Beijing Zhidao Chuangyu Information Technology Co., Ltd. Breach Incident Score: Analysis & Impact (KNO3634336111325)
The Rankiteo video explains how the company Beijing Zhidao Chuangyu Information Technology Co., Ltd. was impacted by a breach on June 16, 2024.
Incident Summary
Key Highlights From This Incident Analysis
- Timeline of Beijing Zhidao Chuangyu Information Technology Co., Ltd.'s Breach and lateral movement inside company's environment.
- Overview of affected data sets, including SSNs and PHI, and why they materially increase incident severity.
- How Rankiteo's incident engine converts technical details into a normalized incident score.
- How this cyber incident impacts Beijing Zhidao Chuangyu Information Technology Co., Ltd. Rankiteo cyber scoring and cyber rating.
- Rankiteo's MITRE ATT&CK correlation analysis for this incident, with associated confidence level.
Full Incident Analysis Transcript
In this Rankiteo incident briefing, we review the Beijing Zhidao Chuangyu Information Technology Co., Ltd. breach identified under incident ID KNO3634336111325.
The analysis begins with a detailed overview of Beijing Zhidao Chuangyu Information Technology Co., Ltd.'s profile: the LinkedIn page https://www.linkedin.com/company/knownsec, the number of followers (237), the industry type (Computer and Network Security) and the number of employees (179).
After the initial compromise, the video explains how Rankiteo's incident engine converts technical details into a normalized incident score. The incident score before the incident was 649 and after the incident was 548, a difference of -101, which can serve as an indicator of the severity and impact of the incident.
In the next step of the video, we analyze the incident in more detail, along with the impact it had on Beijing Zhidao Chuangyu Information Technology Co., Ltd. and their customers.
On 01 May 2024, KnownSec (Beijing Zhidao Chuangyu Information Technology Co., Ltd) disclosed Data Breach, Espionage and Insider Threat issues under the banner "KnownSec Data Breach Exposing India's Immigration Records and Offensive Cyber Capabilities".
One of China's most important cybersecurity firms, KnownSec (Beijing Zhidao Chuangyu Information Technology Co., Ltd), was breached, revealing internal documents, advanced malware blueprints, and data on India's immigration records.
The disruption is felt across the environment, affecting KnownSec's secure servers and GitHub (which briefly hosted leaked files), and exposing 12,000+ internal documents, 95 GB of Indian immigration data (allegedly stolen in 2024) and blueprints/source code for advanced malware; in total, nearly 12,000+ files (including 95 GB of Indian data) are at risk.
In response, teams activated the incident response plan and moved swiftly to contain the threat with measures such as removal of leaked files from GitHub and dark web monitoring. KnownSec has made no public statement, and China denied the breach as 'groundless'.
The case remains ongoing (unofficially; there have been no public updates from KnownSec or the Chinese government). Lessons drawn include the need for stronger cyber defenses in India, the risks of private firms taking part in state-directed cyber operations, and the vulnerability of reconnaissance tools (e.g., ZoomEye) to exposure. Recommended next steps include enhancing monitoring of Chinese cybersecurity firms, strengthening India's immigration data protection, and conducting forensic analysis of leaked tools for indicators of compromise (IoCs).
Finally, we map the incident to the MITRE ATT&CK framework to see which tactics and techniques correlate with what was observed.
The MITRE ATT&CK framework is a knowledge base of techniques and sub-techniques that are used to describe the tactics and procedures of cyber adversaries. It is a powerful tool for understanding the threat landscape and for developing effective defense strategies.
Rankiteo's analysis has identified several MITRE ATT&CK tactics and techniques associated with this incident, each with varying levels of confidence based on available evidence.
- Initial Access: Valid Accounts: Cloud Accounts (T1078.004), moderate to high confidence (70%), supported by evidence indicating unauthorized access listed as attack vector; insider/ideological actor suspected. Trusted Relationship (T1199), moderate to high confidence (80%), supported by evidence indicating state-aligned hacking operations and KnownSec's ties to Chinese military initiatives.
- Credential Access: Unsecured Credentials: Credentials In Files (T1552.001), high confidence (90%), supported by evidence indicating 12,000+ internal documents exposed, likely including credentials for malware/tools. OS Credential Dumping: Security Account Manager (T1003.002), moderate confidence (60%), supported by evidence indicating source code for surveillance tools capable of extracting chat histories, which implies credential theft capabilities.
- Discovery: File and Directory Discovery (T1083), high confidence (95%), supported by evidence indicating 95 GB of Indian immigration data and digital infrastructure maps of India exfiltrated. Network Service Discovery (T1046), moderate to high confidence (85%), supported by evidence indicating ZoomEye reconnaissance data exposed, used for network scanning.
- Collection: Data from Local System (T1005), high confidence (100%), supported by evidence indicating 12,000+ internal documents including malware blueprints and chat histories from WeChat/QQ/Telegram. Automated Collection (T1119), high confidence (90%), supported by evidence indicating source code for surveillance tools capable of automated data extraction.
- Exfiltration: Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol (T1048.003), moderate to high confidence (80%), supported by evidence indicating leaked files circulated on dark web forums and briefly hosted on GitHub. Automated Exfiltration: Traffic Duplication (T1020.001), moderate to high confidence (70%), supported by evidence indicating that 95 GB of data exfiltrated suggests automated processes for large-scale transfer.
- Defense Evasion: Indicator Removal: File Deletion (T1070.004), moderate to high confidence (75%), supported by evidence indicating removal of leaked files from GitHub as a containment measure. Impair Defenses: Disable or Modify Tools (T1562.001), moderate confidence (60%), supported by evidence indicating internal containment efforts (leaked memos) may imply disabling of monitoring tools.
- Command and Control: Ingress Tool Transfer (T1105), high confidence (90%), supported by evidence indicating blueprints for advanced malware, remote access tools, and hardware implants exposed. Proxy: External Proxy (T1090.004), moderate to high confidence (70%), supported by evidence indicating dark web monitoring suggests use of external proxies for anonymity.
- Impact: Data Encrypted for Impact (T1486), lower confidence (0%), supported by evidence indicating no ransomware-related incident; excluded for clarity. Resource Hijacking: Storage Resources (T1496.002), moderate to high confidence (85%), supported by evidence indicating 95 GB of Indian immigration data exfiltrated, impacting storage/resources.
- Persistence: Server Software Component: Web Shell (T1505.003), moderate to high confidence (80%), supported by evidence indicating remote access tools and malicious USB chargers imply persistent access mechanisms.
- Lateral Movement: Remote Services: SSH (T1021.004), moderate to high confidence (70%), supported by evidence indicating digital infrastructure maps suggest lateral movement across Indian government networks.
These correlations help security teams understand the attack chain and develop appropriate defensive measures based on the observed tactics and techniques.
Sources
- Beijing Zhidao Chuangyu Information Technology Co., Ltd. Rankiteo Cyber Incident Details: http://www.rankiteo.com/company/knownsec/incident/KNO3634336111325
- Beijing Zhidao Chuangyu Information Technology Co., Ltd. CyberSecurity Rating page: https://www.rankiteo.com/company/knownsec
- Beijing Zhidao Chuangyu Information Technology Co., Ltd. Rankiteo Cyber Incident Blog Article: https://blog.rankiteo.com/kno3634336111325-knownsec-beijing-zhidao-chuangyu-information-technology-co-ltd-breach-june-2024/
- Beijing Zhidao Chuangyu Information Technology Co., Ltd. CyberSecurity Score History: https://www.rankiteo.com/company/knownsec/history
- Beijing Zhidao Chuangyu Information Technology Co., Ltd. CyberSecurity Incident Source: https://www.wionews.com/world/did-china-access-indian-immigration-and-border-data-what-the-breach-of-cybersecurity-firm-knownsec-revealed-1763014825226
- Rankiteo A.I CyberSecurity Rating methodology: https://www.rankiteo.com/static/rankiteo_algo.pdf
- Rankiteo TPRM Scoring methodology: https://static.rankiteo.com/model/rankiteo_tprm_methodology.pdf