200% rise in cyberattacks from China in a month; India tops hit list post Galwan face-off

As per Cyfirma, a cyber threat intelligence firm, dark web conversations expressing interest in hacking Indian assets have increased substantially, and attacks are up nearly 200 per cent since the beginning of June.

  • Cyberattacks from China are up 200 per cent in June as compared to May
  • PSUs are the prime targets for Chinese hackers
  • Indian agencies have alerted about a possible large cyberattack from the Chinese army

The deadly fight between the Chinese and Indian military forces at the Galwan Valley has resulted in a 200 per cent increase in cyberattacks from China towards India. Hacker groups in China are targeting Indian institutions like ministries, large businesses, and media organisations for attacks on their IT infrastructure.

That's not all. India now tops the list of countries that are on the radar of Chinese hackers. "Since the border conflict at Ladakh, we are witnessing the Chinese hackers' communities becoming even more active. Typically, the US, Japan, Canada and Australia are the prime targets for Chinese hackers. But in the last six days, India has taken a lead whereby hackers are identifying assets, and going after them," says Kumar Ritesh, founder and CEO, Cyfirma.

The nature of the Chinese attacks is also getting more sophisticated. For instance, where the hackers were earlier defacing the websites of these institutions, they are now trying to exfiltrate data from servers, which poses national security risks. "Imagine the impact of sensitive data leaks from SBI, Air India or Nuclear Power Corporation which are now the target entities for Chinese hackers," says Ritesh.

According to Cyfirma, a host of companies like SBI, ICICI Bank, Air India, LIC, Nuclear Power Corporation, Indian Oil, Reliance Jio, Amul, Karbonn Mobiles, HAL, Hero MotoCorp, Dabur, SAIL, Wipro, and others are being targeted by Chinese hackers.

Singapore-based Cyfirma noted that until about last week, the number of attacks was far lower and concentrated around just a few companies. But in just the six days to June 23, the number of attacks has grown manifold, covering a wide variety of companies, especially public sector units (PSUs). The hackers have also targeted central government ministries like the ministry of foreign affairs, ministry of defence, and ministry of information and broadcasting with a motive of naming and shaming them.

Experts believe that the intensity of attacks will remain high in the days to come. For instance, a June 21 advisory from the central agency CERT-In says that two million Indians are at risk of cyberattacks. These individuals would be subjected to phishing campaigns from malicious actors using COVID-19 as bait. In addition, the Indian security agencies have alerted about a possible cyberattack from the Chinese army.

Chinese state-sponsored hacking groups are among the largest in the world. They first emerged in the 1990s and have grown bigger over the years. Chinese threat actors supported by the state include scientists and hacktivists; these groups are made up of intelligence operatives and patriotic hackers.

"The telemetry shows more targets have been identified, the scale has expanded, and more compromised IP (internet protocol) addresses have been discussed as vulnerabilities for technical exploits," says a June 23 note from Cyfirma. The firm's analysis attributes these attacks to the Chinese hacking groups 'Gothic Panda' and 'Stone Panda', which have close links with the Chinese government. Gothic Panda specialises in targeting strategic sectors; Stone Panda, on the other hand, has expertise in stealing trade secrets and supply chain information.

"Our research has uncovered a clear set of IOC [indicators of compromise] which are predominately used for hosting Command and Control centre, malware, and malware hashes...We strongly recommend CERT-IN to send out a public advisory to all given the scale of the potential cyberattacks. The impacted organisations should monitor and block these IP addresses and hashes immediately," the Cyfirma note says.