State sponsored Chinese hacking group suspected to have targeted an Indian media conglomerate and other public institutes

22ND SEPTEMBER 2021- A US based cyber security company claims to have uncovered evidence that an Indian media conglomerate, a police department, and the agency responsible for handling the national identification database have been hacked. The US based cyber security company further suggested that those behind on the hack likely belong to a state sponsored Chinese hacking group. 

The Insikit Group, the branch of Massachusetts based Recorded Future responsible for threat research said that the hacking group, temporarily referred to as TAG-28, utilised the Winnti malware, a malware solely used by several Chinese state sponsored groups.  

These allegations of state sponsored hacking remain repeatedly denied by Chinese authorities, who countered with the claim that China is a major target of cyber security attacks.   

Relations between India and China are currently strained, with further tensions escalated by repeated border clashes that occurred last year and this year. In the report, the Insikit Group suggested that the cyberattacks are associated with those border tensions.  

The Insikit Group reported that “as of early August 2021, Recorded Future data shows a 261% increase in the number of suspected state-sponsored Chinese cyber-operations targeting Indian organizations and companies already in 2021 compared to 2021”.  

The group also reported that four IP addresses attached to the Bennett Coleman and Co Ltd media conglomerate have been in “sustained and substantial network communications” with two Winnti servers between February and August. Approximately 500 megabytes of data was stolen from the media conglomerate, whose publications include The Times of India.  

The content of the data is unknown however it should be noted that the company frequently broadcasts the tensions between China-India relations. It is believed that the hackers were incentivised by the gain “access to journalists and their sources as well as pre-publication content of potentially damaging articles”.   

The chief information officer for Bennett Coleman and Co Ltd commented that CERT-In, the government agency that handles cybersecurity threats reported to them news of the suspected hack and handled it several weeks prior. The data under threat was in the “DNS queries category, which got blocked/dropped at our defence infrastructure”. The hack was classified as “non-serious alerts and false alarms”.  

The Insikit Group also reported that in a similar manner, 5 megabytes of data was stolen from the police department of Madhya Pradesh state, whose chief minister Shrivaj Singh Chouhan called for a boycott of Chinese manufactured goods following the June 2020 border clash between the two nations.   

No further comments have been voiced by the chief minister.  

Further stated in the report, a compromise occurred between June and July in the UIDAI (Unique Identification Authority of India), the government agency that oversees the national identification database. It was reported that 10 megabytes of data was downloaded from the network and that approximately 30 megabytes were uploaded, “indicating the deployment of additional malicious tooling from the attacker infrastructure.” The data is of high security as the data could be used to identify government officials and other high ranking public officials.  

The UIDAI denied this claim and assured that the “UIDAI has a well-designed, multi-layered robust security system in place and the same is being constantly upgraded to maintain the highest level of data security and integrity”.  

Recorded Future stated that prior to publication, those targeted by the hackers were notified and provided with full findings of the report.  

UPDATE 24TH SEPTEMBER 2021 

China’s Foreign Ministry denounces the report composed by the US based cyber security company as “entirely made up”.  

The Foreign Ministry stated that “this cyber security company has repeatedly fabricated similar incidents to smear the Chinese government”.  

The Indian government agency also denied the report, assuring the encryption of its database and that the data was only accessible to those with multi-factor authentication.  

Bennett and Coleman & Co also denied the report, stating that the “alleged exfiltration” was thwarted by its cyber-security defences.