Report: China-linked hackers take aim at Times of India and a biometric bonanza

When Chinese and Indian troops clashed in the Galwan Valley border region last year, the battle was decidedly low-tech—the two sides went after each other with rocks and clubs. Now, more than a year later, the skirmish has moved to cyberspace.

A new study suggests that back in February, China-linked hackers launched a series of cyber attacks against a roster of key Indian targets including the country’s largest media conglomerate, the Bennett Coleman And Co Ltd, (BCCL), and the Unique Identification Authority of India (UIDAI) database, which contains a motherlode of biometric information.

In a new report, investigators from Recorded Future say they have traced the breach to a particular group known as TAG-28, a Chinese state-sponsored unit whose focus is gathering intelligence from targets in the Indian subcontinent. (Recorded Future is the parent company of The Record.)

Cybersecurity analysts say it is no accident that the tete-a-tete on the border was followed by an onslaught in cyber space. 

“China has a pretty far reaching malware buried in India’s infrastructure and they have been fairly restrained until recently,” said Josephine Wolff, an associate professor of cybersecurity policy at Tufts University. She has seen an acceleration in cyber space since then not just from China, but from India too. “But in terms of capabilities,” she said. “It is fairly lopsided.” 

China’s decision to hack BCCL, an Indian media conglomerate that publishes the largest English-language daily in the world, The Times of India, should come as no surprise, Wolff said. 

“The Chinese government really cares about its image and portrayal in the world,” she said. 

Investigators from Recorded Future say it is impossible to determine precisely what hackers stole when they cracked into the BCCL network, but some 500 MB of data was transferred to an off-site server  the hackers controlled.

Media Focus

The BCCL computers could provide everything from journalists’ notes and sources to articles about China that have yet to be published. The Times of India reported extensively on last year’s violence on the border, and has been writing about the RedEcho and RedFoxtrot cyber attacks that have rocked India since last year. 

The two hacking groups are thought to be China-linked and predominantly target government, defense, and telecommunications sectors across Central Asia, India, and Pakistan. RedFoxtrot is thought to be part of a Chinese military intelligence unit based in Urumqi, in northwestern China.

BCCL, which did not respond to numerous requests for comment, is hardly being singled out. Beijing-directed attacks on news organizations are almost standard operating procedure. 

As far back as 2008, China-backed hackers stole emails, contacts and files from journalists covering the mainland. Back in 2013, the New York Times, the Washington Post, and Bloomberg News were all targeted by Chinese hackers after they published articles that appeared to present China in a less than favorable light. During the Umbrella Movement protests in Hong Kong in 2014, pro-democracy news outlets were similarly breached. 

“For the Chinese hacking media outlets is an old story,” Wolff said. “They’ve been motivated by some combination of wanting to know who is talking to the media and wanting to know ahead of time what people are reporting on.” 

Last month, in what appeared to be a response to the BBC’s reporting on human rights abuses against Uighurs in China, Beijing-linked hackers launched an online influence operation that claimed that the BBC was using what they called a “gloom filter” to make images coming out of China seem bleak and dull, according to Recorded Future research.

Biometrics Bonanza

The intrusion into UIDAI, the agency that administers India’s Aadhaar system, could offer China not just intelligence, but also training data for its artificial intelligence machine. 

The Indian government assigns a unique 12-digit identity number to all Indian citizens and they need the number to receive basic government services. To get the coveted ‘Aadhaar Card,’ Indians have to provide fingerprints, retina scans and photographs. Aadhaar is thought to now have 1.2 billion individual files, covering about 89 percent of India’s population.

China has enormous artificial intelligence ambitions and aims to lead the world in a technology that allows computers to perform tasks that have traditionally required human intelligence — such as finding patterns and recognizing speech or faces. In order to do that, it needs information for the AI to learn on. So that’s one reason to hack the database.

“Bulk personally identifiable information (PII) are valuable to state-sponsored threat actors,” the new report says, adding the information can help nation-state actors in “identifying high-value targets such as government officials, enabling social engineering attacks, or enriching other data sources.”

Wolff says there is a second reason the Aadhaar database is so enticing: much of day-to-day life in India requires biometric information and nearly all of it is housed in the same place, the Aahaar databaser. “There is huge potential for logging into people’s accounts by using biometrics,” she said. “Just think of it—if you are trying to log onto a protected system you would have a good shot of biometrics being part of that log in. Or if you wanted to know which services people are using, iris scans would be really valuable. It would give them access to social welfare programs, so they could extort people by threatening to block access to food or health care.”

By way of comparison, when China steals fingerprints from some place like the Office of Personnel Management, one motivation for doing so might be to determine whether there are spies in China working for the U.S. government. But the U.S., as a general matter, doesn’t really authenticate things with fingerprints. Biometrics offer more.

“Biometrics are identification on steroids,” Wolff said. “Biometrics are forever. You can’t change your fingerprints or a retinal scan, so it is a more efficient form of stealing credentials.”

Since the Aahdaar system’s inception in 2009, critics have worried aloud about its security. Fraudulent Aahaar websites that look like the real thing are rife. Three years ago, in 2018, several hundred official government websites accidentally made a raft of personal Aahdaar public. And now, the new report says, China may have the ability to do that too. 

Officials from the UIDAI and the Chinese embassy did not respond to repeated requests for comment.