A state-sponsored Chinese group has been accused of hacking an agency responsible for India’s national identification database as well as a police department and media company, sparking fears over a potentially massive data breach.
Cybersecurity company Insikt Group, part of US-based Recorded Future, claimed the hacking group, given the temporary name TAG-28, made use of Winnti malware to steal hundreds of megabytes of data, including from a Mumbai company whose publications include The Times of India.
Experts said Winnti malware is exclusively shared among several Chinese state-sponsored activity groups.
However, Chinese authorities have consistently denied any form of state-sponsored hacking.
Recorded Future said its data showed a 261 per cent increase in the number of suspected state-sponsored Chinese cyber operations targeting Indian organisations and companies in 2021 so far, compared to the whole of 2020.
The action was thought to be politically motivated, with Insikt suggesting the cyberattack could be related to border issues.
Insikt said it could not identify the content of the 500 megabytes of data taken from the Bennett Coleman And Co Ltd media company between February and August, but noted that the company frequently publishes reports on China-India tensions, and that the hack was likely motivated by “wanting access to journalists and their sources as well as pre-publication content of potentially damaging articles”.
The Insikt Group said it also observed about 5 megabytes of data transferred from the police department of Madhya Pradesh state, whose chief minister, Shivraj Singh Chouhan, called for a boycott of Chinese products after June 2020 border clashes with India.
The group also identified a breach in June and July of the Unique Identification Authority of India, or UIDAI, the government agency that oversees the national identification database.
In that case, it detected about 10 megabytes of data downloaded from the network and almost 30 megabytes uploaded, “possibly indicating the deployment of additional malicious tooling from the attacker infrastructure”.
UIDAI told the Associated Press that it had no knowledge of a “breach of the nature described”.
Additional reporting by agencies