Exclusive: Another group of Indian hackers exposed on decade-long attacks against China
Published: Jun 16, 2022 10:59 PM

An advanced persistent threat (APT) hacker group from India has waged a decade-long cyberattack campaign against targets in India and its neighboring countries, including China, Antiy Labs, a Chinese anti-virus services provider, told the Global Times exclusively on Thursday.

The group mainly targets social activists, social groups and opposition political parties in India, and also steals important intelligence on military and political targets in India's neighboring countries such as China and Pakistan, according to Antiy Labs. Traceability analysis indicates that the people behind the organization's operations may be located in the Indian Standard Time Zone.

Since 2012, the group has waged a decade-long cyberattack campaign against targets in India, as well as in neighboring countries including China, Li Baisong, deputy chief engineer of Antiy Labs, told the Global Times.

"Because of its extremely dark methods of cyberattack and covert actions, we named the organization Dark Elephant," Li said.

Dark Elephant's primary attack method is phishing: it sends messages to targeted users from its own email accounts or from stolen ones, tricking them into running decoy files that employ multiple anti-antivirus techniques and carry sophisticated commercial remote-access Trojan payloads.

According to Li, Chinese military and political targets have been attacked by Dark Elephant in the past.

On October 13, 2020, a suspicious email was sent to an important government department in China from a Gmail address, with the subject line "Letter about the loss of a diplomatic package with sensitive files" and a link in the body to a website where the suspicious files could be downloaded. When the self-extracting decoy was executed, four Trojan programs started running.

"This ParallaxRAT remote control Trojan is an open commercial remote control and is sufficient to support regular steganography operations," Li explained.

Dark Elephant is also behind the defamation of some social activists in India.

In January 2018, caste violence erupted in Bhima Koregaon, India, and the urban leadership of the Communist Party of India (CPI) was severely cracked down on by Indian officials during the unrest.

Rona Wilson, a prominent Indian social activist, became one of the defendants in the case, which Antiy Labs found stemmed from a long-running Dark Elephant operation to fabricate electronic evidence.

On June 13, 2016, Wilson received an email from one of his close friends asking him to download and view an attached document. In fact, it was a Trojan file sent by hackers who had taken over the sender's email account. The attackers carried out a series of steganographic operations on Wilson's computer and were also able to control it remotely through the NetWire Trojan.

On April 17, 2018, Indian police, who claimed to have been tipped off by an informant, raided Wilson's home in New Delhi and seized incriminating "digital evidence" on a USB drive and computer hard drive.

In addition, a number of cyberattacks by Dark Elephant against other Indian social activists have been observed.

"The attackers have focused on targeting social activists, social groups and political activists from parties in India such as the CPI, creating false cases and defaming them," Li said, adding that "for military and political targets in other countries, the attackers' main objective is long-term infiltration and continuous theft of secrets."

Antiy's analysis of cyberattacks suspected to originate in India began in 2013. It has captured, analyzed, named and exposed several hacker groups so far.

"Over the nearly 10 years of attacks, the focus of cyberattacks in India has gradually shifted from Pakistan to China," Li told the Global Times.

"Such Indian agencies have not only greatly increased the frequency of cyberattacks on neighboring countries, but have also widely used cyberattacks to deal with domestic social issues and defame their local social activists," Li remarked, highlighting that "this type of organization has a strong ability to act secretly and we should remain concerned and alert."