BEML, Indian Defence Contractor, Suffers Data Breach. Politically Motivated?

Update 21/06 – An actor with the alias ‘specter05′ has claimed the responsibility of the BEML leak in an email sent to Cyble team. The actor mentioned to Cyble – “To put it simply I was the one behind the leak”. The actor further claimed to be an activist and added – “I have leaked other things some of which have been covered in the past by other news sites. I have more sensitive data regarding other governments that I will leak after a certain amount of time so be ready”

Update: Cyble researchers have received further clarification from ‘R3dr0x’ directly, that it wasn’t responsible for this leak as such. The leak was made by an unknown party.

As part of our regular deepweb and darkweb sweeps, we came across an unknown actor (R3dr0x ) in one of the darkweb markets who leaked Bharat Earth Movers Limited (BEML) internal documents (as below). The leak appears to have occurred in May 2020 – quite recent. The actual leak was published on May 25.

Founded in the year 1964 from then BEML has been manufacturing a wide range of products to meet the needs of mining, construction, power, irrigation, fertiliser, cement, steel, and rail sectors. The earthmoving equipment includes bulldozers, dump trucks, hydraulic excavators, wheel loaders, rope shovels, walking draglines, motor graders and scrapers. BEML has manufacturing plants in Kolar Gold Fields, Bengaluru, Mysore and Palakkad. It has numerous regional offices throughout the country. KGF unit is the main unit accounting for the manufacture and assembly of a wide array of earth-moving equipment such as bulldozers and excavators. Rail coaches are made in the Bangalore complex, and the Mysore facility makes dump trucks and engines of various capacities.

As per our research team, the actor R3dr0x (seem to be a Pakistan actor) has targeted the part of the BEML website detailing about their Indigenisation Levels, which seem to be a warning for the extremist government of Indian that they would face in the near future for their actions.

The Cyble Research Team has identified the actor not only leaking the sensitive data files which were been downloaded from 7 email accounts of BEML employees but have also leaked a text file detailing those 7 BEML employee’s internal email addresses and their login passwords. The data leak includes multiple BEML’s email conversations, customer’s detailed records, multiple interoffice memos, freight invoices, and much more. Below are few snapshots of the leaked records from the large lot.

Leaked files
Internal Memo
List of 7 email addresses and their login passwords.
Customer’s data
Shipping or freight invoice

Conclusion: Based on the leak itself, it appears to be an act of a hacktivist or politically motivated. At this point, we have no technical evidence suggesting that the attack originated from a neighbouring or non-friendly country; however, the circumstantial pieces (actor’s message, password combinations) suggests it to be the likely the case.

We recommend people to:

  • Never share personal information, including financial information over the phone, email or SMSs
  • Use strong passwords and enforce multi-factor authentication where possible
  • Regularly monitor your financial transaction, if you notice any suspicious transaction, contact your bank immediately.
  • Turn-on automatic software update feature on your computer, mobile and other connected devices where possible and pragmatic
  • Use a reputed anti-virus and internet security software package on your connected devices including PC, Laptop, Mobile
  • People who are concerned about their exposure in darkweb can register at to ascertain their exposure.

About Cyble:

Cyble is a US-based cyber threat intelligence company with the express mission to provide organizations with real-time views of their supply chain cyber threats and risks.

Scroll to Top