Cyber attacks originating from India, targeting China and Pakistan, on the rise: Report
Analysts suspect the group’s origins trace back to India, potentially with state support, based on IP address locations and linguistic patterns
A string of cyberattacks originating from India have been highlighted in recent reports by Chinese cybersecurity firms, with the attacks targeting China and Pakistan among others, a newspaper reported on Friday.
One cyberattack on the Chinese military, intercepted by a cybersecurity group in China in December, was said to be orchestrated by a group of hackers from India, the South China Morning Post said.
The attack bore striking similarities to earlier ones in terms of targets and methodologies, suggesting the involvement of the same group, the report said.
This group, identified as an advanced persistent threat (APT), was said to be active since at least November 2013, before the advent of Narendra Modi as the prime minister of India.
It was first discovered and named “Bitter” by American security firm Forcepoint and “Manlinghua” by Chinese company Qihoo 360 in 2016, the Post said in its lead story.
Over that time, the increasing exposure of Bitter’s activities has shed light on the group’s political motives as it primarily targets Pakistan and China, it said. The group is said to focus on government agencies, military and nuclear sectors.
India link
Cybersecurity analysts suspect the group’s origins trace back to India, potentially with state support, based on IP address locations and linguistic patterns observed in the attacks.
Moreover, Bitter is believed to be connected with several other groups that are suspected to be Indian, including Patchwork, SideWinder and Donot among others, the newspaper said.
“Contrary to popular belief that China’s cyber threats mainly come from the US, professionals in the field point out that a significant number of attacks originate from South Asian countries,” the daily quoted un named Beijing-based security expert involved in the investigation of the attacks as saying.
China’s foreign ministry has consistently refrained from public condemnation.
Modus operandi
Bitter employs two primary attack strategies: spear phishing and watering hole attacks.
Spear phishing involves sending targeted individuals bait documents or links via email, which, when opened, deploy Trojans to download malicious modules, steal data and allow further instructions from the attackers.
Watering hole attacks compromise legitimate websites to host malicious files or create fake websites to trap victims, usually centred on content of interest to the target person such as shared forum software tools.
Significant damage
“Despite not being the most sophisticated in technique, Bitter’s customised and varied approaches to different targets have proven effective. Just like telecommunications fraud, although many methods are simple, people are still fooled every year,” the anonymous expert was quoted as saying.
Bitter’s operations, primarily focused on intelligence gathering, may not appear destructive on the surface, but can lead to significant information breaches with immeasurable consequences
According to disclosures by cybersecurity firms, there were seven attacks in 2022 and eight in 2023 closely linked to Bitter, targeting Pakistan, Bangladesh, Mongolia and China.
These attacks varied from impersonating the Kyrgyzstan embassy to sending emails to the Chinese nuclear industry. Hackers also posed as military contractors offering anti-drone systems to the Bangladeshi Air Force and even exploited compromised email accounts to spread malicious files under the guise of New Year greetings, the report said.
