India-Linked Cyberattacks Target Chinese Infrastructure

Recent reports from Chinese cybersecurity firms have highlighted a series of cyberattacks targeting critical infrastructure, originating from India. These attacks have targeted, among others, China and Pakistan.

One such attack on Chinese military infrastructure, intercepted by a Chinese cybersecurity company in December, was carried out by an Indian hacker group. The attack shared objectives and methods with previous ones, indicating the involvement of the same group.

The APT group, active since November 2013, was first discovered and named “Bitter” by American company Forcepoint and “Manlinghua” by Chinese company Qihoo 360 in 2016. Over time, the unveiling of Bitter’s activities revealed its political motives, primarily targeting Pakistan and China, including government structures, military, and nuclear sectors.

Cybersecurity analysts suspect that the group has roots in India and is potentially state-sponsored, considering the IP addresses’ locations and linguistic characteristics observed in the attacks. It is also believed that Bitter is connected to several other, presumably Indian, groups, including Patchwork, SideWinder, and Donot.

Contrary to the common perception that cyber threats to China mainly come from the USA, professionals note that a significant number of attacks originate from South Asian countries, as stated by a security expert from Beijing who wished to remain anonymous. China and India, the world’s most populous countries, have complex relations, marked by both border disputes and conflicts as well as growing bilateral trade.

Bitter employs two primary attack strategies: spear phishing and watering hole attacks:

• Spear phishing involves sending targeted individuals infected documents or links via email, which, when opened, download Trojan programs for data theft and further instructions from the attackers.
• Watering hole attacks involve compromising legitimate websites to place malicious files or creating fake websites as traps for victims, usually utilizing content of interest to them.

According to reports from cybersecurity companies Anheng, QiAnXin, Intezer, and Secuinfra, in 2022 and 2023, there were 7 and 8 attacks, respectively, closely associated with Bitter, targeting Pakistan, Bangladesh, Mongolia, and China. The attacks ranged from forging letters from the Kyrgyz embassy to sending emails to the Chinese nuclear industry.

While Bitter’s operations are mainly focused on intelligence gathering and may not seem destructive at first glance, they can lead to significant information leaks with immeasurable consequences. As of now, the foreign ministries of China and India have not provided any official comments on the situation.