INSUBCONTINENT EXCLUSIVE:
Amid the controversy over data harvesting by Zhenhua Data, another group of Chinese hackers is in the news for attacking and compromising secured networks and computers belonging to the Indian government last year, court documents filed in the United States have revealed.

The Chinese hackers also targeted the phone data of a Tibetan monk in India.

Zhenhua Data, based in the south-eastern Chinese city of Shenzhen, compiled a database relying heavily on public open-source data. Unlike the Zhenhua Data leak, this Chinese attack offensively targeted the database servers by connecting to the Virtual Private Network (VPN) used by the Indian government.
The court documents reviewed by India Today suggest that the Chinese attackers used both paid malware variants bought on the open market and customised self-developed programs in their operations.

Identity card of one of the Chinese hackers (Courtesy: US Department of Justice)

"In 2019, the conspirators compromised government of India websites as well as virtual private networks and database servers supporting the Government of India," read the court document filed by acting US Attorney for the District of Columbia, Michael Sherwin.

According to the indictment, they "used VPS PROVIDER servers to connect to an Open VPN network owned by the Government of India".

What is Cobalt Strike

The charges filed by Sherwin against Chinese citizens for offensive computer intrusions allege that the attackers "installed Cobalt Strike malware on Indian government protected computers".

Cobalt Strike is a readymade penetration testing tool that is often abused by threat actors.

Agnidipta Sarkar, director of cybersecurity at CMS IT Services, said Cobalt Strike allows an attacker to deploy an agent named 'Beacon' on the victim machine.
"Beacon helps the attacker to do many things as it is in-memory/file-less malware and can bypass Windows authentication, execute a payload on a remote host without writing any data to disk and steal credentials. More dangerously, it can also leverage the capabilities of other well-known attack tools such as Metasploit and Mimikatz," Sarkar explained.

Identity card of one of the Chinese hackers (Courtesy: US Department of Justice)

"In the hands of a person with malicious intent, be it an amateur, a professional or a government, this tool can steal data, impersonate people (using stolen credentials), or even shut down facilities (by attacking cyber-physical capabilities). The attacks might vary from simple mischief to a scary cybercrime, cyber espionage, cyber warfare, or even cyber terrorism," he added.

China-based actors have used Cobalt Strike malware in several attacks targeting systems in Hong Kong and India. The Chinese attackers allegedly gained unauthorised access to the systems of prominent electronic communications services and telecommunications providers for their operation.
The hackers used the data obtained from the telecommunication service providers to target government networks and individuals.

Tibetan monk in India targeted

The charges filed by US prosecutors also reveal that Chinese attackers targeted the phone data of an India-based Tibetan monk.

The Chinese operators used a customised tool called 'SonarX' to store their harvested data. The entries in their database showed that the hackers had information about the Indian phone connections used by the Tibetan monk, their chat contents, contacts and usage of digital platforms.

Identity card of one of the Chinese hackers (Courtesy: US Department of Justice)

China has been facing insurgencies in Tibet, and Tibetan monks may hold the key to future public movements in Tibet. China has officially made it clear that the Tibet issue is extremely sensitive to the Chinese leadership, hinting that such attacks on Tibetan monks in India could be on the directions of the Chinese Communist Party (CCP) leadership.

The Attackers

The three top individuals involved in the India operations have been identified as Chinese citizens Jiang Lizhi aka Blackfox, Qian Chuan aka Squall and Fu Qiang aka

All three individuals work for a China-based technology firm called Chengdu 404 Network Technology. Chengdu Technology has also been charged with running multiple computer-operated attacks against several countries, including the US and the