From attacks on national grids in 2021 to the AIIMS cyberattack last year, every incident has the direct or indirect involvement of private players batting and spying for China, intelligence sources told News18. Third-party apps and private players interact with Chinese servers, sending data collected by these players, which have government access
Following the Galwan Valley clash and the Covid pandemic, India’s critical infrastructure is facing multiple cyberattacks from China.
From attacks on national grids in 2021 to the AIIMS cyberattack last year, every incident has the direct or indirect involvement of private players batting and spying for China, intelligence sources told News18.
These third-party apps and private players interact with Chinese servers, sending data collected by these players, which have government access.
TikTok, PUBG, WeChat, UC Browser, Club Factory, and more than 200 similar apps were banned by India after the same modus operandi was observed. According to a senior intelligence official involved in tracking cyberthreat-related activities, such companies have pumped multiple applications into India to collect data.
Chinese whispers
In 2020, the Mumbai power outage was another instance where distribution centres were targeted through malware.
In the matter of cyberattacks on grids, the analysis and investigation established that Chinese groups were behind them.
According to a report released two years ago by the American cybersecurity intelligence company Recorded Future, malware planted in grid systems was interacting with Chinese spies.
Last year’s cyberattack on AIIMS servers underscored the need to declare health as critical infrastructure. AIIMS faced a cyberattack that prompted changes in various systems. It was found that groups suspected to be based in one of India’s neighbouring countries, likely China, were behind the breach.
In fact, the world’s biggest data leak till 2023 was from India where 81.5 crore Indians’ data was compromised and it also had a Chinese link.
It is not that Indian agencies are unaware of this racket. Various companies have been drawn into Indian cyberspace, collecting data, spying, and transferring information to Chinese servers. An intelligence report revealed that these private companies, through malware or by granting access, collect data from Indian citizens, which is found to interact with government-sponsored Chinese servers.
One intelligence agency’s analysis showed that an application had malicious code and acquired a host of critical permissions that could be misused to compromise user data for surveillance through cameras/microphones, location tracking, and malicious network activities.
“Such apps are detrimental to the sovereignty and integrity of India and can pose serious dangers to the Indian security grid. The inputs were shared with us, and immediate action was taken without delay from the government,” the analysis stated.
Similarly, another report stated that applications are collecting data and safely dumping it in Chinese servers. The volume of data is so high that it has been saved in different servers situated in different locations.
What experts say
While there is a massive threat due to this modus operandi, which allows innocent users to inadvertently share data with Chinese groups, experts warn that hackers could use this data to manipulate or sabotage critical infrastructure.
“When third-party companies collect data and send it to Chinese servers, it creates a serious security issue. China has laws that require businesses within its jurisdiction to cooperate with the government, which could lead to sensitive data — such as government, defence, or infrastructure information — being accessed. It’s not just about espionage, the danger is that hackers could use this data to manipulate or sabotage critical infrastructure,” said Ruchin Kumar, vice president (South Asia), at Futurex, a USA-based data security solutions company, in an interview with News18. “Imagine an attack that disrupts services we all depend on — like power grids or healthcare systems. That’s the kind of risk we’re facing.”
According to Koushik Pal, a threat researcher at CloudSEK, private firms operating under the guise of legitimate security services are often complicit in covert surveillance and data mining, creating a dangerous nexus between technology and invasive monitoring.
“The recent I-SOON leak has exposed a troubling reality — some private security firms that we trust to safeguard our information are functioning as covert surveillance networks, collecting sensitive data from both governments and ordinary citizens,” Pal said. “Countries that have institutionalised cyberwarfare are increasingly targeting other nations of interest. Recently, we have observed that China may be using hacking competitions, like the Zhujiang Cup, as covert intelligence-gathering operations, with participants targeting real-world networks under the guise of cybersecurity training.”
Recent investigations by his company’s TRIAD team have uncovered a sophisticated phishing infrastructure managed by Chinese state-sponsored threat actors, targeting Indian citizens on a mass scale. High-level malware campaigns, including Android spyware and banking trojans, further amplify the risk, with threat actors disguising them as legitimate apps.
“We have also discovered a fake EPFO login application communicating with one of the servers in the phishing cluster. Our findings indicate state-sponsored espionage and large-scale PII harvesting by Chinese entities, following tactics observed in groups like TAG-28 and APT41, as seen in the I-SOON leaks,” Pal stated.
Ruchin Kumar stated that there are several steps India can take to protect its infrastructure from such cyberattacks. “First, we need strong data localisation laws to ensure that sensitive data remains within our borders, allowing us to maintain control over it. Second, we should tighten cybersecurity frameworks and regulations. Third, it’s all about collaboration. The government and private companies need to work together more closely, sharing threat intelligence in real-time so we can detect and stop attacks before they cause damage,” he said.
