Security analysts and war historians often argue that the next world war will be fought not on the ground, in the air or under water, but in cyberspace. China has for decades been an adversary of the United States and of European countries in this domain. Of late, Chinese hackers have also been intruding heavily into Indian cyberspace.
Ever since the border skirmishes between India and China in May 2020, Chinese hacker groups have regularly targeted Indian public sector companies and technical establishments with network intrusions.
Soon after the clash in the Galwan Valley, a Chinese hacker group popularly known as RedEcho targeted Indian power sector networks and seaports. RedEcho is allegedly part of a Chinese military intelligence unit based in Urumqi, in northwestern China.
In particular, the hackers tried to breach regional load dispatch centres across Central India, which operate the power grid by balancing electricity supply and demand.
The likely reasons for such activity are espionage and the establishment of a foothold that could be used for escalation if the two countries were to face off again.
Now, a report by Insikt Group, the US-based threat research arm of Recorded Future, whose veteran threat researchers support intelligence analysts, engineers and data scientists carrying out cyber security and intelligence analysis, states that hackers of Chinese origin launched a series of cyber-attacks against high-profile Indian targets, including Bennett Coleman And Co Ltd (BCCL) of the Times Group, the Unique Identification Authority of India (UIDAI) and the Madhya Pradesh Police department, to name a few.
INTRUSION OF THE BCCL NETWORK
Targeting international media outlets has been a long-standing practice of China-based hacking groups. Historically, news organisations such as the New York Times, the Washington Post and Bloomberg News were targeted and hacked after publishing articles that were perceived as showing China in a ‘not so right’ light.
Subsequently, the Hong Kong protests also saw multiple news networks being targeted. Now, the Insikt Group report states that multiple cyber intrusions into BCCL were carried out by a group provisionally tracked as “TAG-28”, although this is yet to be confirmed by the Times Group.
BCCL, commonly known as “The Times Group”, is a privately owned, Mumbai-headquartered company that publishes The Times of India. It operates across multiple media, including publishing, television, internet and radio.
Insikt Group reveals that between February and August 2021, four IP (internet protocol) addresses assigned to BCCL were identified to be in sustained and substantial network communication with two Winnti C2 (command-and-control) servers belonging to the hacker group, and with a third server suspected of being a Cobalt Strike C2. Cobalt Strike is a commercial adversary-simulation framework whose Beacon implant is widely abused by real intruders; a C2 server is the attacker-controlled host that Beacon calls back to for tasking.
Winnti is malware that has been used by Chinese threat actors for cybercrime and cyber espionage since 2009. Beacon, for its part, lets the intruder execute PowerShell scripts, log keystrokes, take screenshots, download files and spawn other payloads on the compromised host.
While there is no confirmation of what kind of data was accessed, the report indicates that approximately 500 MB of data was exfiltrated from the BCCL network to the attackers’ infrastructure. The Insikt team was able to attribute the intrusion to the BCCL network by identifying the registered IP addresses of BCCL that were the subject of the targeted intrusions.
They were also able to identify multiple BCCL domain names associated with the targeted IP addresses. One of the IP addresses served an SSL certificate for “*.timesnetwork[.]in”; a certificate name of this kind is what lets an analyst tie a bare IP address back to the organisation that uses it.
The group suggests that a possible motivation for the hackers would have been access to journalists and their sources, as well as pre-publication content of potentially damaging articles focusing on China or its leadership.
The report notes that these intrusions coincided with the publication of two specific stories: one on the Indian Navy’s mega exercise in the Indian Ocean on February 10, and one on the failed nexus of China, Pakistan and Turkey on February 11.
INTRUSION OF UIDAI NETWORK
The Insikt report discusses the alleged compromise of the UIDAI network between July 10 and July 20, 2021. The UIDAI is the Indian government agency responsible for the Aadhaar national identification database, which holds private, identifying and biometric information on over 1 billion people in India.
Two IP addresses registered to the UIDAI were observed communicating with the same suspected Cobalt Strike C2 server used to target BCCL. Unlike the BCCL intrusion, less than 10 MB of data was exfiltrated from the UIDAI network here, but more importantly around 30 MB of data was ingested, that is, transferred from the attacker infrastructure into the UIDAI network, which points to the possible deployment of additional malicious tooling.
While the Aadhaar database and platform have seen numerous controversies in the past over data leaks, hacks and security flaws, it remains a critical source of Personally Identifiable Information (PII) on Indian residents.
TAG-28 likely targeted the UIDAI because it owns the Aadhaar database. Large PII data sets are valuable to both nation-state and criminal threat actors for multiple purposes, including identifying high-value intelligence targets such as government officials, enabling surveillance, conducting social engineering attacks, and enriching other data sources.
The UIDAI told The Associated Press that it had no knowledge of a “breach of the nature described”.
“UIDAI has a well-designed, multi-layered robust security system in place and the same is being constantly upgraded to maintain the highest level of data security and integrity,” the agency said.
INTRUSION OF MADHYA PRADESH POLICE NETWORK
One of the Madhya Pradesh Police IP addresses was observed communicating with TAG-28’s Winnti C2 IP on June 1, 2021. This IP address serves a State Crime Records Bureau (SCRB) website (scrbofficial.mppolice.gov[.]
These communications resumed between July 27 and August 9, 2021, with less than 5 MB transferred between the two IPs. Nothing more is known as yet about why this was done or what files were exchanged.
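In all three cases above the evidence has the same shape: a victim-registered IP address in sustained contact with a known C2 address, with the outbound byte count (BCCL's ~500 MB) suggesting exfiltration and the inbound byte count (UIDAI's ~30 MB) suggesting tooling being pushed in. The following is an added example of that triage, written for this page and not code from Insikt Group or from any organisation named here. It assumes NetFlow-style records and an indicator list; the IP addresses (RFC 5737 documentation ranges), the flow records and the 1 MiB / 10 MiB thresholds are all constructed placeholders.

```python
"""Size and triage contact between internal hosts and known C2 addresses.

Added example, not from the Insikt report. Indicator IPs, flow records and
thresholds below are constructed assumptions for illustration only.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Constructed indicator feed: external IP -> label. Placeholders standing in
# for the two Winnti C2 servers and the suspected Cobalt Strike C2.
C2_INDICATORS = {
    "203.0.113.10": "winnti-c2",
    "203.0.113.11": "winnti-c2",
    "203.0.113.12": "cobalt-strike-c2",
}

# Constructed NetFlow-style records: timestamp, internal source, external
# destination, destination port, bytes sent by the internal host, bytes
# received by it. The last line is ordinary traffic that must not match.
SAMPLE_FLOWS = """\
2021-02-12T08:14:02Z,198.51.100.5,203.0.113.10,443,61440,2048
2021-02-12T09:02:41Z,198.51.100.5,203.0.113.10,443,5242880,4096
2021-03-03T11:47:19Z,198.51.100.5,203.0.113.12,443,524288,512
2021-06-01T14:20:00Z,198.51.100.9,203.0.113.11,443,8192,1024
2021-07-27T10:00:00Z,198.51.100.9,203.0.113.11,443,2097152,31457280
2021-08-09T16:30:12Z,198.51.100.9,203.0.113.11,443,1048576,2048
2021-08-09T16:31:00Z,198.51.100.7,192.0.2.50,443,4096,8192
"""


@dataclass
class Flow:
    ts: datetime
    src: str
    dst: str
    dport: int
    bytes_out: int  # sent by the internal host
    bytes_in: int   # received by the internal host


@dataclass
class Contact:
    """Aggregate of every flow between one internal host and one C2 address."""
    src: str
    dst: str
    indicator: str
    sessions: int = 0
    bytes_out: int = 0
    bytes_in: int = 0
    first_seen: Optional[datetime] = None
    last_seen: Optional[datetime] = None

    @property
    def active_days(self) -> int:
        """Inclusive calendar span of the contact; 1 means a single day."""
        return (self.last_seen - self.first_seen).days + 1


def parse_flows(text: str) -> List[Flow]:
    """Parse the CSV-style flow export; blank and '#' lines are skipped."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, out_b, in_b = line.split(",")
        flows.append(Flow(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                          src, dst, int(dport), int(out_b), int(in_b)))
    return flows


def summarize_c2_contact(flows: List[Flow],
                         indicators: Dict[str, str]) -> Dict[Tuple[str, str], Contact]:
    """Keep only flows whose destination is a known C2 IP and roll them up."""
    contacts: Dict[Tuple[str, str], Contact] = {}
    for f in flows:
        label = indicators.get(f.dst)
        if label is None:
            continue
        c = contacts.setdefault((f.src, f.dst), Contact(f.src, f.dst, label))
        c.sessions += 1
        c.bytes_out += f.bytes_out
        c.bytes_in += f.bytes_in
        c.first_seen = f.ts if c.first_seen is None else min(c.first_seen, f.ts)
        c.last_seen = f.ts if c.last_seen is None else max(c.last_seen, f.ts)
    return contacts


def triage(contacts: Dict[Tuple[str, str], Contact],
           exfil_bytes: int = 1 << 20,
           ingest_bytes: int = 10 << 20) -> Dict[Tuple[str, str], List[str]]:
    """Label each contact; a large outbound volume reads as exfiltration, a
    large inbound volume as tooling being staged. Thresholds are assumptions."""
    findings = {}
    for key, c in contacts.items():
        labels = []
        if c.bytes_out >= exfil_bytes:
            labels.append("exfiltration")
        if c.bytes_in >= ingest_bytes:
            labels.append("tooling-ingest")
        findings[key] = labels or ["beaconing-only"]
    return findings


if __name__ == "__main__":
    contacts = summarize_c2_contact(parse_flows(SAMPLE_FLOWS), C2_INDICATORS)
    for key, labels in triage(contacts).items():
        c = contacts[key]
        print(f"{c.src} -> {c.dst} ({c.indicator}): {c.sessions} sessions over "
              f"{c.active_days} day(s), out={c.bytes_out} B, in={c.bytes_in} B, "
              f"verdict={','.join(labels)}")
```

Run against real flow data, the same roll-up gives an incident responder the three facts the report leans on for each victim: how long the contact lasted, how much left, and how much came in. The inbound figure is the one most often overlooked, and it is the one that distinguishes a beacon that merely checks in from one that has just pulled down a second-stage toolkit.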
Insikt Group strongly believes that TAG-28 is a Chinese state-sponsored threat activity group tasked with gathering intelligence on Indian targets. The attribution to China rests on the group’s use of Winnti malware, which is shared exclusively among several Chinese state-sponsored activity groups, and on its targeting of at least three distinct Indian organisations in this campaign.
Be it the BCCL intrusion or, more importantly, the intrusions into the UIDAI and Madhya Pradesh Police networks, these are serious cyber security breaches that the Indian government and the technical firms in charge of building and maintaining these networks should take more seriously.
A breach of a system such as the UIDAI’s, which holds fingerprints, iris scans and photographs of close to 89 per cent of India’s population, would also yield a rich training data set for China’s facial recognition and other artificial intelligence (AI) algorithms. Real-life databases of this kind are ideally suited to training AI and machine learning models.
Aside from the criticality of the PII itself, breaches of UIDAI or Aadhaar data pose serious security challenges to individuals, since PII can be used to compromise personal bank accounts and other services.
The Insikt Group report highlights China’s continued strategic and tactical interest in India-based organisations in both the private and public sectors. The 2020 border skirmishes and the subsequent economic sanctions levied by the Indian government, banning Chinese mobile applications from the Indian market, have heightened tensions between the two nations.
Gaining access to and insight into Indian government departments and organisations will therefore likely remain of paramount interest to Chinese state-sponsored actors for the foreseeable future, as cyber operations play a key role in gathering intelligence on military technology and national security matters, in addition to political and foreign relations developments.
The most important concern is the cyber security preparedness of India and Indian companies. Several China-based hacking groups have moved on from tools such as Winnti and Cobalt Strike to newer tooling such as ShadowPad and other malware families.
Yet the intrusions described above were carried out with Winnti and Cobalt Strike, tools that have been known for years, and the Indian networks were still not protected against them. India needs to be a step ahead in protecting data in the cloud, both private and public.
The Indian government recorded 1.16 million cyber security incidents in 2020 alone, a threefold spike from 2019. In 2021, India has already seen numerous high-profile breaches of citizen data, including the leak of personal data of 4.5 million passengers of an airline.
ESTABLISHMENT OF DEFENCE CYBER AGENCY
The Government of India recently approved the establishment of a ‘Defence Cyber Agency’ under the Ministry of Defence. The agency will work towards mitigating cyber threats across all three armed services (the Indian Army, Navy and Air Force), along with the establishment of dedicated Cyber Emergency Response Teams (CERTs).
These initiatives are mainly aimed at protecting the armed forces from cyber-attacks and intrusions of any kind, especially during escalations at the border. In the past, reports indicated that China could look at destabilising India’s armed forces via cyber-attacks if a full-blown war were to break out.
The Indian Computer Emergency Response Team (CERT-In) reported around 6 lakh (600,000) cyber security incidents in the first half of 2021. This has expedited the formulation of the national cyber security strategy, which is in the final stages of approval.
India would do well to specifically protect public sector installations such as power generation plants from intrusions like the ones described above, to safeguard its national infrastructure and be ready for a future so heavily invested in cyber warfare.