Nine Indian firms fell prey to Chinese hackers in 2021: Report
Mumbai: At least nine Indian organisations fell prey to persistent cyber attacks by a state-sponsored Chinese hacker group in 2021, recent research has revealed. The research data shared exclusively with Hindustan Times shows that a large quantity of sensitive data was accessed and stolen by the group from the targeted servers. The hacker group, which has been active since at least 2007, is known by several names in threat-intelligence reporting, the most common being Winnti and Barium. Officially, the cybersecurity community recognises it as APT41, where APT stands for Advanced Persistent Threat.
Earlier this year, Group-IB, a Singapore-based cybersecurity company, conducted detailed and focused research into APT41’s activities from January to December 2021. The research report shows that India was among the biggest targets of APT41. According to Group-IB’s report, an Indian airline and eight other Indian websites were targeted by the hacker group last year, with just one prize in the crosshairs: data.
The research found that the websites were hacked using a method known as SQL injection. SQL (Structured Query Language) is the language web applications use to read and write their databases. When a website builds a database query by pasting user input (a search term, a login name, a booking reference) directly into the query text, an attacker can type fragments of SQL instead of ordinary data and change what the query does: read tables it was never meant to expose, bypass a login check, or in some configurations run commands on the server. Just as a well-formed SQL command returns the data the application intended, an injected one returns the data the attacker intended.
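To make the mechanism concrete, here is an added example (not code from the report or from any of the affected sites) showing a flight-search query written the vulnerable way beside the same query written with bound parameters. The database, table names and the records in it are constructed for this illustration; the UNION payload is a generic textbook one, not anything the report attributes to APT41.

```python
import sqlite3

# Constructed sample database for this example (not data from the report).
# "flights" is what the search page is meant to expose; "users" is the
# credentials/contact table an attacker wants to reach through it.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (
            id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT,
            email TEXT, phone TEXT);
        INSERT INTO users VALUES (1, 'alice', 'h1', 'alice@example.com', '+91-000-000-0001');
        INSERT INTO users VALUES (2, 'bob',   'h2', 'bob@example.com',   '+91-000-000-0002');
        CREATE TABLE flights (id INTEGER PRIMARY KEY, code TEXT, destination TEXT);
        INSERT INTO flights VALUES (1, 'XY101', 'Delhi');
        INSERT INTO flights VALUES (2, 'XY202', 'Mumbai');
    """)
    return conn


def search_flights_vulnerable(conn, code):
    # Untrusted input is concatenated into the query text, so the input can
    # close the string literal and append its own SQL: the injection bug.
    sql = "SELECT code, destination FROM flights WHERE code = '" + code + "'"
    return conn.execute(sql).fetchall()


def search_flights_safe(conn, code):
    # Parameterised query: the driver binds the input as a value, so it can
    # never change the structure of the statement, whatever it contains.
    sql = "SELECT code, destination FROM flights WHERE code = ?"
    return conn.execute(sql, (code,)).fetchall()


# Generic UNION-based payload (hypothetical attacker input for this example).
# It closes the quoted literal, appends a second SELECT with the same number
# of columns drawn from the users table, and comments out the trailing quote.
UNION_PAYLOAD = (
    "' UNION SELECT username || ':' || password_hash, "
    "email || ' / ' || phone FROM users -- "
)


if __name__ == "__main__":
    db = build_db()
    print("legit, vulnerable:", search_flights_vulnerable(db, "XY101"))
    print("payload, vulnerable:", search_flights_vulnerable(db, UNION_PAYLOAD))
    print("payload, safe:", search_flights_safe(db, UNION_PAYLOAD))
```

Run as written, the vulnerable function answers the payload with every username, password hash, e-mail address and phone number in the users table, which is the "credentials, phone numbers, emails of existing users" outcome the researcher describes below; the parameterised version returns no rows, because no flight has that literal string as its code. The fix is the parameter binding, not input filtering: a quote-stripping filter can be bypassed with encoding tricks, while a bound parameter is never parsed as SQL.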
“With the help of SQL injections, the attackers managed to obtain various levels of access to several databases on the backend with information about credentials, phone numbers, emails of existing users, etc. APT41 also copied several files and managed to launch remote commands on compromised servers,” Nikita Rostovtsev, Threat Analyst at Group-IB’s Advanced Persistent Threat Research Team, told HT.
The targeted websites belonged to organisations in different sectors in India, including government, logistics, industrial manufacturing, consulting, sports, engineering, education and transport. “Group-IB has also notified the Indian Computer Emergency Response Team (CERT-In) about the Indian victims of APT41 described in our research,” Rostovtsev added.
Meanwhile, the Indian airline was one of many organisations in several countries hacked by APT41 using Cobalt Strike, a commercial adversary-simulation and command-and-control framework. It generates implants (known as Beacons) that give an operator remote control of a compromised machine, and it supports spear-phishing campaigns for delivering them. While the tool itself is legitimately developed and sold to security testers, malicious hackers, known as threat actors, have for years been using cracked and leaked copies of it for nefarious purposes.
“In the past, the tool was appreciated by cybercriminal gangs targeting banks, while today it is popular among various threat actors regardless of their motivation, including infamous ransomware operators,” the Group-IB report states.
The patiently executed campaign was observed to have gone through several stages: reconnaissance for vulnerable servers, persistent injection of malicious code, evasion of the systems’ defence mechanisms using tools that hide from common threat detectors and, finally, locating and extracting data.
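The reconnaissance and injection stages leave a recognisable trail in a web server’s access log, and that is where a defender would usually catch them first. The following is an added example (not from the report, and not a detection the affected organisations are known to have run) that scans constructed Apache-style access-log lines for the typical sequence: a stray quote that produces a server error, then tautology and UNION probes from the same address. The IP addresses, timestamps and paths are made up for this illustration.

```python
import re
from urllib.parse import unquote_plus

# Constructed Common Log Format lines for this example (not real log data).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2021:09:14:02 +0800] "GET /flights?code=XY101 HTTP/1.1" 200 512
203.0.113.7 - - [12/Mar/2021:09:14:09 +0800] "GET /flights?code=XY101' HTTP/1.1" 500 87
203.0.113.7 - - [12/Mar/2021:09:14:21 +0800] "GET /flights?code=XY101'%20AND%201=1--%20 HTTP/1.1" 200 512
203.0.113.7 - - [12/Mar/2021:09:14:33 +0800] "GET /flights?code=XY101'%20UNION%20SELECT%20username,password_hash%20FROM%20users--%20 HTTP/1.1" 200 2048
198.51.100.9 - - [12/Mar/2021:09:15:00 +0800] "GET /about HTTP/1.1" 200 1024
"""

# Minimal Common Log Format parser: client IP, timestamp, method, path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+'
)

# Signatures applied to the URL-decoded path. Decoding first matters:
# attackers routinely percent-encode spaces and quotes to slip past naive filters.
SQLI_PATTERNS = [
    (re.compile(r"'\s*(or|and)\s+\S+\s*=\s*\S+", re.I), "tautology"),
    (re.compile(r"union\s+(all\s+)?select", re.I), "union-select"),
    (re.compile(r"(--|/\*)"), "comment-terminator"),
]


def classify(line):
    """Return a finding dict for a suspicious request, or None for a benign one."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = unquote_plus(m.group("path"))
    status = int(m.group("status"))
    tags = []
    # A lone quote that makes the application throw a 5xx is the classic
    # first probe: the attacker is checking whether input reaches the query.
    if "'" in path and status >= 500:
        tags.append("quote-error")
    for pattern, tag in SQLI_PATTERNS:
        if pattern.search(path):
            tags.append(tag)
    if not tags:
        return None
    return {"ip": m.group("ip"), "ts": m.group("ts"), "path": path,
            "status": status, "tags": tags}


def scan(log_text):
    """Run classify() over every line and collect the findings in log order."""
    return [f for f in (classify(l) for l in log_text.splitlines()) if f]


def suspicious_ips(findings, threshold=2):
    """Addresses with at least `threshold` flagged requests, i.e. a probing sequence."""
    counts = {}
    for f in findings:
        counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return sorted(ip for ip, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for h in hits:
        print(h["ts"], h["ip"], h["status"], h["tags"], h["path"])
    print("probing sources:", suspicious_ips(hits))
```

The point of the per-address threshold is that any one of these requests could be a typo; three of them inside a minute from the same source, starting with an error-producing quote and ending with a UNION SELECT that returns a much larger response, is the recon-then-injection sequence described above, and the oversized response on the final request is the first sign that data is leaving.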
Group-IB also made an interesting observation in their research: APT41 seems to have fixed working hours. According to the report, the group starts working at 9 am and its activity stops around 7 pm in a time zone that corresponds to China. “In 2020, the US Department of Justice charged several individuals from China in connection with the activities attributed to the APT41. According to our observations, APT41 has two main goals: cyber espionage and financial gain,” Rostovtsev added.