Chinese State-Backed Hackers Targeted India's Government Agency And Times Group Using Winnti Malware

Over the years, several cybersecurity investigations have highlighted China’s state-sponsored hacking campaign, targeting foreign governments, businesses and intellectual property. Recently, a probe by United States’ Massachusetts-based cybersecurity company has revealed that the latest targets of the Chinese cybercriminals include an Indian government agency and one of the biggest media organisations in the country.

American cybersecurity company Recorded Future, as India continues to be a target of hostile cyber activities carried out by Chinese state-sponsored hacking, has identified “suspected intrusions” targeting the Indian media house Bennett Coleman And Co Ltd (BCCL), also known as the Times Group, which publishes the Times of India; the Unique Identification Authority of India (UIDAI), which contains the private biometric information of more than 1 billion citizens of India — the identification database also known as Aadhaar — and the Madhya Pradesh Police department.

In a report Recorded Future said: “These intrusions were conducted by an activity group we track using a temporary designation, TAG-28”.

It also stated that while targeting news organisations is not a newly adopted tactic by the cybercriminals, considering the previous attacks on New York Times, Washington Post and Bloomberg News as well as pro-democracy news outlets in Hong Kong by Chinese hackers, “TAG-28’s Winnti campaign targeting BCCL is the latest in a long line of targeted intrusions against international media outlets”.

As reported, even though the report noted that during intrusions tracked between June and July of this year, the Indian authority's networks were believed to have been breached, it is unclear what information was obtained.

The UIDAI claimed it was unaware of the incident and that its database was encrypted. The government agency also stated that the database was only accessible to users who had completed multifactor authentication. As reported by Bloomberg, the agency said that it had a “robust security system in place” that was upgraded frequently to maintain the “highest level of data security and integrity”.

The cybersecurity investigation also revealed that between February and August, data was stolen from the BCCL, however, it was unclear what data was stolen. Bur the media house denied the report, claiming that its cybersecurity measures prevented the "alleged exfiltration". Additionally, in an internal security report, Rajeev Batra, the Times Group's chief information officer, labelled the attacks as "non-serious alerts and false alarms".

Modus Operandi

Recorded Future said it identified suspicious network traffic patterns between servers used by the government agency and media company and servers used to administer and control the hackers' malware using a combination of detection techniques and traffic analysis data.

In the report, the firm stated: “Based on our visibility, Insikt Group [Recorded Future’s team of veteran threat researchers] strongly believes TAG-28 is a Chinese state-sponsored threat activity group tasked with gathering intelligence on Indian targets. Our attribution to China is predicated on their use of Winnti malware, which is exclusively shared among several Chinese state-sponsored activity groups, and their targeting of at least 3 distinct Indian organizations in this campaign.”

In addition to data being allegedly funnelled, Recorded Future believes that malicious software was likely embedded inside the agency's and media businesses' computer networks, allowing hackers to extract data on demand.

According to Jonathan Condra, the lead analyst on Recorded Future’s report, from the media company's networks, he was able to monitor "sustained communications” over the course of a single five-day session. He added that there were also strong indications that the communications originated within the Times' computer networks and were directed to malicious servers, suggesting “a successful implant communicating outwards".

Regarding the Winnti malware, Condra said that it is an old hacking tool and over the years, it has been shared by a vast number of Chinese APT groups.

However, another tool called Cobalt Strike was used by cybercriminals. It is a network defensive tool that has been adopted by threat actors, not just in China but worldwide as a means of putting ambiguity into attribution efforts, said Condra.

According to Recorded Future, the number of suspected state-sponsored Chinese cyber activities targeting Indian companies increased by 261 per cent from 2020 to August of this year amid escalating tension between the two countries. According to Condra, the suspected incursions date back to the outset of a violent confrontation between Indian and Chinese forces at a Himalayan border post.

The firm believes that the UIDAI was targeted due to its biometric database, while the data theft is yet to be established. According to Condra, the ability to possibly identify government officials, enable social engineering attacks, or add to data previously obtained on possible targets is the value of such mass personal identity data. Similarly, the report claimed that The Times Group could have been targeted because of its coverage of India-China tensions, which was likely driven by a desire to get access to journalists and their sources.