China and India Lock Horns on Cyber Battleground, Each Trying to Outdo the Other

Chinese Malware

The India-China tussle has moved from border clashes into cyberspace. India remained among the top five most cyber-attacked countries throughout 2020, with almost 50 percent of those attacks attributed to China alone. Chinese malware attacks targeted infrastructure, financial institutions and government agencies, undermining national security.

China started using its defensive and offensive cyber capabilities as early as 2003. By 2007, it had not only penetrated US and European networks, successfully copying and exporting data, but had also started carrying out the “Byzantine Hades” cyberattacks. It later began targeting India, using malicious software such as Trojans to gain access to sensitive government information. In view of China’s pattern of exploiting cyberspace for its strategic goals, India, too, is building up its cyber capabilities with the help of private actors.

A recent report by a US cyber security and intelligence firm, Recorded Future, revealed that a Chinese cyber campaign against India was in action throughout the COVID crisis. Four months after Indian and Chinese troops clashed in the remote Galwan Valley in May 2020, power went out in Mumbai, one of India’s most crowded cities.

Recorded Future’s threat research arm, Insikt Group, determined that a subset of the servers used in the attack shared common infrastructure tactics, techniques, and procedures (TTPs) with several previously reported Chinese state-sponsored groups, namely APT41 (aka Barium, Winnti, or Wicked Panda) and Tonto Team. The Chinese malware flowing into Indian control systems was therefore linked with the Mumbai grid failure of October 12.

Recorded Future pinned the malware intrusions on RedEcho, a Chinese state-sponsored group. The cyber attack against India’s power grid targeted a total of 12 organisations, 10 of which belonged to the power generation and transmission sector. A power plant operated by National Thermal Power Corporation (NTPC) Limited and the New Delhi-based Power System Operation Corporation Limited were the primary victims.

Meanwhile, India is also suspected of having launched various offensive campaigns against China to counter such activities. Though it is fair to say that India is still in the process of building its offensive cyber capabilities, a few Indian actors have already gained attention for doing so. For instance, an Indian state-sponsored group called Sidewinder singled out Chinese military and government entities in spear-phishing attacks after the border clashes of May 2020.

Another name that has consistently emerged in spearheading the Indian government’s cyber-offensive strategy is Phronesis. The firm successfully launched a malware attack on Chinese nationals in December 2015 and has continued to develop into a multidimensional cyber consultancy firm.

In 2019, BITTER APT, a suspected Indian APT, was attributed by China-based CERT 360, based on indicators that it had launched targeted attacks on Chinese organisations. This Indian group’s campaign was believed to have been targeting China, Pakistan and Saudi Arabia all along.

Meanwhile, Chinese hackers have unleashed tens of thousands of hacking attempts on India’s technology and banking infrastructure since the border tensions began. From knocking systems offline through denial-of-service attacks to compromising sites through phishing, Chinese hackers have used almost every mode of attack against India. They have also used Icebug, Hidden Lynx (a professional advanced persistent threat group) and APT-12 to attack government and industrial organisations.

In its latest report, Recorded Future added that most of the Chinese malware was never activated. To examine the details of the intrusion code placed in the strategic power-distribution systems, the firm would need access to India’s power systems.

The persistent cyber activities of both countries have been laying the groundwork for a far more aggressive cyber-offensive front in South Asia. The October power outage is a clear example of how placing malware in infrastructure systems can become the newest form of aggression. It is a challenging time for India: it is preparing for the next generation of cyber warfare while, at the same time, exposing itself to confrontation amid its ongoing rivalry with China.
