Recent Cyber Attacks With Alleged Chinese Involvement That Targeted India’s Critical Infrastructure

Speculations are rife that following the Galwan clash along Indo-China border, India has become a recurrent target for cyber offensives allegedly launched by its hostile neighbor. China, however, has time and again dismissed these accusations.

A suspected Chinese malware attack caused a power outage in Mumbai in October 2020

A suspected cyberattack on the All India Institute of Medical Sciences (AIIMS) in Delhi has compromised personal health data of millions of patients, which was likely sold off on dark web. Reports allege Chinese involvement in the attack that targeted data of VVIPs, including politicians and celebrities.  

A report published by India Today revealed that a total of five servers were targeted by Chinese hackers and the extent of data leak is being investigated. The breach was detected last week on Wednesday morning, and is expected to have led to a data compromise of at least three to four crore patients. 

"With the server being down, the OPD and sample collection were handled manually but the sample system for those who do not have a Unique Health Identification were affected," an official source told PTI last week, adding that as each sample collected requires a barcode for tracking, the server going down has led to very few samples being collected. Patient care services in the emergency, outpatient, inpatient, and laboratory departments are being handled manually as the servers have remained defunct for nearly a week

The hackers have allegedly demanded a random of Rs 200 crore in cryptocurrency from AIIMS, as per a report on India Today. Data analytics reveal more than 1,600 searches on the dark web for stolen AIIMS data over the last few days, which points to the extent of privacy violations.

This is not the first or an isolated incident of cyberattacks on India’s critical infrastructure where Chinese involvement has been alleged. In fact, back in 2018, the Indian Computer Emergency Response Team (CERT-In) in a report highlighted that China was responsible for nearly 35% of the total number of cyber attacks on official Indian websites. Below is a list of recent cyber offensives with alleged Chinese involvement:

April 2022: Ladakh Power Grid

As per a report prepared by US-based cybersecurity company Recorded Future, Chinese hackers targeted seven Indian centers in Ladakh responsible for carrying out electrical dispatch and grid control near a border area disputed by the two nuclear neighbors in the month of April this year.

The Chinese hackers primarily used the trojan ShadowPad, which is believed to have been developed by contractors for China's Ministry of State Security, leading to the conclusion that this was a state-sponsored hacking effort, according to the report.

Union Minister of Power R K Singh acknowledged the attacks and said that China launched "probing cyber attacks" on the Indian power grid in Ladakh thrice since December 2021 but did not succeed because safeguards were in place to thwart such intrusions.

China's Foreign Ministry spokesperson Zhao Lijian, however, rubbished the allegations and reaffirmed that China “firmly opposes and combats any form of cyberattacks, and will not encourage, support or condone any cyberattacks.”

July 2021: UIDAI Database

A 2021 report by Recorded Future suggested that the Unique Identification Authority of India’s database suffered intrusions by Chinese hacking groups through June and July 2021, although it was not clear what data was stolen. 

The UIDAI stores critical biometric information of Indian citizens and access to such bulk personal identification data can be put to immense misuse: it can enable hackers to potentially identify government officials, formulate social engineering attacks or add to data already gathered on potential targets. 

The report revealed that the breaches were doctored through the malware Winnti, which is deployed by Chinese Advanced Persistent Threat (APT) groups, which are usually state sponsored attackers. 

The Government of India responded to the findings and said it had no knowledge of such a breach and that its database was encrypted and only available to users with multi-factor authentication. The agency had a “robust security system in place” that was constantly upgraded to maintain the “highest level of data security and integrity.”

March 2021: Vaccine Manufacturering units

In the month of March, reports from Goldman Sachs-backed Cyfirma suggested that Chinese hacking group APT10, also known as Stone Panda, had identified gaps and vulnerabilities in the IT infrastructure and supply chain software of Bharat Biotech and the Serum Institute of India (SII), the world’s largest vaccine maker.

“The real motivation here is actually exfiltrating intellectual property and getting competitive advantage over Indian pharmaceutical companies,” Reuters news agaency quoted Cyfirma Chief Executive Kumar Ritesh as saying. He added that APT10 was actively targeting SII, which is making the AstraZeneca vaccine for many countries and will soon start bulk-manufacturing Novavax shots.

February 2021: Times Group

In another tracking effort, Recorded Future pointed to data exfiltration attempts by Chinese cyber criminals targeting Bennett Coleman & Co between February and August last year. According to the firm, the Times Group was selected as a potential target due to its reportage on India-China border tensions, “likely motivated by wanting access to journalists and their sources.” 


While Times Group dismissed the “alleged exfiltration” attempts, stating that its robust cybersecurity systems managed to thwart off attacks, The Hindu quoted Recorded Future’s Lead Analyst, Jonathan Condra, as saying that there were “strong indications” that the communications were coming from within the Times’ computer networks and going out to malicious servers, “which suggests a successful implant communicating outwards.” 

The report suggested that this attack too was carried out using the Winnti malware, along with the Cobalt Strike malware. 

October 2020: Mumbai Power Outage

India’s business hub, Mumbai, faced a severe blackout on October 12, 2020 which halted local trains, shut down stock markets and hospitals for almost 10 to 12 hours. Recorded Future emphasized that this was a result of multiple malwares deployed by Chinese group RedEcho. The company’s Chief Operating Officer, Stuart Soloman, told the New York Times that “RedEcho has been seen to systematically utilise advanced cyber intrusion techniques to quietly gain a foothold in nearly a dozen critical nodes across the Indian power generation and transmission infrastructure.”


This was later seconded by Maharashtra Energy Minister Nitin Raut, who confirmed the involvement of malwares in effecting the power outage that brought Mumbai to a standstill for hours. 

Later, however, Power Minister R K Singh said that the blackout was a result of “human error” and not a cyber offensive. “There is no evidence to prove that the October 2020 electricity blackout in Mumbai was caused by a cyberattack perpetrated by China or Pakistan,” he was quoted as saying in media reports.   

Besides these six major incidents of cyber offensives with alleged Chinese involvement, India’s critical infrastructure including power grids, government offices, nuclear installations, hospitals etc have regularly faced cyber terror threats. In fact, Recorded Future reports pointed to a 261% increase in the number of suspected state-sponsored Chinese cyber operations targeting Indian organizations and companies through 2021 compared to 2020.


Speculations are rife that following the Galwan clash along Indo-China border, India has become a recurrent target for cyber offensives allegedly launched by its hostile neighbor. China, however, has time and again dismissed these accusations.