China’s contract hackers likely tried to get their hands on Aadhaar data: Report

A China-linked group likely targeted the UIDAI and Indian news outlets with Winnti malware, according to the report.

The Unique Identification Authority of India (UIDAI), along with Bennett Coleman and Co Ltd (BCCL, the parent company of the Times of India) and the Madhya Pradesh Police, were allegedly victims of Chinese state-sponsored cyber attacks, said a report by the US-based cybersecurity company Recorded Future.

The hacker group, provisionally named TAG-28 by the cybersecurity firm, allegedly targeted UIDAI because of its Aadhaar database, which the firm described as one of the “bulk personally identifiable information datasets (which) are valuable to state-sponsored threat actors”. The company correlated TAG-28’s targeting of Bennett Coleman with the group’s long history of intrusions against international media outlets.

This report comes months after Recorded Future, in another report, said that a Chinese state-sponsored hacker group, the People’s Liberation Army’s Unit 69010, had targeted Indian defence research organisations and others. Earlier, it was revealed that another Chinese hacker group, Red Echo, had hacked into India’s power grid. This was confirmed by TS Transco, which identified an external attempt to take control of its servers and foiled it by taking precautionary measures.

If the claims made in the report are true, then it would be evidence of China’s continued strategic and tactical interest in India-based organisations, both in the private and public sectors.

While we have not yet received a response from the Times of India Group regarding the matter, UIDAI said that it had no “knowledge” of such a breach.


The UIDAI database (Aadhaar Database) is encrypted and not accessible through public portals/IPs. The public-facing interface of UIDAI is the portal services hosted on the World Wide Web (WWW), served through static IPs, and the traffic on these IPs is inbound and outbound to the tune of several terabytes on a daily basis. The public portal service is encrypted and is only made available to individual querying residents through multi-factor authentication of the residents themselves — UIDAI spokesperson

Around 500 MB of data exfiltrated from Bennett Coleman

The Recorded Future report said that between February and August 2021, four IPs assigned to Bennett Coleman were identified as having been targeted by Chinese actors. “Although we cannot confirm what data specifically was accessed, we observed approximately 500 MB of data being exfiltrated from the BCCL network to the malicious infrastructure,” the report said.

Recorded Future’s reasons for concluding that the targeted infrastructure is operated by Bennett Coleman:

  • Two of the targeted IPs are advertised as registered to Bennett Coleman And Co Ltd by an autonomous system.
  • Multiple BCCL domain names are associated with two of the targeted IPs.
  • One targeted IP serves an SSL certificate for the BCCL domain *.timesnetwork[.]in.
  • A Check Point firewall device on one of the IP addresses returns the device hostname TIMESTRADEHOUSE-SM.timesgroup[.]com on TCP port 264.
  • A likely DNS resolver on one of the IP addresses returns the hostname *****.timesgroup.com.

The report said that a majority of the exfiltrated data that Recorded Future was able to identify “coincided with reports in the Economic Times of a US Navy freedom patrol in the Indian Ocean”.

While the timing of the initial intrusion and exfiltration activity coinciding with notable naval-related articles is circumstantial evidence of possible intent, it remains plausible that TAG-28’s objectives may have included targeting the media group to garner insight into Indian Ocean naval matters or perceived anti-China reporting — Recorded Future report

UIDAI’s IP addresses were in ‘communication’ with threat actors

The report said that between June 10 and at least July 20, 2021, two IPs registered to UIDAI were observed communicating with one of the servers that allegedly targeted BCCL. “Data transfer sizes were comparatively modest from the UIDAI network based on our visibility. Less than 10 MB of data was egressed with an ingress of almost 30 MB, possibly indicating the deployment of additional malicious tooling from the attacker infrastructure,” the report said. No other information was provided on the alleged attack on UIDAI.

As for the alleged attack on Madhya Pradesh Police, Recorded Future said that it had identified an MP Police IP address in communication with a Chinese threat actor’s IP address on June 1. “The MPP IP serves a State Crime Records Bureau (SCRB) website (scrbofficial.mppolice.gov[.]in), which provides links to various web and mobile applications operated by SCRB,” it said.

Later, network activity was also observed between another SCRB IP address and Chinese threat actors between July 27 and August 9, the report added. “Based on limited visibility, [we] observed less than 5 MB of data transfer between the MPP and Winnti server (Chinese) during the considered time frame,” it added.

What is Winnti malware?

According to the report, Winnti malware has historically been used by several Chinese state-sponsored groups, including APT41/Barium and APT17, and is commonly associated with activity linked to multiple groups of loosely connected private contractors operating on behalf of China’s Ministry of State Security (MSS).


Proposed solutions

Recorded Future urged stakeholders to follow these measures to detect and mitigate activity associated with TAG-28:

  • Configure intrusion detection systems (IDS), intrusion prevention systems (IPS), or any network defense mechanisms in place to alert on external IP addresses and domains associated with TAG-28.
  • Ensure operating systems and software are up to date with the latest patches to protect against known vulnerabilities.
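The first measure above, alerting on the IP addresses and domains associated with the group, is in practice a matching job over network telemetry. The script below is an added example written for this article; it is not code from Recorded Future or from any vendor's IDS. It takes indicators in the defanged form reports use (`example[.]com`, as in the domains quoted above), normalises them, and checks constructed flow records against them, including CIDR ranges and `*.` wildcard domains. It also totals outbound bytes per destination, because the report's strongest signals were volume-based (hundreds of MB leaving BCCL, tens of MB arriving at UIDAI). All indicator values, addresses (RFC 5737 test ranges, `.invalid` domains) and log lines are constructed placeholders, not the report's real IoCs.

```python
"""Match network flow records against an indicator list and flag bulk egress.

Added example for this article, not code from Recorded Future or MediaNama.
The indicators, IP addresses (RFC 5737 test ranges) and log lines are all
constructed here, not the report's real indicators.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass


def refang(indicator: str) -> str:
    """Undo the defanging used in threat reports ('example[.]com', 'hxxp')."""
    return (
        indicator.strip().lower()
        .replace("[.]", ".")
        .replace("[:]", ":")
        .replace("hxxp", "http")
    )


@dataclass(frozen=True)
class FlowRecord:
    timestamp: str
    src_ip: str
    dst_ip: str
    dst_host: str   # hostname from DNS/proxy logging, "" when unknown
    bytes_out: int  # bytes sent by the internal host (egress)
    bytes_in: int   # bytes received by the internal host (ingress)


def parse_flow(line: str) -> FlowRecord:
    """Parse one constructed CSV flow line: ts,src,dst,host,bytes_out,bytes_in."""
    ts, src, dst, host, out_b, in_b = (f.strip() for f in line.split(","))
    return FlowRecord(ts, src, dst, host, int(out_b), int(in_b))


class IndicatorSet:
    """IP/CIDR and domain indicators, with '*.suffix' wildcard support."""

    def __init__(self, raw_indicators):
        self.networks = []
        self.domains = set()
        self.wildcards = []  # stored as ".suffix" so the dot boundary is enforced
        for raw in raw_indicators:
            ioc = refang(raw)
            if ioc.startswith("*."):
                self.wildcards.append(ioc[1:])
                continue
            try:
                # A bare address becomes a /32 network; domains raise ValueError.
                self.networks.append(ipaddress.ip_network(ioc, strict=False))
            except ValueError:
                self.domains.add(ioc)

    def matches_ip(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.networks)

    def matches_host(self, host: str) -> bool:
        host = host.lower().rstrip(".")
        if not host:
            return False
        if host in self.domains:
            return True
        # '*.c2.invalid' covers subdomains only; the apex is a separate indicator.
        return any(host.endswith(suffix) for suffix in self.wildcards)


def scan_flows(lines, iocs: IndicatorSet, egress_threshold: int):
    """Return (ioc_hits, bulk_egress) for the given flow log lines.

    ioc_hits: list of (timestamp, src_ip, dst_ip, reason) for flows to indicators.
    bulk_egress: {dst_ip: total_bytes_out} for destinations whose total egress
    exceeds the threshold, whether or not the destination is a known indicator.
    """
    hits = []
    egress = defaultdict(int)
    for line in lines:
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        rec = parse_flow(line)
        egress[rec.dst_ip] += rec.bytes_out
        if iocs.matches_ip(rec.dst_ip):
            hits.append((rec.timestamp, rec.src_ip, rec.dst_ip, "dst_ip in indicator list"))
        elif iocs.matches_host(rec.dst_host):
            hits.append((rec.timestamp, rec.src_ip, rec.dst_ip,
                         f"host {rec.dst_host} matches indicator"))
    bulk = {dst: total for dst, total in egress.items() if total > egress_threshold}
    return hits, bulk


# Constructed indicators in defanged form, as a report appendix would list them.
SAMPLE_INDICATORS = [
    "198.51.100[.]7",
    "203.0.113[.]0/24",
    "update.example-c2[.]invalid",
    "*.cdn-example-c2[.]invalid",
]

# Constructed flow log. 10.0.0.0/8 is the internal network; 192.0.2.0/24 plays
# unrelated external hosts. Two 250 MB transfers to 203.0.113.44 model bulk egress.
SAMPLE_FLOWS = """\
# ts,src,dst,host,bytes_out,bytes_in
2021-06-10T09:12:00Z,10.20.1.15,198.51.100.7,,1048576,31457280
2021-06-11T22:40:00Z,10.20.1.15,203.0.113.44,,262144000,4096
2021-06-12T01:03:00Z,10.20.1.15,203.0.113.44,,262144000,4096
2021-06-12T08:00:00Z,10.20.2.9,192.0.2.10,mail.example.org,2048,9000
2021-06-13T14:22:00Z,10.20.3.7,192.0.2.77,files.cdn-example-c2.invalid,5242880,1200
2021-06-13T15:00:00Z,10.20.3.7,192.0.2.78,cdn-example-c2.invalid,100,100
""".splitlines()

if __name__ == "__main__":
    indicators = IndicatorSet(SAMPLE_INDICATORS)
    ioc_hits, bulk_egress = scan_flows(SAMPLE_FLOWS, indicators, 100 * 1024 * 1024)
    for hit in ioc_hits:
        print("IOC  ", *hit)
    for dst, total in bulk_egress.items():
        print(f"BULK  {dst}: {total / 2**20:.0f} MiB out")
```

The volume check is deliberately independent of the indicator list: a destination that nobody has published yet still stands out when it receives hundreds of megabytes from a single internal host, which is the kind of signal Recorded Future worked from here. In production the thresholds would be tuned per segment, and the flow source would be NetFlow, Zeek `conn.log` or a proxy log rather than a CSV string.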

US and allies accuse China of malicious cyber activity

In a press release issued from the White House in July this year, the USA, along with allies such as the United Kingdom and the European Union, accused China of:

Hiring criminal contract hackers: The US accused China of fostering an intelligence enterprise that includes “contract hackers who also conduct unsanctioned cyber operations worldwide, including for their own personal profit.”

Ransomware attacks against private companies: The US also stated that China’s government-linked cyber operators have conducted ransomware operations against private companies demanding millions of dollars in ransom.

Targeting government institutions and political organisations in the EU: The EU in its press release said that China-based hacker groups known as Advanced Persistent Threat 40 and Advanced Persistent Threat 31 targeted government institutions and political organisations in the EU and member states “for the purpose of intellectual property theft and espionage.”

Written By

Among other subjects, I cover the increasing usage of emerging technologies, especially for surveillance in India


© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ
