A U.S.-based company Recorded Future has released a report which says a hacking group sponsored by China hacked The Times of India (ToI) group, Aadhaar issuer UIDAI, and Madhya Pradesh Police Department.
The company says the TAG-28 hacking group used Winnti malware- an exclusive malware that several such Chinese state-sponsored groups use, including the APT41/ Barium group which allegedly breached Air India.
Earlier this year, the same company had claimed that the Chinese state-sponsored group, Red Echo had caused the Mumbai blackouts on October 13, 2020. It said, “Red Echo has been seen to systematically utilize advanced cyber intrusion techniques to quietly gain a foothold in nearly a dozen critical nodes across the Indian power generation and transmission infrastructure.” The company had reported its finding to Cert-In.
Potential reasons for the attacks
Recorded Future’s threat research division Insikt Group says it has identified further suspected intrusions into ToI, UIDAI, and MP Police. IT says the group targeted UIDAI since the agency stores personally identifiable information in bulk. The data could help the Chinese government officials identify high-value targets and use the intelligence further.
About the attack on ToI, the group says TAG-28 likely attacked the news organisation for the want of access to journalists and their sources as well as pre-publication content which could potentially damage China’s image.
500 MB Data Exfilatrated From BCCL (ToI)
Insikt Group says it was able to identify 4 IP addresses, between February 2021 to August 2021, which the hacking group targeted. The group says, ” Although we cannot confirm what data specifically was accessed, we observed approximately 500 MB of data being exfiltrated from the BCCL network to the malicious infrastructure.”
The group was able to attribute the attacked infrastructure to ToI from the fact that 2 of the target IP addresses were advertised as registered to BCCL. Secondly, multiple BCCL domain names are associated with 2 of the target IPs.
Thirdly, the target IP address uses an SSL certificate for BCCL domain *.timesnetwork[.]in. Lastly, a likely DNS resolver using a target IP address returns the hostname MDC-LLB-F5-01.timesgroup[.]com.
The group says the majority of exfiltration that it observed coincided with reports in the Economic Times of a US Navy patrol in the Indian Ocean.
Several Additional Tools to infiltrate into UIDAI
Insikt group says it identified an ongoing compromise of the UIDAI between June 10 and July 20th, 2020. It observed two IP addresses registered to UIDAI were communicating with the same C2 server used to target BCCL.
However, the company added:
“Data transfer sizes were comparatively modest from the UIDAI network based on our visibility. Less than 10 MB of data was egressed with an ingress of almost 30 MB, possibly indicating the deployment of additional malicious tooling from the attacker infrastructure.”
However, UIDAI said it had no knowledge of any such breach. Speaking to Medianama, it said.
“The UIDAI database (Aadhaar Database) is encrypted and not accessible through public portal/ IPs. The public facing interface of UIDAI is the portal services hosted on World Wide Web (WWW) served through static IPs and the traffic on these IPs are inbound and outbound to a tune of several terabytes on daily basis. The public portal service is encrypted and is only made available to individual querying residents through multi-factor authentication of the residents themselves.”
Attack on Madhya Pradesh Police
Regarding the attacks on MP Police, the group said it identified the organization’s IP address was in communication with a Winnti C2 IP address on June 1, 2021. The IP in question serves a State Crime Records Bureau (SCRB) website [scrbofficial.mppolice.gov.in]. This IP provides links to web and mobile applications that the SCRB uses.
Posts analysis, Insikt has suggested a few to detect and mitigate possible intrusions. It says organizations can block connection attempts from domains known to be associated with TAG-28, as a preventive measure. Further, they should ensure operating systems and software are up to date with the latest security updates to protect against known vulnerabilities.
They can also use the group’s own ‘Hunting Package’ to hunt and detect malware families that TAG-28 uses.