Cyber warfare: a Bollywood special

India is expanding its state-sponsored hacking and cyber espionage activity

ANALYSIS India is sometimes overlooked by some in the threat intelligence community, even though the South Asian nation has advanced cyber capabilities – not least a huge pool of talent.

The country boasts a large number of engineers, programmers, and information security specialists, but not all of this tech talent was put to good use, even before the Covid-19 pandemic cast a shadow over the global economy.

Their somewhat limited employment prospects are said to have created a swarm of underground Indian threat actors eager to show off their hacking talents and make money – a resource that the Indian government might be able to tap into in order to bolster its own burgeoning cyber-espionage resources.

India is in catch-up mode for now, but has the technical resources to make rapid progress.

Who is being targeted by Indian hacking groups?

Geopolitical factors have fueled an increase in cyber threat activity both originating from and targeting India.

Experts quizzed by The Daily Swig were unanimous in saying that the most important target of Indian cyber-espionage by far is Pakistan – a reflection of the decades-long struggle over the disputed region of Kashmir.

China, India’s neighbour and an ally of Pakistan, is also a top target of state-sponsored Indian cyber-espionage.

Paul Prudhomme, head of threat intelligence advisory at IntSights, told The Daily Swig: “Indian cyber-espionage differs from that of other top state-sponsored threats, such as those of Russia and China, in the less ambitious geographic scope of their attacks.”




Other common targets of Indian hacking activity include other nations of the South Asian subcontinent, such as Bangladesh, Sri Lanka, and Nepal. Indian espionage groups may sometimes expand their horizons further to occasional targets in Southeast Asia or the Middle East.

Indian cyber-espionage groups typically seek information on Pakistan’s government, military, and other organizations to inform and improve India’s own national security posture.

But this is far from the only game in town.

For example, one Indian threat group called ‘Dark Basin’ has allegedly targeted advocacy groups, senior politicians, government officials, CEOs, journalists, and human rights activists across six continents over the last seven years.



How sophisticated are the techniques being used by Indian hacker groups?

India is currently considered to have a less mature cyber warfare armoury and capability than the ‘Big Six’ – China, North Korea, Russia, Israel, the UK, and US – but this may change over time since its capability is growing.

Chris Sedgwick, director of security operations at Talion, the managed security service spinoff of what used to be BAE Systems’ intelligence division, commented:

“The sophistication of the various Indian cyber threat actors does not appear to be in the same league as China or Russia, and rather than having the ability to call on a cache of 0-day exploits to utilise, they have been known to use less sophisticated – but still fairly effective – techniques such as decoy documents containing weaponised macros.”





Morgan Wright, chief security advisor at SentinelOne and former US State Department special advisor, told The Daily Swig: “India’s growing offensive capability is still immature compared to China, North Korea, Russia, Israel, the UK and US. However, there is no shortage of people with advanced technical skills in India.”

With Covid-19 causing significant unemployment in India, it can be “safely assumed a portion of people with these skills will engage in cybercrime”, according to Wright.

“Ironically, tactics learned in committing cybercrime will be of value to the intelligence and military establishment in India as they develop and grow units to engage in cyber warfare and espionage,” he said.




Assaf Dahan, senior director and head of threat research at Cybereason, told The Daily Swig: “The level of sophistication of the activity groups affiliated with India can vary; some groups have shown a high level of sophistication and use of advanced custom-built tools or advanced exploits, while others exhibited significantly less sophisticated capabilities.

“Sometimes a group might exhibit different levels of sophistication on different operations, based on the group’s needs and reasoning,” he added.

Dahan concluded: “Another point to remember: the level of sophistication isn’t always correlated with the success rate of the group’s operation or goals. Sometimes, simple social engineering attacks delivering a known commodity malware can be enough to get the threat actors what they want.”

What examples are there of Indian APT groups?

Recent attacks by Indian hacker groups:

  • The highly active cyber-espionage entity known as SideWinder has been plaguing governments and enterprises since 2012. A recently released report by AT&T Alien Labs shows most of SideWinder’s activity is heavily focused on South Asia and East Asia, with the group likely supporting Indian political interests.
  • The allegedly Indian state-sponsored group Dropping Elephant has been known to target the Chinese government via spear-phishing and watering hole attacks.
  • Viceroy Tiger has been known to use weaponised Microsoft Office documents in spear-phishing campaigns. Security researchers at Lookout recently went public with research on mobile malware attributed to the threat actors and rated as medium sophistication.

The level of direct Indian government involvement in some of these operations is contested.

Cybereason’s Dahan cautioned: “The line between ‘state operated’ or ‘state ordered’ can be rather fine, so it’s not always easy to link certain operations directly to an official government or military institution, especially due to the growing popularity of cyber mercenaries (hackers-for-hire).”

How might India expand its cyber warfare capabilities and defences?

Through an emerging initiative to provide technology education to 400,000 low-income students, India will significantly increase its cyber “bench strength”, according to Mike Hamilton, former CISO for the City of Seattle and co-founder and CISO of cybersecurity firm CI Security.

Hamilton predicted that a “cybercrime population will emerge [in India] and differentiate itself from nationalist motivations”.

Other experts reckon the flow of talent will run the other way and allow India to expand its cyber-espionage capabilities from the cohorts of cybercriminals.




So-called ‘hacking-as-a-service’ (HaaS) enriches and expands the talent pool from which Indian cyber espionage groups recruit, according to threat intel firm IntSights.

“Jobs posted on the dark web are usually simpler attacks, such as compromising email passwords,” IntSights’ Prudhomme explained.

“Cyber-espionage groups, such as Dropping Elephant, Viceroy Tiger, and Dark Basin have begun to draw upon this talent pool and raised the bar for the sophistication of attacks.”



Is India increasing its cyber capabilities?

The Indian military has invested in cyber operations to get ahead of its adversaries.

In 2019, India consolidated its cyber forces by establishing the Defence Cyber Agency (DCA), a new tri-service agency for cyber warfare.

The DCA is said to have more than 1,000 experts who will be distributed into a number of formations in the Army, Navy, and Air Force.




“This will almost certainly result in better utilisation of resources, a much clearer objective, and more sophisticated attack techniques through the sharing of best practice,” according to Talion’s Sedgwick.

The DCA’s goal is to become capable of hacking into networks, mounting surveillance operations, and laying honeytraps.

“Their capabilities and the scope of their attacks are growing but are not yet on par with those of China or North Korea,” Prudhomme believes.

Which foreign threat groups are carrying out cyber-attacks on Indian entities?

There are numerous groups targeting Indian entities, many of them publicly reported.

Some groups that the Lookout Threat Intelligence team and others have tracked in the past include Stealth Mango and Tangelo, Transparent Tribe APT, and APT30, among others.

Just as Indian cyber-espionage groups target Pakistan’s government, military, and other organizations in search of political and military intelligence, Pakistani cyber-espionage groups do likewise against equivalent Indian targets for much the same reasons.

“Chinese cyber espionage groups also target India as a political, military, and economic rival and in support of the alliance between China and Pakistan,” according to IntSights’ Prudhomme.

