A hacking group claims to have breached India’s CNN-News18 news site to use it to refute claims that they hacked PayTM Mall earlier this week, BleepingComputer has learned.
News18 is an English-language news channel that provides Indian and local news via the Indian Broadcasting Network and international news in a partnership with CNN.
A hacker group that goes by the names “John Wick” and “Korean Hackers” has provided BleepingComputer with information on the hacking of the Indian Prime Minister’s Twitter account and the online systems of the popular Indian news channel News18.
This same group had previously hacked the video-on-demand service ZEE5 and defaced multiple websites, seeking nothing but a “10 Ethereum ‘donation’ for their help.”
In their quest to refute claims that they were behind the PayTM hacks, “John Wick” breached the Indian PM’s Twitter account and allegedly hacked the TV channel News18 to spread the message of their innocence.
And so the story begins…
In August, “John Wick” emailed BleepingComputer to refute a report Cyble had published that attributed a PayTM Mall breach to the hacker group.
The threat actors then claimed to have breached Cyble’s amibreached.com to download its database and install a remote access tool to an open directory.
Cyble’s CEO, Beenu Arora, has told BleepingComputer that they could find no indications that they were breached or that a remote access script was uploaded.
BleepingComputer was able to validate the open directory listing claims, but when we looked, the directory did not include the alleged remote access script.
Hacks many sites to refute one hack
In a paradoxical series of events, determined to assert their innocence regarding the PayTM Mall attack, “John Wick” hacked the Twitter account of Indian Prime Minister Modi, telling the world they weren’t the ones behind the PayTM hacks.
“There is no other intention to hack this account. Recently fake news of our name saying PayTM mall [was] hacked by us. So we have sent email to all news publishers in India [that] it’s not us, no one replied, so we decided to post something,” read one of the tweets published from the PM’s verified Twitter account.
Furthermore, “John Wick” has provided BleepingComputer with additional information.
These images demonstrate the hackers may have hacked the systems of the Indian news channel News18 and sent out push notifications to its subscribers to deny their involvement in the PayTM hacks.
Further screenshots provided by the group showed folders of language-specific channels of the News18 group.
It must be noted that the authenticity of these screenshots cannot be validated, and at the time of writing, we have not received a response from the News18 group about this alleged hack.
In an email sent to BleepingComputer, John Wick included internal IP addresses, ports, usernames, passwords, and a JSON request with an authentication token that they had allegedly used for pushing out browser notifications to News18 subscribers.
The push notification reads, “Paytm Mall John Wick – Not hacked by our Team”
When clicked, these browser notifications opened a page at PasteBin that once again refuted the claims that the threat actors hacked PayTM Mall.
As in the ZEE5 hack, where John Wick had allegedly taken control of the company’s codebase, the hacker group provided screenshots showing the commit history for News18’s codebase.
Granted, John Wick’s motivation, in this case, wasn’t to collect 10 ETH donations.
However, in trying to assert their innocence by competence, they may have breached many more systems and become criminally complicit—all to disprove one allegation of having hacked PayTM.
This is a developing story. Please check back for updates.