A Chinese state-affiliated hacker group has purportedly claimed responsibility for targeting key offices within the Indian government, including what is presumed to be the Prime Minister's Office, alongside prominent businesses such as Reliance Industries Limited and Air India, as per a report by India Today.

This revelation stems from leaked data analysed by India Today's Open-Source Intelligence (OSINT) team.

Over the weekend, thousands of documents, images, and chat messages purportedly linked to I-Soon, an alleged cybersecurity contractor affiliated with China's Ministry of Public Security (MPS), were anonymously posted on GitHub. GitHub serves as a collaborative platform for developers working on open-source projects.

In response to the leak, I-Soon, in conjunction with Chinese authorities, has initiated an investigation to ascertain the circumstances surrounding the breach.

Two employees of the contractor informed the Associated Press that an internal meeting was held on February 21 to address the leak. Despite the setback, employees were reportedly instructed to continue operations as usual, with assurances that the incident would not significantly impact business operations.

The leaked data sheds light on a sophisticated network of covert hacking activities, spyware deployments, and intricate surveillance conducted by cyber threat actors affiliated with the Chinese government.

Machine-translated versions of the leaked internal documents, originally in Mandarin, reveal details of the attackers' tactics, targets, and exploits.

The range of targets extends from international entities like the North Atlantic Treaty Organization (NATO) and various European governments to Beijing's strategic partners such as Pakistan.

However, while the leak identifies targets of the cyber espionage operation, samples of the stolen data itself within the leaked documents was not found yet. Furthermore, the extent and duration of the attacks on individual targets remain unspecified in several cases.

Indian entities targeted

The leaked data identifies Indian targets such as the Ministry of Finance, the Ministry of External Affairs, and the "Presidential Ministry of the Interior," likely referring to the Ministry of Home Affairs.

During the peak of India-China border tensions between May 2021 and October 2021, advanced persistent threat (APT) or hacker groups reportedly acquired 5.49GB of data pertaining to various offices of the "Presidential Ministry of the Interior."

An internal report, purportedly prepared by iSoon, contains a translated section highlighting India as a primary focus area, particularly emphasising ministries like foreign affairs and finance. The report indicates a sustained interest in these sectors with the potential for long-term data extraction.

Allegedly breached user data includes information from the state-run pension fund manager, the Employees' Provident Fund Organisation (EPFO), as well as state telecom operator Bharat Sanchar Nigam Limited (BSNL), and private healthcare chain Apollo Hospitals.

Furthermore, Air India's stolen data encompasses details related to daily passenger check-ins, while approximately 95GB of India's immigration records from 2020, denoted as "entry and exit points data," were referenced in the leaked documents. Notably, 2020 witnessed heightened tensions between India and China following the Galwan Valley clash.

Taiwanese researcher Azaka, who initially brought attention to the GitHub leak, highlighted China's longstanding focus on India within the realm of advanced cyber espionage. According to Azaka, the stolen data encompasses a wide array of Indian organisations, including Apollo Hospitals, immigration records, the Prime Minister's Office, and population databases.

John Hultquist, the chief analyst at Google Cloud-owned Mandiant Intelligence, corroborated the authenticity of the leaked data, describing it as originating from a contractor engaged in global and domestic cyber espionage operations based in China. Hultquist highlighted the rarity of obtaining such comprehensive insights into intelligence operations.

Other targets

The hacker group implicated in the recent data leak has purportedly extended its cyber operations beyond India, claiming to have targeted various countries, including its longstanding ally Pakistan. Additionally, apparent targets encompass Nepal, Myanmar, Mongolia, Malaysia, Afghanistan, France, Thailand, Kazakhstan, Turkiye, Cambodia, and the Philippines, among others.

According to the leaked dataset, the Chinese hacker group allegedly acquired approximately 1.43GB of postal service data from Pakistan's "Anti-Terrorism Centre" located in the Punjab province between May 2021 and January 2022. The documents further reveal sanctioned surveillance activities by the Chinese government targeting Pakistan's Ministry of Foreign Affairs and telecommunications giant Zong.

Significant volumes of data were purportedly stolen from diverse entities, including Nepal Telecom, Mongolia's Parliament and police departments, a French university, and Kazakhstan's pension management authority. Furthermore, the hackers allegedly infiltrated the official systems of the Tibetan government-in-exile and its domain, Tibet.net.

For years, hacking groups with ties to China's Communist Party, such as Mustang Panda or APT41, have conducted malicious campaigns targeting organisations and countries worldwide, including the United States, to gather intelligence. In response, the US recently initiated an operation to counter a pervasive Chinese hacking campaign that compromised thousands of internet-connected devices.

This is not the first instance of China facing scrutiny for cyberattacks in India. In 2022, China-linked hackers reportedly targeted seven Indian power hubs. Similar attempts to breach India's power infrastructure were also observed in 2021.