### CYBER THREAT ANALYSIS

By Insikt Group® | CHINA | September 21, 2021

# China-Linked Group TAG-28 Targets India’s “The Times Group” and UIDAI (Aadhaar) Government

#### Executive Summary

India continues to bear the brunt of hostile cyber operations from Chinese state-sponsored groups. Earlier this year, Insikt Group [documented a RedEcho campaign](https://www.recordedfuture.com/redecho-targeting-indian-power-sector/) targeting India’s critical national infrastructure following a rapid deterioration in bilateral relations after both countries clashed on the China-India border. We also recently identified renewed RedFoxtrot operations targeting an Indian state-owned enterprise involved in the nuclear, space, and defense sectors.

Following this theme of Chinese targeting of Indian entities, we have identified further suspected intrusions targeting the Indian media conglomerate Bennett Coleman And Co Ltd (BCCL), commonly known as “The Times Group”; the Unique Identification Authority of India (UIDAI); and the Madhya Pradesh Police department. UIDAI is the Indian government agency responsible for the national identification database, more commonly called “Aadhaar”, which contains private biometric information for over 1 billion Indian citizens. These intrusions were conducted by an activity group we track using a temporary designation, TAG-28[1].

Chinese state-sponsored intrusions targeting news outlets are not a recent phenomenon. In 2013, the New York Times, the Washington Post, and Bloomberg News were [targeted by a Chinese group in a widespread intelligence-gathering operation](https://www.nytimes.com/2013/02/02/technology/washington-posts-joins-list-of-media-hacked-by-the-chinese.html) following a series of published articles that were perceived as presenting China unfavorably. Subsequently, in 2014, pro-democracy news outlets in Hong Kong were [targeted during the Umbrella Movement protests](https://www.wsj.com/articles/BL-CJB-22778). TAG-28’s Winnti campaign targeting BCCL is the latest in a long line of targeted intrusions against international media outlets.

**Key Judgments**

- TAG-28 highly likely targeted UIDAI due to its ownership of the Aadhaar database. Bulk personally identifiable information (PII) data sets are valuable to state-sponsored threat actors. Likely uses of such data include, but are not limited to, identifying high-value targets such as government officials, enabling social engineering attacks, or enriching other data sources.
- Given the reach of The Times Group publications [and their consistent reporting on the “India China war”](https://economictimes.indiatimes.com/topic/India-China-war), TAG-28’s targeting of BCCL is likely motivated by wanting access to journalists and their sources as well as pre-publication content [of potentially damaging articles focusing on China or its leadership](https://economictimes.indiatimes.com/news/defence/view-china-turkey-and-pakistans-unholy-nuclear-nexus-and-its-global-ramifications/articleshow/80579631.cms).
- It is less likely that TAG-28 would gain access to media entities to interfere with publishing platforms by changing or disrupting articles [in support of Chinese information operations](https://www.news18.com/news/india/india-is-the-next-target-of-chinese-misinformation-machinery-and-we-are-already-falling-prey-to-it-2680317.html).
- As of early August 2021, Recorded Future data shows a 261% increase in the number of suspected state-sponsored Chinese cyber operations targeting Indian organizations and companies in 2021 so far compared to 2020. This follows an increase of 120% between 2019 and 2020, demonstrating China’s growing strategic interest in India over the past few years.

[1] Insikt Group publicly names a new threat activity group or campaign, such as RedFoxtrot, typically when analysts have data corresponding to at least 3 points on the Diamond Model of Intrusion Analysis with at least medium confidence. We will occasionally report on significant activity using a temporary activity clustering name such as TAG-28, where the activity is new and significant but doesn’t map to existing groupings and hasn’t yet graduated or merged into an established activity group.

_Figure 1: Diamond model representation of TAG-28 TTPs (Source: Recorded Future)_

_Figure 2: TAG-28 infrastructure used to communicate with BCCL (Source: Recorded Future)_

#### Threat Analysis

Since early 2020, we have observed a large increase in suspected targeted intrusion activity against Indian organizations from Chinese state-sponsored groups, as illustrated through Insikt Group reporting on [RedEcho](https://www.recordedfuture.com/redecho-targeting-indian-power-sector/), [RedFoxtrot](https://www.recordedfuture.com/redfoxtrot-china-pla-targets-bordering-asian-countries/), TAG-26[2], and TAG-27[3]. We used a combination of adversary command and control (C2) detection techniques and Recorded Future Network Traffic Analysis (NTA) data to identify patterns of suspicious network traffic between 2 Winnti malware C2 servers and infrastructure registered to BCCL.

##### Targeting of Bennett Coleman And Co Ltd

Between February and August 2021, Insikt Group identified 4 IPs assigned to BCCL in sustained and substantial network communications with 2 Winnti C2 servers (185.161.209[.]87 and 86.107.197[.]182) and a third probable Cobalt Strike C2, 178.157.91[.]144. Although we cannot confirm what data specifically was accessed, we observed approximately 500 MB of data being exfiltrated from the BCCL network to the malicious infrastructure.

[2] Only available to Recorded Future clients.

[3] Only available to Recorded Future clients.

The identified targeted infrastructure is likely operated by BCCL for the following reasons:

- 2 of the targeted IPs, 103.220.14[.]5 and 103.220.14[.]114, [are advertised by autonomous system (AS) AS135245](https://bgp.he.net/AS135245#_prefixes), [registered to Bennett Coleman And Co Ltd](https://bgp.he.net/AS135245#_whois).
- Multiple BCCL domain names are associated with 2 of the targeted IPs (103.220.14[.]5 and 14.141.124[.]3).
- Targeted IP 103.220.14[.]5 [serves an SSL certificate](https://beta.shodan.io/host/103.220.14.5/history#443) for BCCL domain *.timesnetwork[.]in.
- A CheckPoint firewall device using IP 103.220.14[.]5 on TCP port 264 [returns the device hostname](https://beta.shodan.io/host/103.220.14.5/history#264) TIMES-TRADEHOUSE-SM.timesgroup[.]com.
- A likely DNS resolver using IP 14.141.124[.]3 on UDP port 53 returns the hostname MDC-LLB-F5-01.timesgroup[.]com.

BCCL, commonly known as “The Times Group”, is a privately owned, Mumbai-headquartered multimillion-dollar company that publishes one of the world’s largest English-language newspapers by circulation, The Times of India. BCCL operates across multiple mediums, including publishing, television, internet, and radio. The Times of India and its subsidiaries frequently publish [analyses on India-China tensions](https://economictimes.indiatimes.com/topic/India-China-war), and in early March 2021 they were among several Indian media outlets that [covered Insikt Group’s public reporting of RedEcho](https://timesofindia.indiatimes.com/business/india-business/10-power-assets-mumbai-tamil-nadu-ports-came-under-redecho-cyberattack/articleshow/81337328.cms) targeting the Indian power sector.

_[Figure 3: Indian Navy undertaking exercise in Indian Ocean Region](https://economictimes.indiatimes.com/news/defence/indian-navy-undertaking-mega-exercise-in-indian-ocean-region/articleshow/80790358.cms): this article describes a planned Indian naval exercise that was due to take place when China was making increasing forays into the Indian Ocean region as part of its military exercises. Published February 10, 2021. (Source: India Times)_

On multiple occasions ([1](https://www.nytimes.com/2013/02/02/technology/washington-posts-joins-list-of-media-hacked-by-the-chinese.html), 2), Chinese state-sponsored groups (APT41, APT12) have targeted the media sector, perhaps most prominently in 2013 when APT12 [compromised The New York Times](https://www.nytimes.com/2013/01/31/technology/chinese-hackers-infiltrate-new-york-times-computers.html?pagewanted=all). Based on comprehensive reporting, it is also [likely that APT41 has an operational scope](https://www.fireeye.com/blog/threat-research/2019/08/apt41-dual-espionage-and-cyber-crime-operation.html) to track individuals and conduct surveillance of media entities. The New York Times [suggests](https://www.nytimes.com/2013/01/31/technology/chinese-hackers-infiltrate-new-york-times-computers.html?pagewanted=all) the timing of the 2013 APT12 attack coincided with reporting on Chinese leadership figures, pointing to a potential flashpoint. The majority of the observed exfiltration activity coincided with [reports in The Economic Times of a US Navy “freedom patrol” in the Indian Ocean](https://economictimes.indiatimes.com/news/defence/in-unusual-move-us-conducts-freedom-patrol-in-indian-eez/articleshow/81980800.cms).

The Economic Times (a subsidiary of The Times Group) published 2 articles on its [“India China war” subsection](https://economictimes.indiatimes.com/topic/India-China-war) just days before Insikt Group detected the initial intrusion activity targeting BCCL. Both of the articles, shown in Figures 3 and 4, as well as more recently [published pieces](https://economictimes.indiatimes.com/news/defence/view-india-should-expect-intermittent-border-clashes/articleshow/84545871.cms), could be viewed as antagonistic towards the Chinese government. While the timing of the initial intrusion and exfiltration activity coinciding with notable naval-related articles is only circumstantial evidence of intent, it remains plausible that TAG-28’s objectives included targeting the media group to gain insight into Indian Ocean naval matters or perceived anti-China reporting.

_[Figure 4: View: China, Turkey and Pakistan’s unholy nuclear nexus and its global ramifications](https://economictimes.indiatimes.com/news/defence/view-china-turkey-and-pakistans-unholy-nuclear-nexus-and-its-global-ramifications/articleshow/80579631.cms): this article calls out China’s nuclear relationships with Turkey and Pakistan as a serious threat to global security and calls for strong punitive measures against Beijing. The article also cites that in February 2020, the Indian Navy intercepted a ship destined for Pakistan from China with hardware believed to be used for nuclear industries. Published February 11, 2021. (Source: India Times)_

##### Targeting of the Unique Identification Authority of India

While investigating the infrastructure used in the BCCL compromise, we identified an ongoing compromise of the UIDAI, which oversees India’s Aadhaar ID card system. Between June 10 and at least July 20, 2021, 2 IPs registered to UIDAI were observed communicating with the same suspected Cobalt Strike C2 server used to target BCCL, 178.157.91[.]144. Data transfer sizes from the UIDAI network were comparatively modest based on our visibility: less than 10 MB of data was egressed, against an ingress of almost 30 MB, possibly indicating the deployment of additional malicious tooling from the attacker infrastructure.

UIDAI is the Indian government agency responsible for the Aadhaar national identification database. It contains private, identifying, and biometric information for over 1 billion Indian citizens. Some view the Aadhaar database as [controversial](https://www.huffpost.com/archive/in/entry/uidai-s-aadhaar-software-hacked-id-database-compromised-experts-confirm_a_23522472): the sheer amount of personal data held by the system makes it an attractive target to both nation-state and criminally motivated adversaries. The Aadhaar system has a [history (1, 2, 3) of data leaks and compromise](https://www.huffpost.com/archive/in/entry/uidai-s-aadhaar-software-hacked-id-database-compromised-experts-confirm_a_23522472), including [rogue software exploiting the system](https://www.huffpost.com/archive/in/entry/uidai-s-aadhaar-software-hacked-id-database-compromised-experts-confirm_a_23522472) to create false identity cards and an unsecured application programming interface (API) giving complete visibility of the database.

TAG-28 likely targeted UIDAI due to its ownership of the Aadhaar database.
Large PII data sets are valuable to both nation-state and criminal threat actors for multiple purposes, including potentially identifying high-value intelligence targets such as government officials, enabling surveillance, conducting social engineering attacks, or enriching other data sources.

##### Targeting of Madhya Pradesh Police

Using Recorded Future NTA data, we [identified a Madhya Pradesh Police (MPP) IP](https://app.recordedfuture.com/live/sc/1KrdOaxnpi4e) communicating with Winnti C2 IP 185.161.209[.]87 over port 80 on June 1, 2021. The MPP IP serves a State Crime Records Bureau (SCRB) website (scrbofficial.mppolice.gov[.]in), which provides links to various web and mobile applications operated by SCRB. Insikt Group later observed additional network activity between another SCRB IP, 210.212.145[.]100, and 185.161.209[.]87, from July 27 to at least August 9, 2021. Based on limited visibility, we observed less than 5 MB of data transfer between the MPP and the Winnti server during the considered time frame.

Madhya Pradesh Chief Minister Shivraj Singh Chouhan was [critical of China](https://www.thehindu.com/news/national/other-states/mp-chief-minister-shivraj-singh-chouhan-calls-upon-people-to-boycott-chinese-products/article31875590.ece) after the [violent border clashes with Chinese troops in the Ladakh region in June 2020](https://www.thehindu.com/news/national/indian-army-says-20-soldiers-killed-in-clash-with-chinese-troops-in-the-galwan-area/article31845662.ece), [calling for the state’s residents to boycott Chinese products](https://www.thehindu.com/news/national/other-states/mp-chief-minister-shivraj-singh-chouhan-calls-upon-people-to-boycott-chinese-products/article31875590.ece).
Citizens and news outlets [were quick to point out a 2016 tweet](https://www.freepressjournal.in/india/amid-stand-off-with-china-shivrajs-old-tweet-comparing-bjp-and-communist-party-of-china-goes-viral) in which Chouhan compared India’s ruling Bharatiya Janata Party (BJP) to the Chinese Communist Party (CCP), stating that there were “tremendous similarities between the two parties”, which shows his clear change in stance on China.

##### Malware and Infrastructure

Insikt Group identified 2 Winnti C2s (185.161.209[.]87 and 86.107.197[.]182) and a probable Cobalt Strike C2 (178.157.91[.]144) operated by TAG-28. Winnti malware has historically been used by several Chinese state-sponsored groups, including APT41/Barium and APT17, and is [commonly associated](https://www.justice.gov/opa/pr/seven-international-cyber-defendants-including-apt41-actors-charged-connection-computer) with [activity linked to multiple groups](https://intrusiontruth.wordpress.com/2019/07/24/apt17-is-run-by-the-jinan-bureau-of-the-chinese-ministry-of-state-security/) of loosely connected private contractors operating on behalf of China’s Ministry of State Security (MSS). In September 2020, the US Department of Justice (DoJ) charged 5 Chinese nationals linked to APT41 who had access to Winnti malware for conducting widespread intrusion operations targeting over 100 victims globally. Clustering all activity featuring the use of Winnti malware into a single “Winnti” activity group is insufficient given the shared capability across different groups and the varying targeting remits and modus operandi of Winnti users.

_Table 1: Malicious infrastructure used by TAG-28 in this campaign_

|C2|IP|First Identified|Ports|Hosting Provider|
|---|---|---|---|---|
|Winnti|185.161.209[.]87|March 11, 2021|80, 443, 8080, 8443|Zemlyaniy Dmitro Leonidovich (DeltaHost)|
|Winnti|86.107.197[.]182|April 8, 2021|443, 8443|MVPS LTD|
|Suspected Cobalt Strike|178.157.91[.]144|June 10, 2021|443, 53|MVPS LTD|

Pivoting on the C2 IPs, we identified several linked domains. All of the domains were registered on December 30, 2020 using the registrar Gandi SAS, shared the same apex domain “samuelblog”, and used “KE” (denoting Kenya) for the registrant country.

- samuelblog[.]me
- samuelblog[.]site
- samuelblog[.]info
- samuelblog[.]website
- samuelblog[.]xyz

A further 4 subdomains were also identified resolving to the same C2 infrastructure listed in Table 1. Based on the subdomain names, we assess they were likely impersonating hostnames used for database access, admin panels, or other similar services.

_Figure 5: Recorded Future NTA event involving Madhya Pradesh Police IP and Winnti C2 185.161.209[.]87. (Source: Recorded Future)_

_Table 2: TAG-28 C2 subdomains_

|Subdomain|IP Resolved|
|---|---|
|db1.samuelblog[.]me|185.161.209[.]87|
|db1.samuelblog[.]site|185.161.209[.]87|
|date.samuelblog[.]info|2.56.213[.]86, 178.157.91[.]144|
|admin.samuelblog[.]xyz|178.157.91[.]144|

##### Cobalt Strike C2 Over DNS

Between January 4 and February 25, 2021, the domain ns1.samuelblog[.]info was likely configured as a Cobalt Strike C2. During this period, an NS record for this domain pointed at date.samuelblog[.]info, which subsequently resolved to 2 IPs, 2.56.213[.]86 and 178.157.91[.]144, both hosted with MVPS Ltd.
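
The exfiltration figures in the Threat Analysis section (roughly 500 MB out of BCCL, under 10 MB out of and almost 30 MB into UIDAI) are the kind of per-host volume check a defender can run over flow records against the C2 addresses in Tables 1 and 2. The script below is an added example, not Recorded Future's NTA tooling and not the report's underlying data: it refangs the defanged C2 IPs as printed, matches constructed sample flows (RFC 5737 source addresses, not the victims' real IPs) against them, totals bytes per internal host, and flags the two patterns the report describes, bulk egress and ingress-heavy sessions.

```python
"""Match NTA-style flow records against the TAG-28 C2 IPs from Tables 1 and 2 and
total what each internal host exchanged with them. Added example with constructed
flows; not Recorded Future's NTA tooling and not this report's underlying data."""
import csv
import io
import ipaddress
from collections import defaultdict

# C2 addresses exactly as the report lists them (defanged with "[.]")
TAG28_C2_IPS = {
    "185.161.209[.]87": "Winnti",
    "86.107.197[.]182": "Winnti",
    "178.157.91[.]144": "Suspected Cobalt Strike",
    "2.56.213[.]86": "date.samuelblog[.]info resolution",
}


def refang_ip(defanged: str) -> str:
    """'185.161.209[.]87' -> '185.161.209.87', validated as a real IP address."""
    return str(ipaddress.ip_address(defanged.replace("[.]", ".")))


C2_BY_IP = {refang_ip(ip): family for ip, family in TAG28_C2_IPS.items()}

# Constructed sample flows; sources use RFC 5737 documentation ranges, not the victims' IPs.
# Byte counts are made up to mirror the shapes described in the report.
SAMPLE_FLOWS = """\
timestamp,src_ip,dst_ip,dst_port,bytes_out,bytes_in
2021-04-01T08:12:03Z,192.0.2.10,185.161.209.87,443,120000000,400000
2021-04-02T09:40:11Z,192.0.2.10,86.107.197.182,8443,380000000,900000
2021-04-02T10:02:45Z,192.0.2.10,203.0.113.200,443,2000,150000
2021-06-12T22:15:00Z,198.51.100.7,178.157.91.144,443,4000000,28000000
2021-06-01T13:05:19Z,203.0.113.9,185.161.209.87,80,1500000,300000
"""


def parse_flows(text: str) -> list:
    """Read CSV flow records into dicts with integer ports and byte counts."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["dst_port"] = int(row["dst_port"])
        row["bytes_out"] = int(row["bytes_out"])
        row["bytes_in"] = int(row["bytes_in"])
        rows.append(row)
    return rows


def match_c2_flows(flows: list) -> list:
    """Keep only flows whose destination is a listed C2, tagging each with its family."""
    hits = []
    for f in flows:
        family = C2_BY_IP.get(f["dst_ip"])
        if family is not None:
            hits.append({**f, "family": family})
    return hits


def summarize(hits: list) -> dict:
    """Per internal host: bytes sent to and received from C2s, plus which C2s and families."""
    summary = defaultdict(lambda: {"bytes_out": 0, "bytes_in": 0, "c2s": set(), "families": set()})
    for h in hits:
        s = summary[h["src_ip"]]
        s["bytes_out"] += h["bytes_out"]
        s["bytes_in"] += h["bytes_in"]
        s["c2s"].add(h["dst_ip"])
        s["families"].add(h["family"])
    return dict(summary)


def flag_hosts(summary: dict, egress_threshold: int = 100 * 1024 * 1024) -> dict:
    """'bulk_egress' when outbound volume to C2s reaches the threshold (the BCCL pattern);
    'ingress_heavy' when more comes back than goes out (the UIDAI pattern the report reads
    as additional tooling being pushed down). Threshold is an assumption, tune it locally."""
    report = {}
    for host, s in summary.items():
        flags = []
        if s["bytes_out"] >= egress_threshold:
            flags.append("bulk_egress")
        if s["bytes_in"] > s["bytes_out"]:
            flags.append("ingress_heavy")
        report[host] = flags
    return report


if __name__ == "__main__":
    summary = summarize(match_c2_flows(parse_flows(SAMPLE_FLOWS)))
    for host, flags in flag_hosts(summary).items():
        s = summary[host]
        print(f"{host}: out={s['bytes_out']} in={s['bytes_in']} "
              f"c2s={sorted(s['c2s'])} flags={flags}")
```

Any host that appears in the output at all has talked to listed C2 infrastructure and warrants review regardless of flags; the volume flags only prioritize. Refanging through `ipaddress.ip_address` also catches a mistyped indicator before it silently matches nothing.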

Using Passive DNS data, we found several suspicious DNS A record queries for variants of the subdomain api.[data resembling hexadecimal notation].ns1.samuelblog[.]info. Where the hex data was longer than 24 characters, it was split into runs of 56 characters separated by a period. Further research highlighted several other domains displaying a similar pattern (api.[hex data].ns1.); the majority of the IPs resolved by these domains had triggered Cobalt Strike C2 server detections in the Recorded Future Platform. Further to this point, a [tutorial video](https://www.youtube.com/watch?v=zAB5G-QOyx8) created by Raphael Mudge, the creator of Cobalt Strike, shows DNS beacon traffic matching the pattern observed above. Given these factors, we determined the suspicious DNS traffic for samuelblog[.]info was likely a result of its use as a Cobalt Strike C2.

##### Adversary

Based on our visibility, Insikt Group strongly believes TAG-28 is a Chinese state-sponsored threat activity group tasked with gathering intelligence on Indian targets. Our attribution to China is predicated on the group’s use of Winnti malware, which is shared exclusively among several Chinese state-sponsored activity groups, and its targeting of at least 3 distinct Indian organizations in this campaign. As we continue to track TAG-28’s operational activity, we will gather additional referential data points that will allow us to build on our current understanding of its capabilities and objectives and either highlight overlaps with existing activity groups or graduate TAG-28 to a full-fledged “Red” group like RedEcho or RedFoxtrot. Additional data points, such as persona handles and further upstream attacker infrastructure, would support actor attribution efforts.

#### Outlook

This research highlights China’s continued strategic and tactical interest in India-based organizations, both in the private and public sectors.
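
The query-name shape described in the Cobalt Strike C2 Over DNS section above (api.[hex data].ns1.[zone], with long payloads split into 56-character labels) can be turned into a passive-DNS hunting heuristic. The following is an added example, not Recorded Future's detection logic: it decomposes each query name, checks that every label between `api` and `ns1` is hex and no longer than 56 characters, and reports whether the zone is one of the samuelblog zones from the report. The sample query names are constructed, and the `max_label` limit of 56 is taken from the report's description rather than from Cobalt Strike documentation.

```python
"""Heuristic for the DNS-beacon query shape described above:
api.<hex payload>.ns1.<zone>, with payloads over 24 characters split into
56-character labels. Added example over constructed passive-DNS query names;
not Recorded Future's detection logic."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

HEX_LABEL = re.compile(r"^[0-9a-f]+$")

# The TAG-28 apex domain in the zones the report lists (defanged as printed)
TAG28_ZONES = [
    "samuelblog[.]me", "samuelblog[.]site", "samuelblog[.]info",
    "samuelblog[.]website", "samuelblog[.]xyz",
]


@dataclass
class BeaconMatch:
    qname: str
    zone: str          # everything after the ns1 label
    hex_labels: int    # how many hex-only labels carry the payload
    payload_len: int   # total hex characters across those labels


def refang(name: str) -> str:
    """'samuelblog[.]info' -> 'samuelblog.info', lower-cased, no trailing dot."""
    return name.replace("[.]", ".").strip(".").lower()


def match_cs_dns_pattern(qname: str, max_label: int = 56) -> Optional[BeaconMatch]:
    """Return a BeaconMatch when qname looks like api.<hex>[.<hex>...].ns1.<zone>."""
    labels = refang(qname).split(".")
    # Minimum shape: api, at least one hex label, ns1, and a two-label zone
    if len(labels) < 5 or labels[0] != "api":
        return None
    try:
        ns_idx = labels.index("ns1", 1)
    except ValueError:
        return None
    payload = labels[1:ns_idx]
    if not payload or not all(HEX_LABEL.match(l) and len(l) <= max_label for l in payload):
        return None
    zone = ".".join(labels[ns_idx + 1:])
    return BeaconMatch(qname, zone, len(payload), sum(len(l) for l in payload))


def scan_pdns(qnames: List[str], known_zones: List[str]) -> List[Tuple[BeaconMatch, bool]]:
    """Every matching name, paired with whether its zone is a known TAG-28 zone.
    A match under an unknown zone is still worth a look: the report found the same
    shape under other domains whose IPs triggered Cobalt Strike C2 detections."""
    zones = {refang(z) for z in known_zones}
    return [(m, m.zone in zones) for m in map(match_cs_dns_pattern, qnames) if m is not None]


# Constructed query names: two beacon-shaped names under the TAG-28 zone, one under
# an unrelated zone, and three benign or malformed names that must not match
LONG_PAYLOAD = ".".join([
    "0123456789abcdef" * 3 + "01234567",   # 56 hex characters
    "fedcba9876543210" * 3 + "fedcba98",   # 56 hex characters
    "a1b2c3d4e5f6",                        # 12-character remainder
])
SAMPLE_QUERIES = [
    "api.3f9c1d2e4b5a6c7d8e9f.ns1.samuelblog[.]info",
    f"api.{LONG_PAYLOAD}.ns1.samuelblog[.]info",
    "api.deadbeefcafe.ns1.example[.]com",
    "api.samuelblog[.]info",
    "www.samuelblog[.]info",
    "api.nothexdata.ns1.samuelblog[.]info",
]

if __name__ == "__main__":
    for match, known in scan_pdns(SAMPLE_QUERIES, TAG28_ZONES):
        print(f"{match.qname[:40]:40} zone={match.zone} labels={match.hex_labels} "
              f"payload={match.payload_len} known_tag28_zone={known}")
```

Run over a passive-DNS export, the useful output is the set of zones under which the pattern recurs, with per-zone counts and total payload volume; a zone nobody in the organization has business with, receiving hundreds of distinct hex-labelled queries, is the lead to chase, and its resolved IPs can then be checked against the C2 list.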
The 2020 border skirmishes and the subsequent economic sanctions levied by the Indian government banning Chinese mobile applications from the Indian market have resulted in increased tensions between the 2 nations. Gaining access and insight into Indian government departments and organizations will therefore likely remain of paramount interest to Chinese state-sponsored actors for the foreseeable future, as cyber operations play a key role in gathering intelligence on military technology or national security matters, in addition to political and foreign relation developments. While we cannot confirm the intent behind the observed intrusions, an Indian media entity with broad reach across the Indian population and the Aadhaar system both present valuable [targets for surveillance, espionage, or information operations](https://www.news18.com/news/india/india-is-the-next-target-of-chinese-misinformation-machinery-and-we-are-already-falling-prey-to-it-2680317.html). Although several China-based groups have migrated to using ShadowPad and other relatively new malware families, this campaign highlights that established tooling such as Winnti and offensive security tools (OST) like Cobalt Strike still prove highly effective for China-nexus threat groups conducting targeted intrusions.

#### Mitigations

Take the following measures to detect and mitigate activity associated with TAG-28:

- Configure your intrusion detection systems (IDS), intrusion prevention systems (IPS), or any other network defense mechanisms in place to alert on connection attempts to and from external IP addresses and domains associated with TAG-28 and, upon review, consider blocking them. Clients can view a list of these in the appendix of the clients-only version of this report.
- Clients can use Recorded Future Hunting Packages to hunt for and detect malware families used by TAG-28.
- We proactively detect and log malicious server configurations in our Command and Control Security Control Feed. The C2 list includes malware and tools used by TAG-28 and other Chinese state-sponsored threat activity groups, such as Winnti, PlugX, and AXIOMATICASYMPTOTE. Recorded Future clients should alert on and block these C2 servers to allow for detection and remediation of active intrusions.
- Recorded Future Threat Intelligence, Third-Party Intelligence, and [SecOps Intelligence module](https://www.recordedfuture.com/license-options/) users can monitor real-time output from NTA and Malware Analysis analytics to identify suspected targeted intrusion activity involving your organization or key vendors and partners.
- Ensure operating systems and software are up to date with the latest patches to protect against known vulnerabilities.

#### Recorded Future Threat Activity Group and Malware Taxonomy

Recorded Future’s research group, Insikt, tracks threat actors and their activity, focusing on state actors from China, Iran, Russia, and North Korea, as well as cybercriminals (individuals and groups) from Russia, CIS states, China, Iran, and Brazil. We emphasize tracking activity groups and, where possible, attributing them to nation-state governments, organizations, or affiliated institutions. Our coverage includes:

**ADVERSARY**

- Government organizations and intelligence agencies, their associated laboratories, partners, industry collaborators, proxy entities, and individual threat actors
- Recorded Future-identified, suspected nation-state activity groups, such as RedAlpha, RedBravo, RedDelta, and BlueAlpha, and many other industry-established groups
- Cybercriminal individuals and groups established and named by Recorded Future
- Newly emerging malware, as well as prolific, persistent commodity malware

Insikt Group publicly names a new threat activity group or campaign, such as RedFoxtrot, typically when analysts have data corresponding to at least three points on the Diamond Model of Intrusion Analysis with at least medium confidence.
We will occasionally report on significant activity using a temporary activity clustering name such as TAG-21 where the activity is new and significant but doesn’t map to existing groupings and hasn’t yet graduated or merged into an established activity group. We tie this to a threat actor only when we can point to a handle, persona, person, or organization responsible. In the absence of this level of adversary data, we write about the activity as a campaign. We use the most widely used or recognized name for a particular group when the public body of empirical evidence makes clear that the activity corresponds to a known group.

Insikt Group uses a simple color and phonetic alphabet naming convention for new nation-state threat actor groups or campaigns. The color generally corresponds to that nation’s flag colors, with more color/nation pairings to be added as we identify and attribute new threat actor groups associated with new nations. For newly identified cybercriminal groups, Insikt Group uses a naming convention corresponding to the Greek alphabet. Where we have identified a criminal entity connected to a particular country, we use the appropriate country color, and where that group may be tied to a specific government organization, we tie it to that entity specifically. Insikt Group uses mathematical terms when naming newly identified malware.

**INFRASTRUCTURE** | **CAPABILITY** | **VICTIM**

#### About Recorded Future

Recorded Future is the world’s largest provider of intelligence for enterprise security. By combining persistent and pervasive automated data collection and analytics with human analysis, Recorded Future delivers intelligence that is timely, accurate, and actionable. In a world of ever-increasing chaos and uncertainty, Recorded Future empowers organizations with the visibility they need to identify and detect threats faster; take proactive action to disrupt adversaries; and protect their people, systems, and assets, so business can be conducted with confidence. Recorded Future is trusted by more than 1,000 businesses and government organizations around the world. Learn more at recordedfuture.com and follow us on Twitter at @RecordedFuture.