware computer program that replicates
itself in order to spread to other computers.
Trojan: A Trojan horse is any malware that misleads users as to its true intent.
Bots: A bot, short for "robot", is a type of malware that performs automated tasks on
commands from malicious actors; a set of infected devices under such control is a botnet.
Spyware: Spyware is software with malicious behaviour that aims to gather
information about a person or organization and send it to another entity.
Ransomware: A type of malicious software designed to block access to a computer
system, commonly by encrypting the files on the system, until a sum of money is paid.
Cryptominers: Malicious code designed to hijack the idle processing power of a victim's
device and use it to mine cryptocurrency.
vi. Attack on servers such as Database, Mail and DNS and network devices such as
Routers
DNS Hijacking is the modification of DNS records with the intention of redirecting the
victim to malicious domains/IPs. DNS Cache Poisoning involves corrupting a DNS
server's cache with fake values, causing the name server to return incorrect results and
thereby redirecting the victim to malicious domains/IPs. Routers are the traffic
controllers of the Internet and ensure the flow of information from source to destination.
Routing disruption could lead to large-scale routing errors resulting in disruption of
Internet communications.
Compromise of Mail / Database servers impacts all core aspects of cyber security viz.
confidentiality, integrity and availability.
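Cache poisoning works by racing the genuine answer with forged responses, so the resolver-side defence is to accept a response only when its source port, transaction ID and question section all match an outstanding query, and to cache only records for the name that was asked about (a bailiwick check). The stub resolver below is an added example, not part of the CERT-In annexure and not the code of any real resolver; it builds a minimal uncompressed DNS wire format with its own helpers, and the names, addresses and seed are constructed.

```python
"""Validating DNS responses in a stub resolver (added example, not part of
the CERT-In annexure). Uses a minimal wire format built by the helpers
below; names, addresses and ports are constructed for illustration."""
import random
import struct


def _encode_name(name):
    """Encode a dotted name as DNS labels, uncompressed."""
    out = b"".join(bytes([len(label)]) + label.encode("ascii")
                   for label in name.rstrip(".").split("."))
    return out + b"\x00"


def _decode_name(msg, offset):
    """Decode a (possibly compressed) name; returns (name, end_offset)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:              # compression pointer
            if end is None:
                end = offset + 2
            offset = ((length & 0x3F) << 8) | msg[offset + 1]
            hops += 1
            if hops > 16:
                raise ValueError("pointer loop")
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels).lower(), (offset if end is None else end)


def build_query(txid, qname, qtype=1):
    return (struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
            + _encode_name(qname) + struct.pack("!HH", qtype, 1))


def build_response(txid, qname, answers, qtype=1):
    """answers: list of (owner_name, ipv4) A records."""
    msg = (struct.pack("!HHHHHH", txid, 0x8180, 1, len(answers), 0, 0)
           + _encode_name(qname) + struct.pack("!HH", qtype, 1))
    for owner, ip in answers:
        rdata = bytes(int(o) for o in ip.split("."))
        msg += _encode_name(owner) + struct.pack("!HHIH", 1, 1, 300, len(rdata)) + rdata
    return msg


class StubResolver:
    """Keeps outstanding queries keyed by (source port, transaction ID) and
    accepts only responses that match one of them on every field."""

    def __init__(self, rng=None):
        self.rng = rng or random.SystemRandom()
        self.pending = {}          # (port, txid) -> (qname, qtype)
        self.cache = {}            # (qname, qtype) -> [ip, ...]

    def send_query(self, qname, qtype=1):
        txid = self.rng.randrange(1 << 16)
        port = self.rng.randrange(1024, 65536)   # source-port randomisation
        self.pending[(port, txid)] = (qname.lower(), qtype)
        return port, build_query(txid, qname, qtype)

    def receive(self, port, msg):
        txid, flags, qd, an, _ns, _ar = struct.unpack_from("!HHHHHH", msg, 0)
        if not flags & 0x8000:
            return "rejected: QR bit not set"
        if (port, txid) not in self.pending:
            return "rejected: no outstanding query with this port/txid"
        qname, qtype = self.pending[(port, txid)]
        if qd != 1:
            return "rejected: unexpected question count"
        name, off = _decode_name(msg, 12)
        rtype, _rclass = struct.unpack_from("!HH", msg, off)
        off += 4
        if (name, rtype) != (qname, qtype):
            return "rejected: question section does not match our query"
        ips, dropped = [], 0
        for _ in range(an):
            owner, off = _decode_name(msg, off)
            rtype, _rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
            off += 10
            rdata, off = msg[off:off + rdlen], off + rdlen
            # Bailiwick check: cache only records for the name we asked about;
            # anything else riding along in the answer is dropped.
            if owner != qname or rtype != qtype:
                dropped += 1
                continue
            ips.append(".".join(str(b) for b in rdata))
        del self.pending[(port, txid)]       # one response per query
        self.cache[(qname, qtype)] = ips
        return "accepted (%d record(s) cached, %d off-bailiwick dropped)" % (len(ips), dropped)


def run_scenario():
    """Replay a poisoning attempt against the resolver; returns the outcomes."""
    r = StubResolver(random.Random(2022))      # fixed seed so the run repeats
    port, query = r.send_query("www.example.org")
    txid = struct.unpack_from("!H", query)[0]
    legit = [("www.example.org", "192.0.2.10")]
    poison = [("www.example.org", "203.0.113.66")]
    out = {}
    # 1. Attacker floods guessed responses: wrong txid, then wrong port.
    out["wrong_txid"] = r.receive(port, build_response(txid ^ 0x5A5A, "www.example.org", poison))
    out["wrong_port"] = r.receive((port + 1) % 65536, build_response(txid, "www.example.org", poison))
    # 2. Right port and txid but for a different question.
    out["wrong_question"] = r.receive(port, build_response(txid, "mail.example.org", poison))
    # 3. Genuine answer carrying an extra, off-bailiwick record.
    out["legit"] = r.receive(port, build_response(
        txid, "www.example.org", legit + [("login.bank.example", "203.0.113.66")]))
    out["cached"] = r.cache[("www.example.org", 1)]
    # 4. A late or replayed copy is rejected because the query is no longer pending.
    out["replay"] = r.receive(port, build_response(txid, "www.example.org", poison))
    return out
```

The random source port and transaction ID give the attacker roughly 2^32 combinations to guess within the window before the genuine answer arrives; without port randomisation only the 16-bit ID protects the cache. The bailiwick check is what stops a legitimate-looking answer from smuggling a record for an unrelated name into the cache.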
vii. Identity Theft, spoofing and phishing attacks
Identity theft is the crime of obtaining the personal or financial information of another
person in order to use their identity to commit fraud.
Spoofing is a technique used to conduct identity theft in which one person or program
successfully masquerades as another by falsifying data, thereby gaining an
illegitimate advantage.
Phishing is an attack aimed at stealing sensitive personal data that can lead to online
fraud. Phishing is also used to obtain users' credentials for espionage. Such incidents
primarily target the confidentiality of the system and/or user.
viii. Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks
A Denial of Service (DoS) attack is an attempt to make a computer resource unavailable
to its intended users.
A Distributed Denial of Service (DDoS) attack occurs when multiple
compromised/misconfigured computer systems flood the communication link
(bandwidth) or the resources (CPU, memory) of a targeted system.
ix. Attacks on Critical infrastructure, SCADA and operational technology systems
and Wireless networks
SCADA systems are used for monitoring and remotely controlling geographically
distributed processes from a centralised location. They have been incorporated for
operational purposes in most critical infrastructure.
Sophisticated malware is used by threat actors to target SCADA systems. The effect of
these attacks can range from espionage to disruption of essential services.
This type of incident impacts all core aspects of cyber security, viz. confidentiality,
integrity and availability.
x. Attacks on Application such as E-Governance, E-Commerce etc.
Application software is often affected by vulnerabilities such as SQL Injection, Cross
Site Scripting (XSS), Cross-Site Request Forgery (CSRF) etc. Attackers leverage these
vulnerabilities to target important infrastructure such as E-Governance and
E-Commerce systems. Such cyber-attacks on E-Governance and E-Commerce
applications may adversely impact the availability of services and impair the
confidentiality and integrity of data/information.
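The two most common of the vulnerabilities named above come from the same mistake: untrusted input is concatenated into a query or a page instead of being passed as data. The snippet below is an added example, not part of the CERT-In annexure and not code from any real E-Governance application; it shows a login query built by string formatting next to its parameterised form, and an unescaped greeting next to its HTML-escaped form. The table, the users and the payloads are constructed (passwords are stored in clear only to keep the example short; a real application stores salted hashes).

```python
"""SQL injection and XSS: vulnerable form beside the hardened form (added
example, not part of the CERT-In annexure). Table, users and payloads are
constructed for illustration."""
import html
import sqlite3


def _setup():
    """In-memory database with two constructed accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE,"
                 " password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (username, password, role) VALUES (?, ?, ?)",
                     [("admin", "c0rrect-horse", "admin"), ("citizen1", "pass123", "user")])
    return conn


def login_vulnerable(conn, username, password):
    """Builds the SQL by string formatting: the user controls the query text."""
    sql = ("SELECT username, role FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    return conn.execute(sql).fetchone()


def login_hardened(conn, username, password):
    """Parameterised query: the driver sends the values separately from the SQL,
    so quotes and comment markers in the input are never parsed as SQL."""
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ? AND password = ?",
        (username, password)).fetchone()


def render_greeting_vulnerable(name):
    """Inserts user-supplied text straight into the page (stored/reflected XSS)."""
    return "<p>Welcome, %s</p>" % name


def render_greeting_hardened(name):
    """Output-encodes for the HTML text context before insertion."""
    return "<p>Welcome, %s</p>" % html.escape(name, quote=True)


def demo():
    """Run the classic payloads through both versions and return the outcomes."""
    conn = _setup()
    # The comment marker "--" truncates the password check in the vulnerable query:
    #   ... WHERE username = 'admin'--' AND password = 'anything'
    payload_user, payload_pass = "admin'--", "anything"
    xss_payload = "<script>alert(1)</script>"
    return {
        "vuln_injected": login_vulnerable(conn, payload_user, payload_pass),
        "hard_injected": login_hardened(conn, payload_user, payload_pass),
        "hard_legit": login_hardened(conn, "admin", "c0rrect-horse"),
        "xss_vuln": render_greeting_vulnerable(xss_payload),
        "xss_hard": render_greeting_hardened(xss_payload),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

With the vulnerable login the payload admin'-- authenticates as the administrator without a password; the parameterised version treats the same string as a literal username and finds no such account. Note that the hardened query still returns the legitimate row for correct credentials, so the fix costs nothing functionally. CSRF, the third vulnerability named above, is addressed separately by binding state-changing requests to an unguessable per-session token.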
xi. Data Breach
A Data Breach is a cyber-incident in which information is stolen or taken from a system
without the knowledge or authorisation of the system's owner. Stolen data may include
sensitive, proprietary or confidential information such as credit card numbers, customer
data, trade secrets or intellectual property. Most data breaches are caused by
unpatched vulnerabilities, hacking or malware attacks.
Data Breaches primarily result in loss of confidentiality of the information.
xii. Data Leak
A Data Leak is the release of sensitive, confidential or protected data to an untrusted
environment. Leaked data can be used by threat actors for malicious activities. Leaks
may have accidental causes such as a lack of proper safeguards to protect data,
improper configuration, user error, backdoors, vulnerabilities etc.
Like a Data Breach, a Data Leak results in loss of confidentiality of the information.
xiii. Attacks on Internet of Things (IoT) devices and associated systems, networks,
software, servers
Attacks targeting IoT devices such as cameras, routers, DVRs and wearables are
increasing. A compromised device then acts as an intrusion point from which attackers
gain access to the organisation's internal network, leading to disruption of services,
data theft and possible espionage, amongst others. IoT devices have also been targeted
for building botnets such as Mirai.
This type of incident impacts all core aspects of cyber security, viz. confidentiality,
integrity and availability.
xiv. Attacks or incident affecting Digital Payment systems
The rise of the digital payment landscape is coupled with increasing cyber-incidents and
attacks on digital payment infrastructure. Attackers target digital payment instruments,
the IT infrastructure of financial institutions and depositors, the SWIFT network and
ATM switches using a variety of attack techniques such as vulnerability exploitation,
sophisticated malware etc.
This leads to breaches of financial and customer data, financial fraud, a decline in user
trust and confidence in the digital ecosystem, and loss of reputation for the organisation.
Attacks or incidents on Digital Payment systems target the confidentiality and/or
integrity of systems and data; serious incidents also often result in non-availability of
systems.
xv. Attacks through Malicious mobile Apps
With smart phones becoming the primary computing devices for consumers, and with
their increasing use in the corporate world, smart phones have become lucrative targets
for compromise through the mobile apps available in app stores.
Malicious mobile Apps typically target the confidentiality of the data stored and
processed on the mobile.
xvi. Fake mobile Apps
Fake apps are apps created by cybercriminals to cause harm to users and their devices.
They are designed to resemble legitimate apps but instead carry out malicious activities.
Fake Apps fall into two broad categories: Counterfeits (fake apps that imitate a real one)
and Repackages (taking an existing app and repackaging it – for example, for showing
ads or for inserting malicious code). Both types are also available in the mobile app
stores.
Fake mobile Apps primarily target confidentiality of the data stored and processed on
the mobile.
xvii. Unauthorised access to social media accounts
Unauthorised access to social media accounts occurs when a malicious user gains access
to someone else's social media account without their consent or knowledge. An attacker
may use a variety of techniques to obtain the credentials of a victim's social media
account, including phishing, key loggers, Man-In-The-Middle (MITM) attacks, social
engineering, session hijacking, passwords saved in the browser's password manager etc.
Unauthorised access to social media accounts of legitimate organisations may result in
the propagation of fraudulent messages and could impact the confidentiality, integrity
and availability of the affected accounts.
xviii. Attacks or malicious/suspicious activities affecting Cloud computing
systems/servers/software/applications
As with conventional computing, cloud computing is also exposed to targeted attack by
malicious actors. The vulnerabilities include cloud API vulnerabilities, weak
cryptography, exposed data repositories and unauthorised access to victims' cloud
credentials.
This type of incident impacts all core aspects of cyber security, viz. confidentiality,
integrity and availability.
xix. Attacks or malicious/suspicious activities affecting systems/servers/networks/
software/applications related to Big Data, Block chain, virtual assets, virtual asset
exchanges, custodian wallets, Robotics, 3D and 4D Printing, additive
manufacturing, Drones
Developments in the fields of Big Data, Block chain, virtual asset exchanges, custodian
wallets etc. have given rise to new cyber security challenges. Emerging technologies are
being increasingly adopted by businesses, thereby increasing the dependency of
business on cyber space, enlarging the attack surface and evolving the threat landscape.
Each of the abovementioned areas is highly specialised and has its own risks and threats
if reasonable security practices are not followed.
This type of incident impacts all core aspects of cyber security, viz. confidentiality,
integrity and availability.
xx. Attacks or malicious/suspicious activities affecting systems/servers/software/
applications related to Artificial Intelligence and Machine Learning
Attacks that target Machine Learning models with the intention of causing a malfunction
are a growing threat. These attacks employ techniques such as deceptive data,
environment manipulation etc. to corrupt the model and cause it to behave
erroneously.
This type of incident could impact the confidentiality, integrity and availability of the
affected system.
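One concrete form of "deceptive data" is training-data poisoning: an attacker who can feed samples into the training pipeline adds mislabelled or extreme records so that the resulting model misclassifies the attacker's own traffic. The script below is an added example, not part of the CERT-In annexure; the classifier (a nearest-centroid model over two features, requests per minute and error ratio), the training data, the poison records and the attacker's traffic point are all constructed for illustration. It also shows one mitigation, a median rather than mean prototype per class, which holds as long as the poison is a minority of that class.

```python
"""Training-data poisoning against a nearest-centroid classifier (added
example, not part of the CERT-In annexure). Data, labels and feature
names are constructed for illustration."""
import math
from statistics import mean, median

# Constructed training data: ((requests per minute, error ratio), label).
BENIGN = [((1, 0.02), "benign"), ((2, 0.05), "benign"), ((3, 0.04), "benign"),
          ((2, 0.08), "benign"), ((1.5, 0.03), "benign")]
MALICIOUS = [((40, 0.50), "malicious"), ((55, 0.70), "malicious"),
             ((60, 0.60), "malicious"), ((45, 0.55), "malicious"),
             ((50, 0.65), "malicious")]
# Deceptive samples the attacker slips into the training feed: extreme values
# carrying the "malicious" label, which drag that class prototype away from
# the attacker's real operating point.
POISON = [((200, 0.90), "malicious"), ((210, 0.95), "malicious"),
          ((190, 0.85), "malicious")]
# What the attacker actually sends once the model is deployed.
ATTACKER_TRAFFIC = (48, 0.60)


def _distance(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def train(samples, aggregate=mean):
    """One prototype per class: each feature aggregated over the class samples."""
    by_label = {}
    for features, label in samples:
        by_label.setdefault(label, []).append(features)
    return {label: tuple(aggregate(column) for column in zip(*rows))
            for label, rows in by_label.items()}


def predict(model, features):
    """Label of the nearest class prototype."""
    return min(model, key=lambda label: _distance(model[label], features))


def run_scenario():
    """Train clean, poisoned and robustly aggregated models; return their verdicts."""
    clean = train(BENIGN + MALICIOUS)
    poisoned = train(BENIGN + MALICIOUS + POISON)
    # Mitigation: with poison below half of the class, the median prototype barely moves.
    robust = train(BENIGN + MALICIOUS + POISON, aggregate=median)
    return {
        "clean": predict(clean, ATTACKER_TRAFFIC),
        "poisoned": predict(poisoned, ATTACKER_TRAFFIC),
        "robust": predict(robust, ATTACKER_TRAFFIC),
        "malicious_prototype_mean": poisoned["malicious"],
        "malicious_prototype_median": robust["malicious"],
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(key, "->", value)
```

On the constructed data the clean model labels the attacker's traffic "malicious", the poisoned model labels it "benign" because three extreme records have pulled the malicious prototype from about 50 to about 106 requests per minute, and the median-based model labels it "malicious" again. Robust aggregation is only one layer; provenance controls on the training feed and monitoring of prototype drift between retrains are what detect the poisoning itself.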