Security analysts and war historians often cite that the next world war will be fought not on land, in the air or underwater, but virtually in the cyber world. China has for decades been a sworn enemy of countries like the United States and Europe. Chinese hackers have also entered Indian cyberspace a lot lately.
Since the border skirmishes between India and China in May 2020, Chinese hacker groups have regularly targeted Indian public sector companies and technical establishments via cybersecurity loopholes.
Shortly after the clash in the Galwan Valley, a group of Chinese hackers known as RedEcho attempted to target India’s power grids and seaports. The RedEcho group is said to be part of the Chinese military intelligence unit based in Urumqi, in northwest China.
In particular, the hackers attempted to breach the security of regional power distribution centers in central India, responsible for operating the power grid by balancing the supply and demand for electricity.
The main reasons for carrying out such activity will be to spy or carry out espionage activities and use it for future escalations if the two countries were to have another confrontation.
Now, a report by the U.S.-based Insikt Group, made up of a team of seasoned threat researchers who support intelligence analysts, engineers, and data scientists who perform cybersecurity and intelligence analysis, states that hackers with their origins in China have launched a series of cyber attacks against prominent Indian targets including Bennett Coleman And Co Ltd (BCCL) of The Times Group and the UIDAI (Unique Identification Authority of India) and the Police Department of Madhya Pradesh to name a few.
INTRUSION OF THE BCCL NETWORK
The method of targeting international media has been a long-standing practice for Chinese-based hacking groups. Historically, news agencies such as the New York Times, Washington Post and Bloomberg News have been targeted and hacked when they perceive that some of the articles published by these networks show China in a “not so fair” way. .
Subsequently, the Hong Kong protests also saw several targeted news networks. Now the Insikt group report states that several cyber intrusions were carried out by a group temporarily named “TAG-28” on the BCCL although the same has not yet been confirmed by the Times group.
BCCL, commonly referred to as “The Times Group”, is a private Mumbai-based company that publishes The Times of India. BCCL operates in several media, including publishing, television, Internet and radio.
The Insikt group reveals that between February and August 2021, four IPs (internet protocol) assigned to BCCL were identified as being in sustained and substantial network communication with two Winnti C2 servers (belonging to the hacker group) and a third probably belonging to the Cobalt Strike C2 group which is a specification that allows third-party programs to act as a communication layer for the Cobalt Strike Beacon payload.
Winnti is malware that has been used by Chinese cybercrime and cyber espionage threat actors since 2009. The beacon primarily assists in unauthorized execution of PowerShell scripts, logging keystrokes, taking screenshots, downloading files and generating other payloads.
Although there is no possible confirmation of the type of data being viewed, reports indicate that files with an approximate value of 500MB of data have been exfiltrated from the BCCL network to the intruders. The Insikt team was able to claim the intrusion of the BCCL network thanks to the identification of the registered IP addresses of the BCCL which were the subject of targeted intrusions.
They were also able to identify several domain names from the BCCL network that were associated with the targeted IP addresses. One of the IP addresses served an SSL certificate as “* .timesnetwork[.]in.”.
The group says a possible motivator for the hackers would have been access to journalists and their sources as well as pre-publication content of potentially damaging articles focused on China or its leadership.
The report reveals that these intrusions coincided with the publication of two specific articles that discussed the Indian Navy’s mega exercise in the Indian Ocean on February 10 and the failed link between China, Pakistan and Turkey on the 11th. February.
INTRUSION OF THE UIDAI NETWORK
The Insikt report talks about the alleged compromise of the UIDAI database between July 10 and July 20 of this year. UIDAI is the Indian government agency responsible for the Aadhaar National Identification Database. It contains private, identifying and biometric information for over one billion Indian citizens.
Two IP addresses registered with the UIDAI were observed communicating with the same suspected Cobalt Strike C2 server used to target BCCL. Unlike the case of the BCCL intrusion, here less than 10MB of data was exfiltrated from the UIDAI database, but more importantly, 30MB of data was ingested, indicating a possible deployment of additional malicious tools from of the attacker’s infrastructure.
Although the Aadhaar database and platform has seen a lot of controversy in the past regarding data breaches, hacks and security breaches, it still remains a huge critical source of PII (Personally Identifiable Information) from citizens. Indians.
The TAG-28 group likely targeted the UIDAI because of its ownership of the Aadhaar database. Large PII datasets are valuable to both nation states and criminal threat actors for multiple purposes, including potentially identifying high-value intelligence targets such as government officials, enabling surveillance , carry out social engineering attacks or enrich other data sources.
UIDAI told The Associated Press it was not aware of a “violation of the nature described.”
“UIDAI has a well-designed, robust, multi-layered security system and it is constantly being upgraded to maintain the highest level of security and data integrity,” the agency said.
INTRUSION OF THE MADHYA PRADESH POLICE NETWORK
One of the Madhya Pradesh Police Group IP addresses was communicating with TAG-28’s Winnti C2 IP address on June 1, 2021. This IP address serves a State Crime Records Bureau (SCRB) website (scrbofficial.mppolice. gov[.]
These communications resumed between July 27 and August 9 of this year resulting in a transfer of less than 5MB between the two IPs. Nothing more is known for the moment on why this was done or on the files exchanged.
The Insikt Group strongly believes that the TAG-28 is a Chinese state sponsored threat activity group tasked with gathering intelligence on Indian targets. Their attribution to China is based on their use of the Winnti malware, which is exclusively shared among several Chinese state-sponsored activity groups, and their targeting of at least three separate Indian organizations in this campaign.
Whether it is the BCCL intrusion or, more importantly, the intrusions into the UIDAI and Madhya Pradesh police network, these are serious cases of computer security breaches and the Indian government and tech companies (which are in charge of building and maintaining these networks) should take it more seriously.
The intrusion into systems such as the UIDAI, which owns the fingerprints, retinal scans and photographs of nearly 89% of the Indian population, is a brilliant training data set to improve recognition machines and algorithms. facial and artificial intelligence from China. Such real databases are best suited for training AI (artificial intelligence) algorithms and machine learning platforms.
Besides the criticality of PIIs, data breaches in UIDAI or Aadhaar databases can pose very high security concerns to individuals and their personal bank accounts and other functions can be hacked with PII.
This Insikt Group report highlights China’s continued strategic and tactical interest in India-based organizations, both in the private and public sectors. The 2020 border skirmishes and subsequent economic sanctions imposed by the Indian government banning Chinese mobile apps from the Indian market have increased tensions between the two countries.
Access and understanding of Indian government departments and organizations will therefore likely remain of primary interest to Chinese state sponsored actors for the foreseeable future, as cyber operations play a key role in gathering intelligence on the technology. military or national security issues, in addition to political issues. and the evolution of external relations.
The most important thing to worry about is the cybersecurity readiness of India and Indian companies. Several China-based hacking groups have stopped using tools like Winnti and Cobalt to tackle newer technologies like Shadowpad and other malware families.
But the aforementioned intrusions were carried out using the Winnti and Cobalt strike rigs. Indian networks were not protected against such cyber threat tools. India needs to be ahead of the curve when it comes to protecting data in the cloud, both private and public.
It is a fact that the Indian government recorded 1.16 million cybersecurity-related incidents in 2020 alone, a peak three times that of 2019. In 2021, India has already seen numerous hacks. high profile citizen data, including the personal data leak of 4.5 million airline passengers.
CREATION OF A CYBER DEFENSE AGENCY
The Indian government recently approved the creation of the Defense Cyber Agency, under the Ministry of Defense. This agency will work to mitigate cyberthreats in the three armed services (Indian army, navy and air force) as well as the establishment of cybersecurity emergency response teams ( CERT).
These initiatives are mainly aimed at protecting the armed forces from any type of cyberattack or intrusion, especially during border escalation. In the past, reports have indicated that China may consider destabilizing the Indian armed forces through cyber attacks in the event that war breaks out.
The Indian Computer Emergency Response Team (CERT-In) reported around 6 lakh of cybersecurity incidents during the first half of 2021. This accelerated the formulation of the national cybersecurity strategy, which is in progress. final approval phase.
India will be well placed to specifically protect its public sector companies such as power plants from cybersecurity intrusions like the ones mentioned above to protect its domestic facilities and be ready for the future that is so heavily invested in cyber warfare. .