FireEye: Chinese Hackers Likely Targeting India

A new report from California-based Internet security company FireEye says that a cyberespionage group likely based in China has been targeting government and academic organizations in India, a country whose cyberdefense capabilities are relatively undeveloped. The attacks allegedly began just before Indian Prime Minister Modi’s first state visit to China earlier this year. The hacks in question did not carry the same telltale signs (such as identical IP addresses reused across separate cases) that lent credence to suspicions of Chinese cyberspies in previous attacks on foreign organizations, but the sensitive diplomatic nature of the information sought suggests that China may be responsible. The Washington Post’s Simon Denyer reports:

“It is most likely Chinese,” said Bryce Boland, FireEye’s chief technology officer for Asia Pacific, in an interview. “We don’t have a smoking gun, but all roads lead to China.”

[…] The group sent targeted spear-phishing e-mails to its intended victims, with Microsoft Word attachments containing information on regional diplomatic issues, FireEye said.

The attachments contained a script called “WATERMAIN” that, if opened, could infect the user’s computer, creating a “backdoor” that would allow the attacker access.

[…] The WATERMAIN script appeared to have been designed for Chinese-speaking users, Boland said, and targeted information of interest to the Chinese government. Attacks were seen on government bodies as well as diplomatic, scientific and educational institutions in Asia.

In April, FireEye said it had identified another cyberespionage group, also suspected to be based in China, that has been running a decade-long campaign to spy on and Southeast Asia. […] [Source]

FireEye’s findings suggest that hackers in China have been targeting India-based Tibetan activist and exile groups for at least four years. James Griffiths reports at the South China Morning Post:

“Over the past four years, this threat group has [targeted] over 100 victims, approximately 70 per cent of which were in India,” [FireEye…] said in a statement.

It “also targeted Tibetan activists and others in Southeast Asia, with a focus on governmental, diplomatic, scientific and educational organisations.”

[…] Beijing has viewed Tibetan groups in India with suspicion ever since the Dalai Lama fled China in 1959 to establish the Central Tibetan Administration, more commonly known as the Tibetan government-in-exile, in Dharamsala.

[…] In April, FireEye reported that a separate Chinese team, APT30, had been spying on governments and businesses in Southeast Asia and India uninterrupted for a decade, echoing claims made by researchers at US firm McAfee in 2011. [Source]

While the Chinese government has long been suspected of targeting exiled Tibetans and exiled Uyghur groups, Beijing has consistently denied any state-sponsored hacking. For more on this, see the short documentary “Tibet: Frontline of the New Cyberwar” from the Action Institute, or the Citizen Lab’s 2009 report “Tracking GhostNet: Investigating a Cyber Espionage Network.”

China faced (and denied) allegations of involvement in high-profile hacking cases against U.S. government computer systems in June.