China fears hackers, but they are not from the US

Chinese cyberattacks are often discussed in the West, but the Chinese themselves are also wary of Indian hackers. Recent reports by Chinese cybersecurity firms have highlighted a number of cyberattacks originating from India, targeting China and Pakistan among others. According to SCMP, there has been no official statement yet from the Indian or Pakistani foreign ministries.

A cyberattack on the Chinese military, intercepted by a Chinese cybersecurity organization in December, is believed to have been orchestrated by an Indian hacker group. The attack closely resembled earlier ones in both its targets and its methods, pointing to the involvement of the same group.

This group, classified as an “advanced persistent threat” (APT) and active since at least November 2013, was first documented in 2016, when U.S. security firm Forcepoint named it “Bitter” and Chinese company Qihoo 360 named it “Manlinghua”.

[Image: definition of advanced persistent threat (APT), i.e., a persistent and deep intrusion aimed at data exfiltration and system manipulation]

Cybersecurity analysts suspect the group’s origins trace back to India, potentially with state support, based on the IP address locations and language patterns observed in the attacks. Bitter is also believed to be linked to several other groups suspected of being Indian, including Patchwork, SideWinder, and Donot. According to SCMP, the group’s motives are primarily political: the hackers were mainly interested in military and security-related targets, including the nuclear sector.

“Contrary to the popular belief that China’s cyber threats come mainly from the United States, professionals in the field point out that a significant number of attacks come from South Asian countries,” said a Beijing-based security expert involved in the investigation of the attacks, who asked not to be named because of the sensitivity of the issue.

China and India, the world’s two most populous nations, have a complex relationship: border disputes and ongoing tensions on the one hand, growing bilateral trade on the other.

Chinese authorities normally do not comment on attacks, partly to avoid revealing their own weaknesses.

How Bitter works

Bitter employs two main attack strategies: spear phishing and watering hole attacks.

Spear phishing involves sending targeted individuals decoy documents or links via e-mail. When opened, these deliver a Trojan that downloads further malicious components, steals data, and accepts additional instructions from the attackers.

Watering hole attacks compromise legitimate websites to host malicious files, or set up fake websites to entrap victims. They are usually built around content of interest to the targeted person, such as software tools shared in forums.
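The two lure types described above (a decoy attachment or link, sent by a sender who poses as an embassy, ministry or military contractor) leave simple traces in the message itself. The following triage script is an added example and is not code from the article or from any of the firms it cites: it parses constructed sample e-mails with Python’s standard `email` module and flags the indicators a mail-gateway analyst would check first. The keyword list, the verified-domain allowlist, the lure-extension set and both sample messages are assumptions made for this illustration.

```python
"""Spear-phishing triage heuristics over constructed sample e-mails (added example)."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Words in a display name that imitate the senders Bitter lures have posed as
# (embassies, ministries, military contractors). Constructed for this example.
IMPERSONATION_KEYWORDS = ("embassy", "ministry", "defence", "defense", "air force", "contractor")

# Domains the receiving organisation has verified for such correspondents.
# Constructed allowlist for this example.
VERIFIED_DOMAINS = {"mfa.gov.example", "partner.mil.example"}

# Attachment types that commonly carry the first-stage Trojan in document lures.
# Constructed list for this example.
LURE_EXTENSIONS = {".doc", ".docx", ".rtf", ".xls", ".xlsx", ".chm", ".lnk", ".zip", ".rar", ".iso"}

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def _domain(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def triage(raw: str) -> list[str]:
    """Return human-readable warnings for one raw RFC 822 message; empty list = nothing found."""
    msg = message_from_string(raw)
    flags: list[str] = []

    # 1. A trusted-looking display name on an unverified sending domain.
    name, addr = parseaddr(msg.get("From", ""))
    sender_domain = _domain(addr)
    if sender_domain not in VERIFIED_DOMAINS:
        for kw in IMPERSONATION_KEYWORDS:
            if kw in name.lower():
                flags.append(f"display name '{name}' suggests '{kw}' but {sender_domain} is not verified")
                break

    # 2. Replies silently redirected to a different domain than the visible sender.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and _domain(reply) != sender_domain:
        flags.append(f"Reply-To domain {_domain(reply)} differs from From domain {sender_domain}")

    # 3. Decoy links to unverified hosts and attachments of typical lure types.
    for part in msg.walk():
        filename = part.get_filename()
        if filename:
            ext = "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
            if ext in LURE_EXTENSIONS:
                flags.append(f"attachment '{filename}' is a common lure type ({ext})")
        elif part.get_content_type() == "text/plain":
            body = (part.get_payload(decode=True) or b"").decode("utf-8", "replace")
            for url in URL_RE.findall(body):
                host = (urlparse(url).hostname or "").lower()
                if host not in VERIFIED_DOMAINS:
                    flags.append(f"link to unverified host {host}")
    return flags


# Constructed sample: an embassy-themed lure with a redirected Reply-To,
# a decoy link and a .docx attachment (payload bytes are a placeholder).
SAMPLE_LURE = """\
From: "Embassy of Kyrgyzstan" <protocol@kyrgyz-embassy-mail.example>
Reply-To: protocol@mailbox-relay.example
To: analyst@target.example
Subject: Invitation to bilateral briefing
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="lure"

--lure
Content-Type: text/plain; charset="utf-8"

Please review the attached agenda or open http://kyrgyz-embassy-mail.example/agenda
--lure
Content-Type: application/octet-stream; name="Agenda.docx"
Content-Disposition: attachment; filename="Agenda.docx"
Content-Transfer-Encoding: base64

UEsDBA==
--lure--
"""

# Constructed sample: a plain notice from a verified correspondent domain.
SAMPLE_BENIGN = """\
From: "Ministry of Foreign Affairs" <desk@mfa.gov.example>
To: analyst@target.example
Subject: Weekly notice

The notice is published at http://mfa.gov.example/notice
"""

if __name__ == "__main__":
    for label, sample in (("lure", SAMPLE_LURE), ("benign", SAMPLE_BENIGN)):
        print(label, triage(sample) or "no findings")
```

The script is deliberately conservative: each heuristic alone produces false positives (an unfamiliar but legitimate embassy domain, a mailing-list Reply-To), so in practice the flags feed an analyst queue or a scoring rule rather than an automatic block.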

“Although the technique is not the most sophisticated, Bitter’s customized and varied approaches to different targets have proven effective. Just as in the case of telecommunications fraud, although many methods are simple, people are still deceived every year,” said the anonymous expert. In the end, the human element, what intelligence professionals call HUMINT, is always the deciding factor.

Bitter operations, focused primarily on information gathering, may not seem destructive on the surface, but they can lead to significant information breaches with immeasurable consequences.

According to disclosures by cybersecurity companies such as Anheng, QiAnXin, Intezer, and Secuinfra, there were seven attacks in 2022 and eight in 2023 closely related to Bitter, targeting Pakistan, Bangladesh, Mongolia, and China.

These attacks ranged from impersonating the embassy of Kyrgyzstan to sending emails to China’s nuclear industry. Hackers also posed as military contractors offering anti-drone systems to the Bangladesh Air Force and even exploited compromised e-mail accounts to spread malicious files under the guise of New Year’s greetings.

Given the wide network of operatives involved, it is likely that many intrusions have not yet been detected, and that some of these operatives have already infiltrated state-owned facilities and companies unnoticed.


Copyright © 2024 Scenari Economici - P.IVA: 02570830063