[BreachExchange] Indian government, media targeted by Chinese hackers: Report

Thu Oct 7 14:38:58 EDT 2021

https://www.dailysabah.com/world/asia-pacific/indian-government-media-targeted-by-chinese-hackers-report

A state-sponsored Chinese group hacked an Indian media conglomerate, a
police department and the agency responsible for the country's national
identification database, a U.S.-based private cybersecurity company said
Wednesday.

The Insikt Group, the threat research division of Massachusetts-based
Recorded Future, said the hacking group, given the temporary name TAG-28,
made use of Winnti malware, which it said is exclusively shared among
several Chinese state-sponsored activity groups.

Chinese authorities have consistently denied any form of state-sponsored
hacking and said China itself is a major target of cyberattacks.

The allegation has the possibility of increasing friction between the two
regional giants, whose relations have already been seriously strained by a
border dispute that has led to clashes this year and last year.

In its report, the Insikt Group suggested the cyberattack could be related
to those border tensions.

“As of early August 2021, Recorded Future data shows a 261% increase in the
number of suspected state-sponsored Chinese cyber operations targeting
Indian organizations and companies already in 2021 compared to 2020,” the
organization said in a report.

The Insikt Group said it detected four IP addresses assigned to the Bennett
Coleman And Co. Ltd. media company in “sustained and substantial network
communications” with two Winnti servers between February and August.

It said is observed approximately 500 megabytes of data being extracted
from the network of the privately owned Mumbai company, whose publications
include The Times of India.

Insikt said it could not identify the content of that data, but noted that
the company frequently publishes reports on China-India tensions, and that
the hack was likely motivated by “wanting access to journalists and their
sources as well as pre-publication content of potentially damaging
articles.”

Rajeev Batra, chief information officer for Bennett Coleman, said the
company also received information on the suspected hack from CERT-In, the
government agency that deals with cybersecurity threats, and responded to
it several weeks ago.

Most of the data was in the “DNS queries category, which got
blocked/dropped at our defense infrastructure,” he said in an emailed
comment. The company's own investigation of the hack classified the
incident as “non-serious alerts and false alarms,” he said.

The Insikt Group said it also observed about 5 megabytes of data
transferred in a similar fashion from the police department of Madhya
Pradesh state, whose chief minister, Shivraj Singh Chouhan, called for a
boycott of Chinese products after June 2020 border clashes with India.

The police department did not immediately respond to an email seeking
comment.

As the group was investigating the Bennett Coleman hack, it said it also
identified a compromise in June and July of the Unique Identification
Authority of India, or UIDAI, the government agency that oversees the
national identification database.

In that case, it detected about 10 megabytes of data downloaded from the
network and almost 30 megabytes uploaded, “possibly indicating the
deployment of additional malicious tooling from the attacker
infrastructure.”

It suggested such a database could be used by hackers to identify
“high-value targets, such as government officials, enabling social
engineering attacks or enriching other data sources.”

UIDAI told The Associated Press that it had no knowledge of a “breach of
the nature described.”

“UIDAI has a well-designed, multi-layered robust security system in place
and the same is being constantly upgraded to maintain the highest level of
data security and integrity,” the agency said.

Recorded Future said all victims of the hacks were notified ahead of the
publication of the report and provided with its full findings.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20211007/0a8fde4f/attachment.html>