Will China hackers target Indian businesses next?
- Cybersecurity firm warns of threat to Indian firms by hacking groups
- Cyfirma found chatter on China hacker forums about targeting a variety of Indian businesses, media, & government agencies
In the latest development of ongoing tensions between Asian superpowers China and India, Chinese state-sponsored hacker groups could be targeting Indian businesses and governmental agencies, according to chatter discovered on the dark net by a cybersecurity intelligence firm.
Early last week, a violent skirmish occurred in the Galwan Valley border region that is patrolled by Indian troops on one side and Chinese troopers on the other. The face-off led to 20 Indian soldiers getting killed, including an officer, and has escalated simmering border tensions between the two most populous nations in the world.
Fresh off accusations that Chinese state-backed hackers have been increasing the frequency of cyberattacks against Australia’s government infrastructure and private sector, a new report from Singaporean cyber intelligence agency Cyfirma has warned that several government agencies, media houses, pharmaceutical companies, telecommunications operators, and a large tire company in India may all be targets of a massive cyberattack, from hacking groups with links to the People’s Liberation Army (PLA), the ruling party of China.
Cyfirma says the groups have been discussing ways to “teach India a lesson” on Chinese hacker forums hosted on the dark net, with increased chat group activity over the past ten days that lines up with the timeline of the border standoff on June 15-16.
“The whisperings in the dark web and hackers’ forums have increased in volume and intensity with actual mentions of Indian targets,” said Kumar Ritesh, the founder and CEO of Cyfirma. “When we observed that IoCs (indicators of compromise) were shared, we immediately knew that the threat could be imminent.”
Ritesh says what drew Cyfirma’s attention was the potential imminent risk to Indian business interests, and the links with notorious China hacker groups. “What piqued our interest was the list published on these forums. They had names of several Indian companies, media houses, telecom operators, and a large tire company. When we started attributing the handles publishing these lists back to their sources, we found that they belonged to Gothic Panda and Stone Panda, two well-known hacking groups with direct affiliation to the PLA.”
“These two hacker groups have a history of launching cyberattacks against government agencies and competing companies in case of any geopolitical conflict with China,” Ritesh noted. Gothic Panda has allegedly been involved in large-scale cyberattacks targeting organizations in the US and Hong Kong, two other territories with ongoing conflicts with mainland China.
On the forums, plans are being surfaced to steal sensitive data, launch distributed denial of service (DDoS) attacks, deface websites, and launch malicious phishing campaigns. “In our research, these cybercriminals are looking at the defacement of websites using weaknesses in the web application, data exfiltration (sending data from the host system to the hacker’s) using specialized malware, denial of service, impersonating companies’ websites and launching malicious phishing campaigns,” Ritesh elaborated to Moneycontrol.
Companies that are said to be on the list of targets include Reliance Jio Infocomm, MRF Tires, Sun Pharmaceutical, Airtel, Cipla, Intex Technologies, Micromax, BSNL, Apollo Tires, and L&T. Various media that were critical of China were also said to be targeted, including the Hindustan Times, Times of India, and Republic TV. The websites of the Ministry of Foreign Affairs, Ministry of Defense, and the Ministry of Information and Broadcasting were also mentioned, as cited by Cyfirma’s report.
China hacker groups
According to Ritesh, the Chinese cyber collectives are the largest in the world backed by state ministries, and it is suspected that almost 314,000 people work for these communities. They predominantly operate under a geo-political agenda to attack countries that have included the US, Japan, South Korea, India, and others.
That would align with the motivations behind the recent Australia cyber attacks as well, as Australia is currently locked in a trade dispute with China. But the Australian PM Scott Morrison has stopped short of naming the alleged state sponsor, only saying, “We know it is a sophisticated state-based cyber actor because of the scope and nature of the targeting and the tradecraft used. There aren’t too many state-based actors who have those capabilities.”