The country needs to build up the required capability inhouse, besides joining multinational effort to police cyberattacks and develop foolproof standards with heavy penalties for violators
By Prasad Nallapati
India has set up an expert committee to look into alleged snooping by the Chinese company, Zhenhua Data Information Technology, after Indian Express reported its massive operations in the country and abroad.
The Shenzhen-based company, whose customers included Chinese intelligence and military agencies, targeted individuals and institutions in politics, government, business, technology, media, and civil society and monitored their digital footprint across social media platforms, papers, patents, bidding documents, commercial transactions, etc. Using such data, a threat analysis is produced, customized to the requirements of customers, through Artificial Intelligence (AI) tools.
The Company’s “Overseas Key Information Database” shows that it was tracking about 2.5 million individuals around the world, including at least 10,000 Indians. These include key bureaucrats in the Prime Minister Modi’s Office, Ministries of Commerce, Petroleum and Natural Gas, Home Affairs, and Defense, provincial governments in North-eastern states, World Bank, etc.
A copy of the cache of the database was retrieved from an unsecured system by the Australian cybersecurity firm, “Internet 2.0”, which shared part of it with several news organizations. The Washington Post, which examined the US section of the database, reported that at least 50,000 Americans figure in it. These include biographies and service records of aircraft carrier captains, trainee officers of the US Navy, real-time tweets originating from overseas US military installations and records of social media chatter among China watchers in Washington.
Founded in 2017, little is known about Zhenhua, which is believed to be an offshoot of a People’s Liberation Army (PLA) enterprise. Its partners include Huarong, which co-hosted a “military-civil fusion” trade conference last year in Beijing, and Global Tone Communication Technology, a subsidiary of a state-owned enterprise owned by the central propaganda department that claims to analyze 10 terabytes of social media and web content a day for government and business clients.
History of Chinese Cyber Ops in India
This is not the first such known case of Chinese monitoring of Indian networks. The history of China’s efforts to penetrate Indian networks goes back to the year 1998 when the internet was just being introduced in the country. They had then set up an internet service provider firm, named as “Now India”, with its links to parent company in Hong Kong shielded by several offshore firms in countries like Mauritius. Since then, Chinese companies have spread their control over Indian telecommunication networks through mobile phone operations, mobile apps, supply of hardware equipment and research organizations like Huawei, whose 5G solutions are now banned by several countries because of its links to the PLA.
Increase in China’s cyber activity after intrusions into Ladakh
The Chinese civilian and military intelligence organizations have now diverted many of the hacker groups associated with them to target Indian networks as the prospects of a military clash between the two increased following PLA’s intrusions into Indian territory.
According to a Singapore-based cybersecurity firm, CyFirma, there has been a 200 percent increase in cyberattacks from China since the beginning of June against India as the two are engaged in a serious military standoff in Ladakh. A host of companies like State Bank of India, ICICI Bank, Air India, Life Insurance Corporation of India, Nuclear Power Corporation, Indian Oil, Reliance Jio, Hindustan Aeronautics Ltd, Steel Authority of India were some of the targets. The systems of the Ministries of Foreign Affairs, Defense and Information and Broadcasting etc. also experienced fishing attacks.
These attacks are attributed to Chinese hacking groups `Gothic Panda’ (APT3) and `Stone Panda’ (APT10). The APT 3 group, according to cybersecurity firm Crowdstrike, was seen linked to the Chinese Ministry of State Security (MSS) entities in Guangzhou, through another firm called Boyusec. The Stone Panda group is associated with the MSS Tianjin Bureau. Zhang Shilong and GAO Qiang were found to be associated with these groups.
Maharashtra Police stated that there were more than 40,000 cyber probes or searches in one week in the middle of June this year for vulnerabilities in cyber systems relating to critical infrastructure, IT and Banking sectors. These attacks originated from Chengdu city in China.
The Cybersecurity company, The Next Web, disclosed on August 13 this year that the database of the Chinese micro-lending app, Moneed, had over 350 million records of Indian users. The database, stored on a server in China though the company claims of it being stored in Mumbai, had information on names, their phone numbers, apps installed on the phones, and their IP addresses. The company has another app on the Play Store, called MoMo, which works the same way as the Moneed. The permission list for that app said it can even control a phone’s vibration, connect and disconnect from WiFi networks, have full network access, modify a phone’s storage and read content on the phone, read contacts and modify them, and much more. The app takes access to users’ contact lists and uploads the same to its servers.
Chinese Hacker Activity Grew Multifold Worldwide During COVID Pandemic
The US charged on September 16 five Chinese nationals of APT 41 group for hacking more than 100 companies across the world relating to computer hardware, software development companies, telecom providers, video game developers, universities, etc. The ZDNet Cyber security firm, quoting court documents, said the countries affected include India, Pakistan, Vietnam, the US, Australia, Brazil, Chile, Hong Kong, Indonesia, Japan, Malaysia, Singapore, South Korea, Taiwan and Thailand. The group also compromised government computer networks in India and Vietnam. A FireEye report last year revealed how the group conducted both cyber-espionage for the Chinese regime but also intrusions for personal financial gain.
The five APT 41 members are Zhang Haoran (35), Tan Dailin (35), Jiang Lizhi (35), Qian Chuan (39) and Fu Qiang (37). The last three were employees of Chengdu 404 Network Technology, a front company that operated under the close supervision of Chinese officials. According to court documents, US officials intercepted online chats between Jiang and other Chinese hackers where the former touted knowing and operating under Gong An, a high-ranking official in the Chinese Ministry of Public Security.
The Chinese APT TA413 group, which was temporarily directed to COVID-19 themed economic espionage campaign in March this year, resumed focusing on its original targets of international Tibetan groups from end of July. Controlled by the Chinese intelligence agencies, the group was tasked to collect intelligence on Corona pandemic response and economic recovery plans of the US and Europe. According to Cybersecurity firm, Proofpoint, the group used a new malware family, dubbed “Sepulcher”, to access government and legislative bodies, research organizations and other economic agencies. The same malware is now seen being used against the Tibetan organizations.
Clash Between US and China for Technological Dominance
The latest in the ongoing battle over control of internet governance between the US and China are their respective new initiatives aimed at global data security. Foreign Minister Wang Yi launched on September 8 a Chinese initiative calling upon partnering nations to maintain an open and secure supply chain, and respect other countries’ cyber sovereignty. “Bent on unilateral acts, a certain country keeps making groundless accusations against others in the name of `clean’ networks and used security as a pretext to prey on enterprises of other countries who have a competitive edge,” Wang said.
This was in response to “Clean Network” programme that US Secretary of State Mike Pompeo unveiled last month (August 5), who said that it was aimed at protecting citizens’ privacy and sensitive information from “malign actors, such as the Chinese Communist Party.” More than 30 countries and territories such as Australia and Britain are participating in this program, which seeks to exclude Chinese telecom companies like Huawei, ZTE, Tencent, Alibaba, Baidu as well as apps, cloud service providers and undersea cables from their internet networks. The US also banned WeChat, TikTok, and their affiliated companies, besides imposing sanctions that restrict Huawei from procuring chips containing American technology.
These initiatives are just a warmup to a major clash coming up between the two giants over competing standards for core network technology, called “New Internet Protocol”, at the next meeting of the International Telecommunication Union (ITU) slated to be held in New Delhi in November this year.
Global Initiatives Against Cyberattacks
Japan is leading a massive cyber defense drill next month with the participation of over 20 countries including the US, UK, France, and the 10 ASEAN members for coordinated efforts to detect and defeat cyberattacks on critical infrastructure. Japan has designated 14 areas as critical infrastructure, including information and communications, aviation, ports, railroads, power grids, water works and finance.
In another move, a group of researchers from Europe, the US and Japan are proposing a “tech alliance” of democratic countries to respond to the Chinese government’s use of technology standards and its tech sector as instruments of state power abroad. According to the American news website, Axios, a blueprint was prepared by the Centre for New American Security, the Mercator Institute for China Studies in Germany, and the Asia Pacific Initiative in Japan to bring about digital privacy guidelines, secure supply chains and conduct joint research.
The plan, called “Common Code: An Alliance Framework for Democratic Technology Policy”, envisages setting up a new body which will have the following as the founding members, namely Australia, Canada, France, Germany, Italy, Japan, South Korea, Netherlands, United Kingdom, the US and the European Union. It has 14 specific recommendations aimed at securing and diversifying supply chains, protecting critical technologies, preserving research integrity, proactively shaping standards in ways that align with democratic values, and beefing up tech investment.
Conclusions
The above narrative gives an impression that India is not investing its resources well to protect its cyber networks despite the fact that the Chinese cyber threat is real, massive and all-pervasive. Almost all the discoveries of Chinese intrusions into Indian critical infrastructure were made by foreign cybersecurity firms and brought to the notice of New Delhi. Even the cyberattack on Kudankulam nuclear power plant in Chennai in October last year by North Korean hackers was reported by an Australian cybersecurity consultant.
Banning of 118 mobile apps of Chinese companies and setting up a committee to look into allegations of spying by Zhenhua are more of knee-jerk responses. What is needed a more comprehensive 24/7 real-time auditing of the networks of the critical infrastructure. The country needs to build up the required capability inhouse, besides joining multinational effort to police cyberattacks and develop foolproof standards with heavy penalties for violators.
(Prasad Nallapati is President of the Hyderabad-based think tank, Centre for Asia-Africa Policy Research, and former Additional Secretary to the Govt of India)