Suspected Chinese Hacker Group Targets Media and Government in India, Report Says

By Frank Fang
Frank Fang
Frank Fang
journalist
Frank Fang is a Taiwan-based journalist. He covers news in China and Taiwan. He holds a master's degree in materials science from Tsinghua University in Taiwan.
September 23, 2021 Updated: September 23, 2021

A suspected Chinese state-sponsored hacking group has infiltrated three entities in India—a media conglomerate, a police department, and a government agency holding the personal information of more than a billion citizens—according to a new report.

The Insikt Group, a threat research arm of U.S.-based cybersecurity company Recorded Future, published the report on Sept. 21, saying China had a “growing strategic interest in India” in recent years.

“As of early August 2021, Recorded Future data shows a 261% increase in the number of suspected state-sponsored Chinese cyber operations targeting Indian organizations and companies already in 2021 compared to 2020. This follows an increase of 120% between 2019 and 2020,” the report states.

The report gave the hacking group a temporary name of TAG-28 and attributed the group’s affiliation to the Chinese regime by saying that the malware it used, Winnti, was “exclusively shared among several Chinese state-sponsored activity groups.”

In September 2020, five Chinese hackers, who are part of a hacking group known as “APT41” had access to Winnti malware, when they were charged by the U.S. Justice Department for allegedly stealing information from more than 100 companies and entities around the world. APT41 is known for having ties to China’s Ministry of State Security, the communist regime’s chief intelligence agency.

The Indian media conglomerate that was hacked was Bennett Coleman and Co. Ltd. (BCCL), which is best known for publishing English-language newspapers The Times of India and The Economic Times. According to the report, four IP addresses assigned to the conglomerate were in “sustained and substantial network communications” with two Winnti servers between February and August.

“We observed approximately 500MB of data being exfiltrated from the BCCL network to the malicious infrastructure,” the report states.

The Insikt Group speculated that TAG-28 had very specific motivations for wanting to hack BCCL.

“TAG-28’s targeting of BCCL is likely motivated by wanting access to journalists and their sources as well as pre-publication content of potentially damaging articles focusing on China or its leadership,” according to the report.

The Indian government agency that was compromised was the Unique Identification Authority of India (UIDAI), which collects demographic and biometric information from people in order to issue Aadhaar cards. The cards come with a 12-digit random number that serves as proof of identity in India.

According to the report, the breach against UIDAI happened between June 10 and at least July 20. There was minimal data transfer—10 megabytes of data downloaded from the UIDAI network and 30 megabytes uploaded—which the report suggested could mean the “deployment of additional malicious tooling from the attacker infrastructure.”

The UIDAI told The Associated Press that it wasn’t aware of a “breach of the nature described.”

The report said the Chinese hackers could use information from the UIDAI database to “identify high-value targets such as government officials, enabling social engineering attacks, or enriching other data sources.”

The police department located in India’s Madhya Pradesh state was breached between July 27 to at least Aug. 9.

“Gaining access and insight into Indian government departments and organizations will therefore likely remain of paramount interest to Chinese state-sponsored actors for the foreseeable future, as cyber operations play a key role in gathering intelligence on military technology or national security matters, in addition to political and foreign relation developments,” the report warns.

In a separate report published in June, the Insikt Group identified another hacking group called RedFoxtrot, which is linked to the Chinese military, for targeting companies and government organizations in countries in Central and South Asia. 

Frank Fang
Frank Fang
journalist
Frank Fang is a Taiwan-based journalist. He covers news in China and Taiwan. He holds a master's degree in materials science from Tsinghua University in Taiwan.