China-based threat actors target UIDAI, AIIMS, ICMR: Govt advisory

June 09, 2023 / 12:51 IST
PlugX is a remote access tool (RAT) with modular plugins that has been used by multiple threat groups

The government has detected a "new wave of cyber attack campaign" where China-based threat actors have been targeting government bodies, such as the Unique Identification Authority of India (UIDAI) and the All India Institute of Medical Sciences (AIIMS), according to a cybersecurity advisory accessed by Moneycontrol. This comes at a time when there have been relentless cyberattacks on government organisations, with AIIMS recently clarifying that it was able to thwart a separate malware attack.

An investigation by government bodies showed that critical organisations, including the Indian Council of Medical Research (ICMR), were being targeted with PlugX/Korplug malware, which is associated with Chinese threat actors.

PlugX (also tracked as Korplug) is a remote access tool with modular plugins that has been used by multiple threat groups, according to MITRE ATT&CK, a knowledge base of adversary tactics and techniques. Several cybersecurity firms, including Anomali and CrowdStrike, have published research linking the use of PlugX/Korplug to China-based threat groups such as Mustang Panda.

The advisory issued in mid-May showed that the government detected the cyberattack campaign in February 2023. The advisory warned that the malware infection was likely to increase in government organisations, "as there is no antivirus capable of detecting these malicious files".

The advisory also showed that the government was wary that the number of compromised computers was "more than observed earlier". This was because the computers, including the compromised ones, were connected to other computers through routers, so an infection on one machine could not be assumed to be isolated to it.

Moneycontrol has reached out to UIDAI, ICMR and AIIMS for further clarifications regarding the matter and the article will be updated when a response is received.

Used for espionage

The government has observed that computers in organisations were being infected by PlugX/Korplug malware through pen drives, and suspected that the modus operandi indicated "involvement of Chinese threat actors who carry out cyber attacks for data exfiltration and espionage".

The advisory also attached indicators of compromise (IoCs), which are essentially signs, such as file hashes and file names, that one should look for to tell whether a computer has been infected with the malware.
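As an added illustration of how an IoC list of that kind is put to use (this is example code, not part of the advisory or the article): the script below walks a directory, such as a mounted pen drive or a user profile, and flags any file whose SHA-256 hash or file name appears in the indicator set. The hashes and file names it checks against are constructed inside the example from dummy files; the real indicators would be taken from the official advisory, which the article does not reproduce.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk: int = 1 << 20) -> str:
    """Hash a file in 1 MiB chunks so large files do not have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for block in iter(lambda: handle.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def scan_for_iocs(root, ioc_hashes, ioc_filenames):
    """Walk `root` and return sorted (path, reason) pairs for files matching an IoC.

    `ioc_hashes` is a set of SHA-256 hex digests and `ioc_filenames` a set of
    file names, both as they would be copied from an advisory's IoC annex.
    """
    ioc_hashes = {h.lower() for h in ioc_hashes}
    ioc_filenames = {n.lower() for n in ioc_filenames}
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            if name.lower() in ioc_filenames:
                hits.append((str(path), f"filename matches IoC: {name}"))
            try:
                digest = sha256_file(path)
            except OSError:
                # Unreadable or vanished file (e.g. a pen drive pulled mid-scan): skip it.
                continue
            if digest in ioc_hashes:
                hits.append((str(path), f"sha256 matches IoC: {digest}"))
    return sorted(hits)


def demo():
    """Build a constructed directory tree standing in for a pen drive and scan it.

    Every file, name and hash here is invented for the example; none is a real
    PlugX/Korplug artefact.
    """
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "docs").mkdir()
        (root / "docs" / "report.docx").write_bytes(b"harmless document")

        payload = root / ".cache" / "payload.dat"   # constructed: hidden dropped file
        payload.parent.mkdir()
        payload.write_bytes(b"constructed sample payload bytes")

        loader = root / "update.exe"                # constructed: known bad file name
        loader.write_bytes(b"constructed sample loader bytes")

        # The "advisory" in this example flags the payload by hash and the loader by name.
        ioc_hashes = {sha256_file(payload)}
        ioc_filenames = {"update.exe"}

        hits = scan_for_iocs(root, ioc_hashes, ioc_filenames)
        # Report paths relative to the scanned root so the output is stable.
        return [(str(Path(p).relative_to(root)), reason) for p, reason in hits]


if __name__ == "__main__":
    for path, reason in demo():
        print(f"{path}: {reason}")
```

Hash and name matching of this sort is the minimum the advisory's warning implies: if signature-based antivirus does not catch the files, the IoC list is what a system administrator actually has to go on, so it should be run across every machine on the segment, not only the one first reported, given the routed connectivity the advisory describes.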

This cyber alert comes against the backdrop of AIIMS being targeted with another malware attack, months after its systems were crippled by a ransomware attack. On June 6, AIIMS said that it had detected a malware attack but the attempt was successfully thwarted.

Aihik Sur covers tech policy, drones, space tech among other beats at Moneycontrol
first published: Jun 9, 2023 12:50 pm