
Amid the controversy over data harvesting by Zhenhua Data, another group of Chinese hackers is in the news for attacking and compromising secured networks and computers belonging to the Indian government last year, court documents filed in the United States have revealed.
The Chinese hackers also targeted the phone data of a Tibetan monk in India.

Zhenhua Data, based in the south-eastern Chinese city of Shenzhen, compiled a database relying heavily on public open-source data.
Unlike the Zhenhua Data leak, this Chinese attack offensively targeted the database servers by connecting to the Virtual Private Network (VPN) used by the Indian government.
The court documents reviewed by India Today suggest that the Chinese attackers used both paid malware variants bought on the open market and customised, self-developed programs in their operations.

"In 2019, the conspirators compromised government of India websites as well as virtual private networks and database servers supporting the Government of India," read the court document filed by acting US Attorney for the District of Columbia, Michael Sherwin.
According to the indictment, they "used VPS PROVIDER servers to connect to an Open VPN network owned by the Government of India".

What is Cobalt Strike

The charges filed by Sherwin against Chinese citizens for offensive computer intrusions allege that the attackers "installed Cobalt Strike malware on Indian government protected computers".

Cobalt Strike is a ready-made, commercially sold penetration testing tool that is frequently abused by threat actors. Agnidipta Sarkar, director of cybersecurity at CMS IT Services, said Cobalt Strike allows an attacker to deploy an agent named 'Beacon' on the victim machine.
"Beacon helps the attacker to do many things as it is in-memory/file-less malware and can bypass Windows authentication, execute a payload on a remote host without writing any data to disk and steal credentials.
More dangerously, it can also leverage the capabilities of other well-known attack tools such as Metasploit and Mimikatz," Sarkar explained.

"In the hands of a person with malicious intent, be it an amateur, or a professional or a government, this tool can steal data, impersonate people (using stolen credentials), or even shut down facilities (by attacking cyber-physical capabilities).
The attacks might vary from simple mischief to a scary cybercrime, cyber espionage, cyber warfare, or even cyber terrorism," he added.

China-based actors have used Cobalt Strike malware in several attacks to target systems in Hong Kong and India.
The Chinese attackers allegedly gained unauthorised access into the systems of prominent electronic communications services and telecommunications providers for their operation.
The hackers used the data obtained from the telecommunication service providers to target government networks and individuals.

Tibetan monk in India targeted

The charges filed by US prosecutors also reveal that the Chinese attackers targeted the phone data of an India-based Tibetan monk in 2019.
The Chinese operators used a customised tool called 'SonarX' to store their harvested data.
The entries filed in their database showed that the hackers had information about the Indian phone connections used by the Tibetan monk, the contents of their chats, their contacts and their usage of digital platforms.

China has been facing insurgencies in Tibet, and Tibetan monks may hold the key to future public movements in Tibet.
China has officially made it clear that the Tibet issue is extremely sensitive to the Chinese leadership, hinting that such attacks on Tibetan monks in India could be on the directions of the Chinese Communist Party (CCP) leadership.

The Attackers

The three top individuals involved in the India operations have been identified as Chinese citizens Jiang Lizhi aka Blackfox, Qian Chuan aka Squall and Fu Qiang aka StandNY.
All three individuals work for a China-based technology firm called Chengdu 404 Network Technology.
Chengdu 404 has also been charged with running multiple computer intrusion campaigns against several countries, including the US and the UK.