Chinese State Backed Hackers Hyperactive Against India Since Border Tensions in June

By Debdutta Ghosh

China has apparently opened up a new front in its tussle with India apart from the military standoff at the Line of Actual Control in East Ladakh.  

Since the deadly clashes between the Indian and Chinese at the Galwan Valley in Ladakh, there has been a spurt in cyber attacks by Chinese hackers in India, according to reports quoting cyber security experts. 

According to a Singapore-based cyber research firm Cyfirma, since June 18, there has been a 300% spike in the hacking attempts in India that were reportedly supported by the Chinese army.

The bloody clash at the Galwan Valley at the Indo-China border in the Himalayas in the intervening night of June 15-16 between the Indian Army and People’s Liberation Army (PLA) of China saw 20 Indian soldiers, including a commanding officer die. China never disclosed the casualties of Chinese soldiers but multiple sources reports in India and outside have talked of heavy casualties on the Chinese side as well. 

Research by Cyfirma experts have noted that there is a marked shift in hacking against Indian targets since the Galwan Valley clashes, said the firm’s Chairman and CEO Kumar Ritesh. The outcome of the research work by cyber security firm has already been shared by with India’s nodal agency Computer Emergency Response Team (CERT-In) while raising a red flag aganst the increased Chinese dark web activity against India at a time when there is ia border standoff between the armies of the tow countries. 

“Our research has found that targets have changed since June 18 and a lot of activity has been noticed, almost 300% increase from June 18,” said Kumar Ritesh.

“What we are witnessing now is the reconnaissance phase during which they are collecting sensitive information about targets and then profile them, the second phase might see cyber attacks one by one,” he added.

Cyfirma researchers had noted that the cyber attacks against Indian targets were unique. After initially focusing on indigenous Indian industries such as mobile manufacturing, construction, tyres and media companies as well as on some government agencies, hackers backed by the Chinese state moved on from website defacement and reputational damage to stealing sensitive information, sensitive data, customer information and intellectual property. 

Since June when the military tensions between India and China escalated to a war like situation, the researchers also noted that this change in modus operandi had been implemented by the Chinese hackers.

Another characteristic of the attack of the Chinese state backed hackers is its brazenness. Experts noted that while previously, Chinese hackers operated through Pakistan and North Korea-based hackers, since the border tensions the hackers have started to directly engage in the cyber attacks in their efforts to siphon off sensitive data of targeted Indian entities.

“Earlier the Chinese hackers were in a supportive role for Pakistan and North Korea-based hackers but now they are in the frontline and are driving the agenda for cyber attacks,” Kumar Ritesh said. 

In a spate report, cyber security experts in India noted in the month of June over 40,300 cyber attack attempts made in just five days – specifically against agencies and entities in the Indian state of Maharashtra.  

Talking about these attacks, Inspector General of Police of Maharashtra, Yashasvi Yadav, said: “In the past 4-5 days, there is a sudden surge of cyber criminal activity in the Indian cyber space. Resources and sectors such as infrastructure, information and banking have been heavily targeted in this period by Chinese attackers. At least 40,300 cyber attacks have been made in this time, and a large volume of these attacks have originated from Chengdu, the capital city of China’s Sichuan province.”

“These attacks can be divided into three categories – denial of service, IP hijacking and phishing. This has led to the Indian government’s cyber infrastructure being vulnerable right now,” Yadav said while explaining the nature of the cyber attacks perpetrated by the Chinese hackers since the border standoff between New Delhi and Beijing. 

And according to Himanshu Dubey, director of Quick Heal Security Labs: “Over the past few days, we have seen some well-calibrated attacks targeting India’s critical infrastructure using malware that are designed to communicate with CnC (Command & Control) servers based in China. As part of these attacks, crypto miners and Remote Access Tool (RAT) malware are being dropped on victim computers, which enable remote administration and extensive interactions with those devices. Some of the actions include keylogging (a common tactic used to steal credentials), screen capture, privilege escalation (used to gain deep-level access to classified files) and data exfiltration, among others.”

Cyfirma researchers have found out that the most recent spike in cyber attacks on Indian entities were launched from bases in the Chinese capital of Beijing as well as form other cities such as Guangzhou, Shenzhen and Chengdu. 

The two most common and well known Chinese state-sponsored threat actors – Gothic Panda and Stone Panda, do not use any infrastructure in China and they tend to safely operate from their bases in the United States and Europe. They also have moles in Asia. This time however, the researchers of the cyber security firm noted that most of the stooges of both Gothic and Stone Panda were from the PLA who were not afraid to use Chinese army infrastructure to conduct the hack attempts. 

“There was always an interest in India among the Chinese state-sponsored hackers, but they were not aggressive,” said Kumar Ritesh.

The researchers and sleuths of Cyfirma claimed to have decoded vocal statements – some of which said “try to teach them (India) a lesson”. The cyber security firm also confirmed that these Chinese state sponsored hackers generally very clearly have a geopolitical agenda. This time however, these hackers were noted to be supporting the interests of local industries that makes the aim of these attacks very obvious. 

Explaining further Kumar Ritesh said: “Their targets are primarily those Indian firms which have established globally and have an international reputation.” 

Subscribe Our You Tube Channel