Eight hundred acres of living theatre had been lovingly produced to allow the emperor to traverse his kingdom and the world without leaving home: The Garden of Eternal Brightness contained the temples of Tibet and Mongolia, the garden of Hangzhou, and a street scene with actors playing shopkeepers, entertainers and even beggars. The Western gardens, designed by Jesuit missionaries, included faux-baroque palaces and monuments modelled on the greatest European architecture.
Then, in 1860, French and British armies marched into Beijing, pillaging the Garden of Eternal Brightness and stealing royal treasures, including a Pekinese dog they nicknamed “Looty.” Around 10 years ago, in 2013, when Chinese President Xi Jinping came to power, he took top colleagues on a museum tour recording those events—and claimed the Communist Party alone could guard China’s independence.
Late in the summer of 2018, Ding Xiaoyang stood in the headquarters of the Ministry of State Security—located on the western end of the ruins of the Garden of Eternal Brightness—to receive a medal honouring his contributions as an intelligence officer. Through a front company called Hainan Technology, United States prosecutors have alleged, Ding identified and recruited “talented computer hackers to penetrate foreign entities and steal trade secrets, proprietary research and data.”
The Ministry of State Security—China’s principal intelligence service—targeted cutting-edge research on biotechnology, robotics and applied physics at universities and even industrial conglomerates. The campaign was part of a secret war authorised by Xi to secure the “great national revival” he promised.
The world of ‘Wicked Rose’
For more than two weeks now, the All India Institute of Medical Sciences (AIIMS) has been struggling to restore data lost in a ransomware attack. The data was said to have been obliterated by malware developed inside Chinese intelligence-controlled hacking networks. Experts are uncertain about the identity and motives of the attackers—which could range from ransom and blackmail to political signalling—but the collapse of the AIIMS digital infrastructure demonstrates that India is dangerously underprepared for the threat.
The story began in a one-room tenement—laundry hung out to dry next to the window sill—in Sichuan. Tan Dailin—known to his virtual friends as ‘Wicked Rose’—had dropped out of the Sichuan University of Science and Engineering. Together with other bored but technically-skilled friends—Tiang ‘Blackfox’ Lizhi, Qian ‘Squall’ Chuan, Fu ‘StandNY’ Qiang, as well as independent hackers like Zhang Haoran—the group began cracking computer networks worldwide, in search of adventure and profit.
In the years that followed, as US prosecutors noted in 2019, the hacking network would target more than 100 companies worldwide. In some cases, they demanded ransom, like at AIIMS. In others, stolen data was sold to competitors. The network also engaged in ‘cryptojacking’, in which hijacked computers are made to mine cryptocurrencies for the attackers.
Tiang’s circle flowered into a company called Chengdu 404, which specialised in network security tools, data analytics and mobile phone forensics. Among the company’s best-selling products was SonarX, which allowed its clients to harvest and analyse open-source data like social media posts. But Chengdu 404 did not advertise its star product—a hacking group called Advanced Persistent Threat 41 (APT41), which enabled it to exploit vulnerabilities in target networks.
Like many of its counterparts, Chengdu 404 advertised that it worked with “public security, military and military enterprises”. Chengdu 404’s website also proclaimed that the company was driven by “patriotic spirit”.
Tiang—an email discovered by the Federal Bureau of Investigation (FBI) shows—explained just what that meant to one freelance hacker. To reassure the hacker that he wouldn’t get into trouble with authorities, Tiang urged him not to “touch domestic stuff anymore”. Chengdu 404, he went on, had excellent ties to China’s intelligence services, which would provide protection.
FBI investigators also determined that APT41 “compromised foreign government computer networks in India and Vietnam”. The target of the attack on India has never been revealed.
Boston-based cyber-research firm Recorded Future revealed that a cyber-espionage ring it calls RedEcho targeted Indian power infrastructure during the crisis of 2021. The government said it detected the power-sector attacks and that no damage to critical infrastructure was caused. The attacks, however, have continued, expanding to include power-sector targets across northern India.
The global cyber-war
Ever since nation-States have existed, they have sought to steal each other’s secrets. The US, which pioneered computer-era electronic intelligence-gathering together with the United Kingdom, carried out 231 offensive cyber-operations in 2011 alone, documents leaked by former National Security Agency (NSA) contractor Edward Snowden revealed. The attack on Iranian nuclear centrifuges in 2010, attributed to Israel, significantly set back the country’s nuclear programme while stopping well short of war.
FBI exposure of Chengdu 404 did little to deter the Ministry of State Security. Hainan Technology continued to attempt penetration of key institutions in the US using custom malware named Murkytop and Baldflick. In most cases, investigation records suggest, the attackers used simple methods like phishing e-mails to lure unsuspecting users into enabling the installation of malware.
Less-powerful nations, scholar Magnus Hjortdal has noted, “have much to gain from an offensive and aggressive cyber-capability”. “The Chinese cyber deterrence is a strategically intelligent solution that is quite cheap, compared to a full-scale conventional military.” Like China, Russia works closely with cyber criminals—offering impunity in return for intelligence cooperation.
North Korean hackers were discovered to have been stealing Indian nuclear secrets in 2019. Those hackers targeted laptops held by former Bhabha Atomic Research Centre chief Anil Kakodkar and former Atomic Energy Regulatory Board head S.A. Bhardwaj. The North Korean attack was preceded by patient digital surveillance, which established that only two laptops had access to both the internet and internal systems.
From the evidence available, it is clear India isn’t an innocent bystander in this cyber war. IT security company Trend Micro identified multiple attacks on military and government targets in China, Pakistan, Nepal and Bangladesh by an Indian hacking network called Sidewinder. Lookout, another research firm, has claimed Indian hackers have used a new Android tool to target networks in China and Pakistan.
India remains underprepared
Even though Indian officials have long been aware of the country’s vulnerability to hostile, offensive operations, the AIIMS attack demonstrates a dangerous gap in implementation. Following attacks on petrochemicals infrastructure earlier this year, the National Security Council Secretariat hosted a boot camp simulating a full-scale cyber assault on critical infrastructure. The exercise in April, though, clearly did not get the message through to government institutions.
The vulnerabilities of computer networks aren’t exactly news. In 1994, teenager Richard ‘Datastream Cowboy’ Pryce broke into the NASA database. In 1998, two California schoolchildren succeeded in penetrating the US Department of Defense computer networks.
Fixing the problem, though, involves resources. Expert Zi Yang has reported that China plans to set up at least four full-scale cybersecurity institutions to meet its needs for trained personnel. India continues to grapple with shortages of cybersecurity personnel. Moreover, the structure of public-sector organisations doesn’t lend itself to drawing top talent.
As India becomes ever-more reliant on networks to power its progress, the damage a successful attack can inflict is sharply increasing. The AIIMS attack ought to warn of the future price of failing to make the right investments today.
The author is National Security Editor, ThePrint. He tweets @praveenswami. Views are personal.
(Edited by Zoya Bhatti)