Cyber Incident Victim: CNN-News18
Date: Sep 2020
Location: India
Summary
A hacking group known as "John Wick" or "Korean Hackers" allegedly breached an Indian news channel's systems to send unauthorized push notifications denying their involvement in a separate PayTM Mall cyberattack. The group also compromised the Indian Prime Minister's Twitter account to refute the claims, sharing purported evidence including internal IP addresses, credentials, and a JSON authentication token used to distribute browser alerts redirecting to a PasteBin statement. Screenshots suggested access to the channel's codebase, mirroring tactics from a prior ZEE5 hack, though the breach's authenticity remained unverified by the organization. The actors emphasized their actions were solely to dispute attribution of the PayTM incident, not for financial gain.
Description
In early September 2020, a hacker group identifying as "John Wick" or "Korean Hackers" executed a series of intrusions targeting high-profile Indian digital assets in order to publicly deny allegations of their involvement in a prior breach of PayTM Mall. The incident began when the group contacted BleepingComputer in August 2020 to refute a report by the cybersecurity firm Cyble attributing the PayTM Mall compromise to them. The actors then escalated by breaching the verified Twitter account of Indian Prime Minister Narendra Modi on September 3, 2020, posting tweets stating that they had no role in the PayTM incident and claiming that media outlets had ignored their emailed denials. Concurrently, the group allegedly compromised systems at CNN-News18, an English-language news channel operated by India’s News18 network. They provided BleepingComputer with screenshots purportedly showing access to News18’s internal infrastructure, including folder directories for language-specific channels, internal IP addresses, usernames, passwords, and a JSON authentication token. Using this access, the attackers pushed a browser notification to News18 subscribers reading "Paytm Mall John Wick - Not hacked by our Team," which redirected users to a PasteBin page reiterating their denial. The notification mechanism was tied to News18’s codebase; the hackers shared commit-history screenshots resembling those from their earlier breach of the Indian streaming service ZEE5, where they had defaced platforms and demanded Ethereum payments.

BleepingComputer partially validated the technical claims: it confirmed the open directory on Cyble’s amibreached.com site that the hackers had described, but found no evidence of the alleged remote access script. Cyble’s CEO Beenu Arora denied any breach of their systems or unauthorized script uploads. The threat actors did not seek a financial ransom during the News18 intrusion, diverging from their ZEE5 campaign. News18 did not publicly acknowledge the incident or respond to inquiries about the authenticity of the provided screenshots at the time of reporting. The attackers’ actions created a paradoxical scenario in which they compromised multiple systems—including a national leader’s social media account and a major media outlet’s infrastructure—to disprove a single hack allegation, potentially exposing additional systems and escalating their legal liability. The push notification campaign represented an unconventional use of breached media platforms to communicate directly with audiences, while the unresolved status of the claims left the full scope of accessed systems and data uncertain.
