Why I will not take the advisory on Chinese phishing campaign seriously


An advisory from the Indian government that an email with a government email address (ncov19@gov.in) may be a phishing campaign from hackers in China appears silly, at best. That is not how phishing campaigns are carried out. Also, Chinese apps and UC browser are far more dangerous.

By Sandeep Shukla

For the last few days, the media has been inundated with a new advisory, apparently from the Indian Computer Emergency Response Team (CERT-In), Ministry of Electronics and Information Technology.

The advisory states that there will be a phishing campaign from hackers to induce users to click on a link or download an attachment, which if clicked or downloaded will harm the user’s mobile phone or computer system. The link apparently takes the user to malware-laced websites or the downloaded file will drop a malware payload on the user’s phone/computer.

The advisory claims that the email will purportedly be from a government email address – ncov19@gov.in – so it appears to be sent by the Indian government COVID-19 taskforce, making gullible people believe in the authenticity of the source.

Silly, at best

I found this advisory extremely silly, to say the least. Given the current context of conflict with China, the advisory somewhat implicitly points to the Chinese government as the possible source of the phishing campaign to harm Indian financial and government entities.

With the strongest cyber army in the world and its technological capabilities, it is hard to believe that any cyber campaign from China would be undertaken in such an amateurish manner. If the purported email was indeed part of a phishing campaign, government organisations such as CERT-In and various ministries could have easily instructed the ISPs and telecommunication providers to block the email address. All organisations that provide email services could also block it, as the specific email address is already known. It is naïve to assume that any offensive cyber professional would launch such a campaign from a single address or from a single source.

Why the claim does not stick

The Chinese cyber army probably owns a lot of bots – machines all over the world that already have trojan bots reporting to command and control servers in China. Phishing campaigns are effective when they are carried out from geographically distributed sources and from a variety of email addresses, which can easily be automated with names and email addresses previously collected from various data breaches. An immense number of breached email addresses is freely available on the Internet.

Further, given the number of data breaches we know of – various State government databases seeded with Aadhaar information, medical databases around the country and, more recently, DigiLocker – I do not think that the Chinese cyber army has any dearth of email addresses to target specific entities, with the most relevant email addresses matched using data analytical techniques. Thus, an advisory that states that a phishing campaign is likely to come from a specific email address sounds dubious. I cannot get myself to take the threat seriously, especially if the perpetrator is a powerful, cyber-capable adversary.

Furthermore, Indian critical infrastructure security can be compromised by many nation States, including China, if they want to, as a whole lot of equipment in every sector is vulnerable, probably with the exception of banking (where cyber security is taken much more seriously) and the financial sector. These other sectors run unpatched firmware and software systems that lack basic security practices.

Therefore, a silly phishing campaign does not seem likely. The more likely scenario would be attacks on the power grid, manufacturing systems and water distribution systems, to name a few.

Why the timing is wrong

On the other hand, I do not believe that China will actually launch a serious cyber-attack at this point. Launching a cyber-attack on another country during a border conflict would implicate them easily – and that would be a declaration of war. These days, it is considered a declaration of war when one country overtly launches a cyber-attack on another country’s infrastructure. While there is little doubt that many countries, including the United States, have probably infiltrated our infrastructure already, and it is a ticking timebomb, it is unlikely that anyone will detonate such a bomb so easily, as internationally that would be a huge mistake. Also, given the geopolitical position of China in terms of various conflicts (trade and otherwise) – they would not want to get involved in a war with India at a scale where the international community would unequivocally come out against them for such an act.

While I am confident that China will not wage an overt cyber war against India at this point, I am also confident that they have been collecting an immense amount of data from India and other countries – as cyber intelligence gathering provides a strategic advantage for covert strategic and tactical reasons.

Far more dangerous

For example, in an article in April 2020, Justin Sherman, a fellow at the Atlantic Council’s Cyber Statecraft Initiative, wrote very cogent arguments on why TikTok is a dangerous app. Not just because it is from a company based in China, and the Chinese government can easily force the company to turn over all the data it collects and then use such data in profiling the population. This is similar to how Cambridge Analytica used Facebook data to create profiles and microtarget pro-Trump advertisements, creating conflicts during election time. The company might also collect location information, compromising videos and other personal information on army personnel, diplomats, politicians and government officials in order to blackmail them at a later time. This should concern everyone, even if the TikTok app is not installed on a person’s officially issued mobile, as cross-correlation is always possible.

Another example is the UC browser, which is made by Alibaba, a Chinese company. It comes as the default browser in many Chinese-made Android phones. Since 2015, Citizen Lab of Canada has written several times to the company about its security problems and the kind of data it collects from users, including browsing history, location, other apps that are on the phone, etc. – enough to create profiles of individuals. Also, browsing history and location can be used to create a profile to embarrass a person – and thereby blackmail the person. Again, Beijing could easily force the company to turn over all such data to the Chinese government for later strategic use.

Too little, too late

According to a June 5, 2020 news item that I read in the Financial Express, the Indian government has already warned the military and paramilitary against 42 mobile apps – which include TikTok and UC Browser. This is too little, too late. Given the low salary of our military personnel, they cannot afford phones that are not of Chinese make. So, I suspect that the majority of them have been using phones where UC Browser is the default browser. It was also pointed out earlier that even if one uninstalls the UC browser, it remains hidden, collects information and sends the data back to the company servers. So, I am not even sure that uninstalling these apps will be sufficient.

I have not been using phones that are of Chinese make, and I strictly do not use any mobile apps from companies out of China. However, that does not guarantee that the Chinese cyber army does not have a profile on me. After all, they have many other ways of collecting information – from various data breaches in India – and also from sources such as Facebook, Twitter and LinkedIn, where I have been sharing a lot about my personal views and professional activities.

So, the question is whether you consider your data to be sensitive, and whether you will be in a position in the future where subjecting you to blackmail or other kinds of coercion could have an impact on national security. If so, then I think no app – Chinese or not – is safe. You would have to have a completely offline existence, which is quite difficult in today’s digitalised world.

(Sandeep Shukla is a Professor of Computer Science and Engineering at IIT Kanpur. His main research areas are cyber security of critical infrastructure and blockchain technology applications. Prior to joining IIT Kanpur in 2015, he was a professor of Computer Engineering at Virginia Tech, U.S. between 2002 and 2015.)