Sensitive defence data leaked: Secret documents and weapon designs exposed
- In Reports
- 12:24 AM, Mar 30, 2025
- Myind Staff
A massive security breach has exposed classified defence data, including engineering designs of a weapon system, details of a new Air Force facility, a procurement plan, and India's strategic collaborations with other nations. The data, allegedly stolen by a hacker group, has been put up for sale, raising serious national security concerns.
Hacker Group Claims Responsibility
The ransomware group Babuk Locker 2.0 announced on March 10, 2025, that it had exfiltrated 20 terabytes of data from the Defence Research and Development Organisation (DRDO). The leaked information, which the group claimed to have obtained from DRDO’s systems, reportedly includes classified defence documents and a repository of credential logs. A sample of 753 MB from the leak was publicly released.
However, DRDO officials denied any breach within their organisation, asserting that the leaked data did not originate from their systems. They refrained from providing further clarification about the incident.
Source of the Data Leak
An analysis conducted by cybersecurity firm Athenian Tech suggested that the stolen data appeared to have been extracted from the device of Puneet Agarwal, a former Defence Ministry official who served as Joint Secretary between 2019 and 2021. The compromised information includes his Aadhaar details, financial records, and personal travel documents, indicating that the breach did not occur within DRDO’s core IT infrastructure.
The leaked data also contained sensitive evacuation protocols for the President, Prime Minister, and other VVIPs in the event of an aerial attack, escalating the severity of the national security risk.
Extent of the Breach and International Links
Among the classified information in the leaked sample were details regarding the upgrade of the T9 Bhishma Tank and India’s defence partnerships with Finland, Brazil and the United States.
Screenshots of conversations between Athenian Tech and Babuk Locker 2.0 revealed that the hackers communicated in the Indonesian language, suggesting that they could be based in Indonesia. However, after further examination, Athenian Tech concluded that the hacker group might have exaggerated the scale of the breach.
Security Implications and Cyber Vulnerabilities
The exposure of such confidential defence files highlights major cybersecurity vulnerabilities within India’s critical defence infrastructure. The presence of highly classified information on a personal device raises concerns about endpoint security weaknesses, improper data handling policies, and potential insider threats.
Athenian Tech’s report emphasised the urgency of implementing stringent cybersecurity measures, stating, "The exposure of confidential defence files—even from a single system—highlights an urgent need for stringent cybersecurity measures, improved access controls and proactive monitoring to prevent further exposures of critical defence data."
If the hackers indeed accessed a credential repository, the security implications could be severe. Stolen credentials could be exploited to infiltrate additional systems, compromising even more sensitive defence data.