Chinese cyber warfare? Hackers with Chinese, North Korean, Pakistani links attack Indian websites

If at the Line of Actual Cotrol, Indian forces are facing off against an actively hostile China, in the cyber world, agencies defending India’s internet domain are facing a cyber war waged by China through invisible hackers. Over the last two months, since border tensions broke out, Indian agencies have been battling direct and indirect attacks from what seems to be a multinational coalition.

Virtually every sector and cyber platform in India has been facing attacks originating from China, North Korea and Pakistan. Hacking attempts from the three nations are multiplied using bots and proxies, and attackers from of different origins are carrying out different tasks.

Top sources in the government say that though the attacks are coming from different countries, a single guiding hand behind a bulk of the attacks cannot be ruled out, especially because these hacking attacks are timed with the escalation of tension at the China border.

A senior IT ministry official said, “There are virtually no independent actors in China where systems are terribly opaque. And that’s why the attacks can’t be attributed to non-state players alone. Many of the known hackers are established fronts of the Chinese government. And China, Pakistan and North Korea are part of an identified axis. Both in Pakistan and North Korea, the state operates such [hacker] entities.”

Sources in the government say that over the last two months, cyber attacks numbering in thousands have been thwarted by Indian IT defence systems. The attacks have specific mandates that range from attempts to gain unauthorised access to Indian systems or their data, creating unwanted disruption and denial of service attacks to abuse or misuse of systems or data.

Such attacks have been reported on a global level as well. A heavy traffic of cyber attacks was witnessed after Covid-19, which originated in China, spread on a massive scale globally. In March 2020, Chinese hackers are said to have targeted over 75 organisations around the world in the manufacturing, media, healthcare, and non-profit sectors as part of a broad-ranging cyber espionage campaign.

Last week, though the ministry of commerce denied it, sources in the National Informatics Centre, or NIC, which manages central and state government websites and communication systems, had to scramble and ‘smash’ a cyber attack by a hacker group that had breached the security firewalls of the ministry’s official site and almost taken charge of the security protocols.

CHINA

In a big revelation, a senior government official said, “Hacking attempts originating from China are looking for information about products and raw material procurement including that for anti-Covid19 battle and policies. This is where the Chinese business interest comes in. If they know what India needs or wants to procure, Chinese companies and entities can align their supplies.”

The Chinese government through its ‘hacktivists’ is also attempting to know more about changes in manufacturing, import and other policies that can impact Chinese interests. There has been a spurt in such attempts since April, when India announced new FDI rules that curb inflows from neighbouring countries, especially China. With Prime Minister Narendra Modi’s appeal to “go vocal for local” and the Atmanirbhar Bharat Abhiyan, or self reliant movement, China is out to pilfer information on Indian policies and plans.

Since email platforms are also under attack, important advisories on their use and those of chat and conference platforms have been sent.

According to IT ministry sources, Stone Panda, a Chinese threat actor group, has been active in these attacks. The group has traditionally shown interest in stealing international trade secrets and supply chain information from various enterprises in countries such as India, Japan, USA, Canada, and Brazil. The group’s known motive has been known to be sensitive data exfiltration. The group is said to be linked to the Chinese Ministry of State Security (MSS) entities in Guangzhou.

The other group is believed to be Gothic Panda, which is a long-standing Chinese threat actor group that has targeted aerospace, defence, construction and engineering, telecommunications, transportation, and manufacturing sectors in the past.

NORTH KOREA

The attackers with origins in North Korea have been carrying out two-pronged attacks. One is by creating a huge amount of unusual activity, thereby raising demand on the servers of Indian government and institutional websites. IT ministry sources say, “This in cyber parlance is called Distributed Denial Of Service or DDoS. It’s similar to what happens to the IRCTC site when the Tatkal operations are on. Too much demand either slows down the system or stalls it.”

A couple of days back Cert-In, India’s premier internet defence agency, issued a specific alert about phishing attempts.

Cert-In’s advisory warning of phishing attempts

It warned with a sample email that it is “reported that malicious actors are planning a large-scale phishing attack campaign against Indian individuals and businesses (small, medium, and large enterprises). The campaign is expected to use malicious emails designed to drive recipients towards fake websites where they are deceived into downloading malicious files or entering personal and financial information.”

According to Singapore-based Cyfirma Research, a cyber threat intelligence firm, North Korea’s infamous Lazarus Group of hackers seems to be behind the phishing threat. Sources say that the attempt is to target the Rs 20 lakh crore worth welfare packages for citizens announced by the government. The hackers plan to lure vulnerable individuals and companies into falling for the phishing attacks.

PAKISTAN

The cyber attacks originating from Pakistan have military interests or are aimed at causing embarrassment to India or its premier institutions.

“Pakistan has for long been trying to pick up bits and pieces of information about Indian defence deployments and defence strategies. The hacking forays originating from Pakistan could be to suck out information about Indian deployment effort along the LAC which could be useful for the Chinese.”

These attacks are also trying to breach security protocols and deface websites

COUNTER MEASURES ON TO DEFEAT THREATS

While Cert-In has been managing a large swathe of India’s internet footprint, the NIC now has a small unit that specifically shields government websites and other online entities. Both have been extending security protocols and updating firewalls to thwart cyber attacks. A senior IT Ministry official said that one successful minor breach actually indicates that thousands of similar threats have been defeated.