Cyber espionage campaign targets India and Tibetan activists

Security experts at FireEye uncovered a cyber espionage campaign that targeted organizations in India and Tibetan activists.

Security firm FireEye revealed intense activity by hackers based in China who are particularly interested in entities and organizations linked to the Indian Government, as well as in information on Tibetan activists. Once again, we are dealing with a cyber espionage campaign conducted by an alleged Chinese APT. The Chinese hackers run spear phishing attacks against their targets; the malicious emails carry an attachment containing a script called Watermain. When victims open it, the malicious code creates backdoors on the target machines.

“Its targets appear to be of particular interest to the Chinese government, such as Tibetan activists,” a company spokesman told AFP.

“It’s also well resourced and works around the clock. We found indicators in their malware that the group behind it may speak Chinese.”

Experts at FireEye have been monitoring Watermain’s activity since 2011; the APT has targeted more than 100 entities so far, about 70% of them from India.

“Collecting intelligence on India remains a key strategic goal for China-based APT groups, and these attacks on India and its neighbouring countries reflect growing interest in its foreign affairs,” said Bryce Boland, FireEye chief technology officer for Asia Pacific.

“Organizations should redouble their cyber security efforts and ensure they can prevent, detect and respond to attacks in order to protect themselves.”

FireEye detected the same APT group in April 2015, one month before Indian Prime Minister Narendra Modi’s first visit to China.

FireEye has already reported cyber espionage conducted by other APT groups; in April the security firm revealed the details of APT30, which targeted an aerospace and defence company in India, among others.

“Advanced threat groups like APT 30 illustrate that state-sponsored cyber espionage affects a variety of governments and corporations across the world,” explained Dan McWhorter, VP of threat intelligence at FireEye. “Given the consistency and success of APT 30 in Southeast Asia and India, the threat intelligence on APT 30 we are sharing will empower the region’s governments and businesses to quickly begin to detect, prevent, analyze and respond to this established threat.”

According to FireEye, the majority of targeted organizations in India have already patched the flaws exploited in the attacks.

At the time I was writing, the Government of Beijing had not commented on the findings of the FireEye experts.

India and China have long been involved in a dispute over their border; for this reason, the government of Beijing could have arranged a cyber espionage campaign searching for information related to Indian diplomacy.

India has also been wary of China’s influence in Sri Lanka and Nepal.

Pierluigi Paganini

(Security Affairs – India, cyber espionage)
