China continues to pose cybersecurity threats to India


Security analysts and war historians often say that the next world war will not be fought on the ground, in the air or under water, but virtually, in cyberspace. China has been a nemesis for countries like the US and those in Europe for decades. More recently, Chinese hackers have also been heavily infiltrating Indian cyberspace.

Since the border skirmishes between India and China in May 2020, Chinese hacker groups have regularly attacked Indian public sector companies and technical facilities via cybersecurity breaches.

Shortly after the clash in the Galwan Valley, a Chinese hacking group popularly known as RedEcho attempted attacks on networks in the Indian electricity sector and on seaports. The RedEcho group is allegedly part of the Chinese military intelligence service based in Urumqi in northwest China.

In particular, the hackers attempted to breach the security of the regional electricity load distribution centers across central India, which are responsible for running the electricity grid, by balancing electricity supply and demand.

The main reason for such activity is to conduct espionage, gathering information that could be used in future escalations should the two countries confront each other again.

Now, a report by the US-based Insikt Group, a team of seasoned threat researchers working with intelligence analysts, engineers, and data scientists who conduct cybersecurity and intelligence analysis, states that hackers originating in China are launching a range of cyberattacks against high-profile Indian targets, including the Times Group’s Bennett Coleman And Co Ltd (BCCL), the UIDAI (Unique Identification Authority of India) and the Madhya Pradesh Police Department, to name a few.


Targeting international media has long been common practice for China-based hacking groups. Historically, news outlets such as the New York Times, Washington Post and Bloomberg News were attacked and hacked after publishing articles that portrayed China “not quite right”.

Several news channels were also targeted during the protests in Hong Kong. Now, the Insikt Group’s report states that several cyber break-ins into BCCL have been carried out by a group with the temporary name “TAG-28”, although this has yet to be confirmed by the Times Group.

BCCL, commonly known as The Times Group, is a privately held company headquartered in Mumbai that publishes The Times of India. BCCL operates across multiple media including publishing, television, Internet, and radio.

The Insikt Group reveals that between February and August 2021, four BCCL-assigned IP (Internet Protocol) addresses were identified as being in sustained and significant network communication with two Winnti C2 servers (belonging to the hacking group) and a third server likely to be a Cobalt Strike C2, a specification that enables third-party programs to act as the communication layer for the Cobalt Strike beacon payload.

Winnti is malware that has been used by Chinese cybercrime and cyber-espionage threat actors since 2009. The Cobalt Strike beacon essentially enables the unauthorized execution of PowerShell scripts, logging of keystrokes, taking of screenshots, downloading of files, and generation of other payloads.

While it is not possible to confirm what type of data was accessed, reports suggest that files totalling approximately 500MB were exfiltrated from the BCCL network to the intruders. The Insikt team was able to establish the intrusion into the BCCL network by identifying the BCCL-registered IP addresses that were subject to the targeted attacks.

They were also able to identify multiple domain names on the BCCL network associated with the targeted IP addresses. One of the IP addresses served an SSL certificate for “*.timesnetwork[.]in”.

The group claims that a possible motivator for the hackers would have been access to journalists and their sources, as well as advance knowledge of potentially harmful articles focusing on China or its leadership before they were published.

The report shows that these break-ins coincided with the publication of two specific stories: one on February 10 discussing the Indian Navy’s mega-exercise in the Indian Ocean, and one on February 11 about the failed connection between China, Pakistan and Turkey.


The Insikt report speaks of the alleged compromise of the UIDAI database between July 10th and 20th of this year. The UIDAI is the Indian government agency responsible for the Aadhaar national identification database, which contains private, identifying and biometric information on over 1 billion Indian citizens.

It has been observed that two IP addresses registered to UIDAI were communicating with the same alleged Cobalt Strike C2 server used in the BCCL intrusion. Unlike the BCCL intrusion, less than 10MB of data was exfiltrated from the UIDAI network, but, more importantly, 30MB of data was ingested, suggesting that additional malicious tools may have been deployed from the attacker’s infrastructure.
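The evidence the report relies on, namely internal hosts in sustained contact with known C2 addresses together with the volume of data flowing out and in, is exactly what a defender can hunt for in flow logs. The following is an added example, not code from the article or from Insikt Group, of such a hunt over constructed NetFlow-style records: it aggregates bytes per internal host and C2 address, checks whether the contacts recur at regular intervals (beacon-like), and flags large outbound volume (possible exfiltration) or large inbound volume (possible tooling download). All IP addresses, byte counts, the indicator list and the thresholds are constructed placeholders or assumptions; a real hunt would use a vetted indicator feed and tune the thresholds to the environment.

```python
"""Hunt flow records for traffic to known C2 addresses (added example).

Indicator list, flow records and thresholds are constructed placeholders.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from statistics import mean, pstdev

# Hypothetical indicator list: C2 address -> attributed family (placeholders).
C2_INDICATORS = {
    "203.0.113.10": "Winnti C2 (placeholder)",
    "203.0.113.11": "Winnti C2 (placeholder)",
    "198.51.100.7": "Cobalt Strike C2 (placeholder)",
}

# Constructed flow log: timestamp,src,dst,bytes_out,bytes_in
# 10.20.0.5 checks in with a C2 every 5 minutes, then pushes ~500 MiB to
# a second C2; 10.30.0.8 pulls ~30 MiB down from that second C2 at
# irregular times; the 93.184.216.34 line is ordinary, unlisted traffic.
SAMPLE_FLOWS = """\
2021-02-10T09:00:00,10.20.0.5,203.0.113.10,1200,400
2021-02-10T09:05:00,10.20.0.5,203.0.113.10,1180,380
2021-02-10T09:10:00,10.20.0.5,203.0.113.10,1210,410
2021-02-10T09:15:00,10.20.0.5,203.0.113.10,1190,390
2021-02-10T09:20:00,10.20.0.5,203.0.113.10,1200,400
2021-02-10T09:25:00,10.20.0.5,203.0.113.10,1205,395
2021-02-10T10:00:00,10.20.0.5,93.184.216.34,2400,15000
2021-02-10T10:02:00,10.20.0.5,198.51.100.7,524288000,8192
2021-07-12T03:10:00,10.30.0.8,198.51.100.7,900000,31457280
2021-07-12T11:47:00,10.30.0.8,198.51.100.7,4000,300
2021-07-13T22:05:00,10.30.0.8,198.51.100.7,5000,250
"""


@dataclass
class FlowSummary:
    host: str        # internal source address
    c2: str          # matched indicator address
    label: str       # family name from the indicator list
    bytes_out: int   # total bytes host -> C2
    bytes_in: int    # total bytes C2 -> host
    count: int       # number of flows
    beacon_like: bool


def parse_flows(text):
    """Parse CSV flow lines into (timestamp, src, dst, bytes_out, bytes_in)."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, b_out, b_in = line.split(",")
        flows.append((datetime.fromisoformat(ts), src, dst, int(b_out), int(b_in)))
    return flows


def looks_like_beacon(timestamps, min_conns=3, max_cv=0.2):
    """True when contacts recur at near-constant intervals.

    Uses the coefficient of variation of the inter-arrival gaps; a low value
    means the timing is regular, as with an implant's scheduled check-ins.
    """
    if len(timestamps) < min_conns:
        return False
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    avg = mean(gaps)
    return avg > 0 and pstdev(gaps) / avg <= max_cv


def summarise_c2_traffic(flows, indicators=C2_INDICATORS):
    """Aggregate flows whose destination is a listed C2 address."""
    buckets = defaultdict(list)
    for ts, src, dst, b_out, b_in in flows:
        if dst in indicators:
            buckets[(src, dst)].append((ts, b_out, b_in))
    summaries = []
    for (host, c2), recs in sorted(buckets.items()):
        summaries.append(FlowSummary(
            host, c2, indicators[c2],
            sum(r[1] for r in recs), sum(r[2] for r in recs),
            len(recs), looks_like_beacon([r[0] for r in recs])))
    return summaries


def triage(summary, exfil_threshold=100 * 1024 * 1024,
           tooling_threshold=10 * 1024 * 1024):
    """Return the analyst notes that apply to one host/C2 pair (thresholds assumed)."""
    notes = []
    if summary.beacon_like:
        notes.append("regular beaconing")
    if summary.bytes_out >= exfil_threshold:
        notes.append("possible bulk exfiltration")
    if summary.bytes_in >= tooling_threshold:
        notes.append("possible tooling download")
    return notes


if __name__ == "__main__":
    for s in summarise_c2_traffic(parse_flows(SAMPLE_FLOWS)):
        print(f"{s.host} -> {s.c2} [{s.label}] flows={s.count} "
              f"out={s.bytes_out} in={s.bytes_in}: {', '.join(triage(s)) or 'review'}")
```

Any contact with a listed C2 address is worth a ticket on its own; the beaconing and volume checks only order the queue, and the inbound check matters because, as with the 30MB ingested in the UIDAI case, a download from attacker infrastructure usually means more tooling has landed than the initial implant.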

While the Aadhaar database and platform have seen numerous controversies in the past regarding data leaks, hacks, and security breaches, they remain a vast and critical source of PII (Personally Identifiable Information) on Indian citizens.

The TAG-28 group likely targeted the UIDAI because of its ownership of the Aadhaar database. Large PII datasets are valuable to both nation-state and criminal threat actors for a number of reasons, including identifying potentially high-value intelligence targets such as government officials, enabling surveillance, performing social engineering attacks, or enriching other data sources.

The UIDAI told The Associated Press that it was not aware of any “violation of the nature described”.

“UIDAI has a well-designed, layered, robust security system that is constantly updated to ensure the highest levels of data security and integrity,” said the agency.


One of the IP addresses of the Madhya Pradesh Police communicated with the Winnti C2 IP of TAG-28 on June 1, 2021. This IP address serves a website of the State Crime Records Bureau (SCRB) ([.]in), which provides links to various web and mobile applications operated by SCRB.

That communication resumed between July 27th and August 9th of this year, resulting in less than 5MB transferred between the two IPs. Why this happened, or which files were exchanged, is currently unknown.


Insikt Group firmly believes that TAG-28 is a Chinese state-sponsored threat activity group tasked with gathering intelligence on Indian targets. Its attribution to China is based on the group’s use of Winnti malware, which is shared solely among several Chinese government-sponsored activity groups, and on its targeting of at least three different Indian organizations in this campaign.

Be it the BCCL intrusion or, more importantly, the UIDAI and Madhya Pradesh Police networks, these are serious cybersecurity breach incidents, and the Indian government and tech firms (those responsible for building and maintaining these networks) should take them more seriously.

Penetrating systems like the UIDAI, which holds fingerprints, retinal scans, and photos of nearly 89 percent of India’s population, yields a rich training set for improving China’s facial recognition and artificial intelligence systems and algorithms. Such real-world databases are ideally suited for training AI (artificial intelligence) algorithms and machine learning platforms.

Aside from the criticality of the PII itself, data breaches in the UIDAI or Aadhaar databases pose very serious security challenges for individuals, since their personal bank accounts and other services can be compromised using that PII.

The Insikt Group’s report highlights China’s continued strategic and tactical interest in India-based organizations, in both the private and public sectors. The 2020 border skirmishes and the subsequent economic sanctions by the Indian government banning Chinese mobile applications from the Indian market have created heightened tensions between the two nations.

Gaining access to and insights into Indian government departments and organizations is therefore likely to remain of great interest to Chinese state-sponsored actors for the foreseeable future, as cyber operations play a key role in collecting information on military technology and national security issues, in addition to political ones and the development of external relations.

The most important thing to worry about is the cybersecurity readiness of India and Indian companies. Several China-based hacking groups have moved on from tools like Winnti and Cobalt Strike to newer ones like ShadowPad and other malware families.

But the intrusions mentioned above were carried out using the Winnti and Cobalt Strike attack platforms, and the Indian networks were not protected against such well-known cyber threat tools. India needs to be one step ahead in protecting data in the cloud, both private and public.

It is a fact that the Indian government recorded 1.16 million cybersecurity-related incidents in 2020 alone, a three-fold increase from 2019. In 2021, India has seen numerous high-profile hacks of citizen data, including the leak of the personal data of 4.5 million airline passengers.


The Indian government recently approved the establishment of a Defense Cyber Agency under the Ministry of Defense. This agency will work to contain cyber threats across all three armed forces (Indian Army, Navy and Air Force) and to set up dedicated Cyber Emergency Response Teams (CERT).

These initiatives are mainly aimed at protecting the armed forces from any kind of cyber attack or break-in, especially during times of escalation at the border. In the past, reports suggested that China could attempt to destabilize India’s armed forces with cyberattacks should a full-blown war break out.

The Indian Computer Emergency Response Team (CERT-In) reported around 6 lakh cybersecurity incidents in the first half of 2021. This has accelerated the formulation of the national cybersecurity strategy, which is in the final stages of approval.

India will then be well positioned to protect its public corporations, such as power plants, from cybersecurity attacks like the ones above, to protect its national installations, and to be prepared for a future in which so much is invested in cyber warfare.

