
Zhenhua Data, based in the south-eastern Chinese city of Shenzhen, compiled a database relying heavily on public open-source data. Unlike the Zhenhua Data leak, this Chinese attack offensively targeted the database servers by connecting to the Virtual Private Network (VPN) used by the Indian government. The court documents reviewed by India Today suggest that the Chinese attackers used both open market paid malware variants and customised self-developed programs in their operations.
In 2019, the conspirators compromised Government of India websites as well as virtual private networks and database servers supporting the Government of India, states the court document filed by acting US Attorney for the District of Columbia, Michael Sherwin. According to the indictment, they “used VPS PROVIDER servers to connect to an Open VPN network owned by the Government of India”.
The charges filed by Sherwin against Chinese citizens for offensive computer intrusions allege that attackers “installed Cobalt Strike malware on Indian government protected computers”.
Cobalt Strike is a readymade commercial penetration testing tool that is frequently abused by threat actors. It allows an attacker to deploy an agent named ‘Beacon’ on the victim machine. “Beacon helps the attacker to do many things as it is in-memory/file-less malware and can bypass Windows authentication, execute a payload on a remote host without writing any data to disk and steal credentials. More dangerously, it can also leverage the capabilities of other well-known attack tools such as Metasploit and Mimikatz.”

China-based actors have used Cobalt Strike malware in several attacks targeting systems in Hong Kong and India. The Chinese attackers allegedly gained unauthorised access to the systems of prominent electronic communications services and telecommunications providers for their operation. The hackers then used the data obtained from the telecommunication service providers to target government networks and individuals.
Source: India Today
