A suspected Chinese state-sponsored hacking group has infiltrated three entities in India, a media conglomerate, a police department, and a government agency holding the personal information of more than a billion citizens, according to a new report from Recorded Future's Insikt Group.
“As of early August 2021, Recorded Future data shows a 261% increase in the number of suspected state-sponsored Chinese cyber operations targeting Indian organizations and companies already in 2021 compared to 2020. This follows an increase of 120% between 2019 and 2020,” the report states.
The report gave the group the provisional name TAG-28 and tied it to the Chinese state on the basis of its tooling: the malware it used, Winnti, is, in the report's words, “exclusively shared among several Chinese state-sponsored activity groups.”
The Indian media conglomerate that was hacked was Bennett Coleman and Co. Ltd. (BCCL), best known for publishing the English-language newspapers The Times of India and The Economic Times. According to the report, four IP addresses assigned to the conglomerate were in “sustained and substantial network communications” with two Winnti command-and-control servers between February and August 2021.
“We observed approximately 500MB of data being exfiltrated from the BCCL network to the malicious infrastructure,” the report states.
The Insikt Group speculated that TAG-28 had very specific motivations for wanting to hack BCCL.
“TAG-28’s targeting of BCCL is likely motivated by wanting access to journalists and their sources as well as pre-publication content of potentially damaging articles focusing on China or its leadership,” according to the report.
The Indian government agency that was compromised was the Unique Identification Authority of India (UIDAI), which collects demographic and biometric information from people in order to issue Aadhaar cards. The cards come with a 12-digit random number that serves as proof of identity in India.
According to the report, the breach of UIDAI happened between June 10 and at least July 20. Data transfer was minimal, 10 megabytes downloaded from the UIDAI network and 30 megabytes uploaded to it; the report suggested that the larger inbound volume could mean the “deployment of additional malicious tooling from the attacker infrastructure.”
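The two findings above (BCCL hosts in months-long communication with known Winnti servers and roughly 500MB leaving the network; a small but inbound-heavy transfer at UIDAI read as tooling deployment) are the kind of judgement a defender can reproduce from flow logs. The following script is an added example, not code from the Recorded Future report or this article: it aggregates NetFlow-style records per internal host and per listed bad address, measures how long the contact lasted and how many bytes moved in each direction, and labels the pair accordingly. The indicator addresses (RFC 5737 documentation ranges, not real Winnti infrastructure), the CSV flow format, the sample flows and the thresholds (7 days of contact, 100 MB outbound) are all constructed for the example.

```python
"""Flow-volume triage against a list of known-bad infrastructure.

Added example; not from the Recorded Future report or this article.
Flow format, indicator list, sample data and thresholds are constructed.
"""
from datetime import datetime, timedelta

# Constructed indicator list: RFC 5737 documentation addresses, NOT real C2 IPs.
KNOWN_C2 = {"203.0.113.10", "203.0.113.11"}

# Constructed NetFlow-style records: "timestamp,src_ip,dst_ip,dst_port,bytes".
SAMPLE_FLOWS = [
    "2021-02-03T04:12:00,10.0.0.5,203.0.113.10,443,180000000",   # sustained, large outbound
    "2021-05-14T22:01:00,10.0.0.5,203.0.113.10,443,200000000",
    "2021-08-02T01:30:00,10.0.0.5,203.0.113.10,443,140000000",
    "2021-06-10T09:00:00,10.0.0.9,203.0.113.11,8443,10000000",   # small outbound ...
    "2021-06-11T09:05:00,203.0.113.11,10.0.0.9,8443,30000000",   # ... larger inbound
    "2021-07-20T13:00:00,10.0.0.9,203.0.113.11,8443,4000",
    "2021-08-09T10:00:00,10.0.0.12,203.0.113.10,443,900",        # short-lived beaconing
    "2021-08-10T10:00:00,10.0.0.12,203.0.113.10,443,900",
    "2021-08-10T10:00:00,10.0.0.12,198.51.100.7,443,5000",       # unrelated traffic
]


def parse_flow(line):
    """Parse one constructed CSV flow record into a dict."""
    ts, src, dst, port, nbytes = line.strip().split(",")
    return {"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
            "port": int(port), "bytes": int(nbytes)}


def summarize(lines, ioc=KNOWN_C2):
    """Aggregate flows touching an indicator: keyed by (internal host, bad IP)."""
    stats = {}
    for line in lines:
        f = parse_flow(line)
        if f["dst"] in ioc:                   # internal host -> C2: bytes leaving
            key, direction = (f["src"], f["dst"]), "out"
        elif f["src"] in ioc:                 # C2 -> internal host: bytes arriving
            key, direction = (f["dst"], f["src"]), "in"
        else:
            continue
        s = stats.setdefault(key, {"first": f["ts"], "last": f["ts"],
                                   "out": 0, "in": 0, "flows": 0})
        s["first"] = min(s["first"], f["ts"])
        s["last"] = max(s["last"], f["ts"])
        s[direction] += f["bytes"]
        s["flows"] += 1
    return stats


def classify(s, min_days=7, exfil_bytes=100 * 1024 * 1024):
    """Label one host/C2 pair by duration of contact and direction of volume.

    Thresholds are assumptions for the example, not values from the report.
    """
    duration = s["last"] - s["first"]
    if s["out"] >= exfil_bytes:
        verdict = "likely-exfiltration"       # large volume leaving the network
    elif s["in"] > s["out"]:
        verdict = "possible-tool-deployment"  # more pushed in than pulled out
    else:
        verdict = "beaconing"                 # small, roughly symmetric check-ins
    return {"sustained": duration >= timedelta(days=min_days),
            "days": duration.days, "verdict": verdict}


def triage(lines, ioc=KNOWN_C2, **thresholds):
    """Return {(host, c2): classification + byte counts} for every pair seen."""
    result = {}
    for key, s in summarize(lines, ioc).items():
        entry = classify(s, **thresholds)
        entry.update(bytes_out=s["out"], bytes_in=s["in"], flows=s["flows"])
        result[key] = entry
    return result


if __name__ == "__main__":
    for (host, c2), r in sorted(triage(SAMPLE_FLOWS).items()):
        print(f"{host} -> {c2}: {r['verdict']} over {r['days']} days, "
              f"out={r['bytes_out']} in={r['bytes_in']} "
              f"({'sustained' if r['sustained'] else 'brief'})")
```

On the constructed data the 10.0.0.5 pair is flagged as sustained, likely exfiltration (520 MB out over roughly six months), the 10.0.0.9 pair as possible tool deployment (30 MB in against 10 MB out), and the 10.0.0.12 pair as brief beaconing; the flow to 198.51.100.7 never appears because it matches no indicator. In practice the indicator set would come from threat intelligence feeds, and the volume thresholds need tuning per network, since a few hundred kilobytes leaving a sensitive segment can matter as much as 500 MB leaving a newsroom.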
The UIDAI told The Associated Press that it wasn’t aware of a “breach of the nature described.”
The report said the Chinese hackers could use information from the UIDAI database to “identify high-value targets such as government officials, enabling social engineering attacks, or enriching other data sources.”
The police department, located in India’s Madhya Pradesh state, was breached between July 27 and at least Aug. 9.
“Gaining access and insight into Indian government departments and organizations will therefore likely remain of paramount interest to Chinese state-sponsored actors for the foreseeable future, as cyber operations play a key role in gathering intelligence on military technology or national security matters, in addition to political and foreign relation developments,” the report warns.