
Indian Authorities Probe Data Breach Concerns Involving PMO and EPFO

The leak reveals a complex network of covert attacks, spyware operations, and sophisticated surveillance by Chinese government-linked cyber criminals.


The Open-Source Intelligence (OSINT) team at India Today reviewed leaked data that claimed a Chinese state-affiliated hacker group had targeted major Indian government offices, such as the "PMO" (likely the Prime Minister's Office), as well as businesses like Reliance Industries Limited and Air India. 

Over the weekend, thousands of files, images, and chat messages related to I-Soon—a claimed cybersecurity contractor for China's Ministry of Public Security (MPS)—were secretly shared on GitHub.

A machine-translated version of the leaked internal documents, originally written in Mandarin, shows hackers documenting their techniques, targets, and exploits. Targets included the North Atlantic Treaty Organisation (NATO), an intergovernmental military alliance, European governments, and organisations, as well as Beijing's friends such as Pakistan. 

Indian targets 

The stolen data names Indian targets such as the Ministry of Finance, the Ministry of External Affairs, and the "Presidential Ministry of the Interior," which is likely a reference to the Ministry of Home Affairs.

During the peak of India-China border tensions, advanced persistent threat (APT) groups stole 5.49GB of data from various offices of the "Presidential Ministry of the Interior" between May 2021 and October 2021.

"In India, the primary work goals are the ministries of foreign affairs, finance, and other key departments. We continue to monitor this sector closely and want to capitalise on its potential in the long run," reads the translated India section of what appears to be an internal report prepared by I-Soon.

User data for the state-run pension fund manager, the Employees' Provident Fund Organisation (EPFO), the state telecom provider Bharat Sanchar Nigam Limited (BSNL), and the private healthcare chain Apollo Hospitals was also allegedly compromised.

The leaked documents also mention roughly 95GB of India's immigration statistics from 2020, referred to as "entry and exit points data". Notably, following the conflict in Galwan Valley in 2020, India-China relations deteriorated further.

"India has always been a major emphasis for the Chinese APT side of things. The stolen data inevitably covers quite a few Indian organisations, including Apollo Hospital, persons coming in and out of the nation in 2020, the Prime Minister's Office, and population figures," said Taiwanese researcher Azaka, who initially uncovered the GitHub leak.

This is not the first time China has been blamed for cyberattacks on India. Seven Indian power hubs were reportedly targeted by hackers linked to China in 2022. Threat actors attempted to breach India's power system in 2021 as well.