After one and a half years of investigation and analysis, a Chinese cybersecurity company found that an advanced persistent threat (APT) group based in India with a code name "Confucius", had launched fresh attacks on the Pakistani government and military institutions. 

Chinese cybersecurity company Antiy told the Global Times on Tuesday that the group's earliest attacks can be traced back to 2013. It mainly targeted governments, military and energy sectors of neighboring countries like China, Pakistan and Bangladesh to steal sensitive data.  

The group was named "Confucius" by international cybersecurity insiders. According to Li Bosong, chief engineer of Antiy, the group uses the command "Confucius says" to deliver its attacks.

"This means that the hackers have studied Chinese culture during their consistent attacks on China," Li said, noting that the group is good at using spear phishing e-mails and phishing websites, together with unique social engineering measures to attack targets.  

The group's actions are driven by political and economic profits. It steals core data or damages the key infrastructure facilities of its targets. Their attacks can have an real impact outside the network. 

According to Antiy CERT, it detected the group's attacks against Pakistani government and military facilities when it traced the attacks from the direction of the South Asian subcontinent since 2021. The group operates in the name of the working staff from the Pakistani government and sends targeted spear phishing e-mails. Once the recipients open or download the documents, Trojan horse programs are installed into the machine, stealing all the data.   

For example, Antiy found that in June 2021, the group used the malicious file with contents related to the list of those who died in the Pakistani army to conduct attacks and in February 2022, it used the file on vaccination status of Pakistani government staff to conduct attacks, according to Li. 
The hackers install different kinds of malicious software in spear phishing e-mails and trick the targets to open the links.

Antiy has fully analyzed the samples of the group's attacks and found that the hackers shared tools and codes with another APT group, SideWinder. 

It is common for Indian APT groups to share tools and codes. Previously, international cybersecurity companies revealed that the APT group codenamed "Confucius" also shared codes with other Indian groups like Urpage, Li said.  

The attacks have caught the attention of Pakistani authorities. The Pakistani National Telecom & Information Technology Security Board has issued a nationwide warning saying that hackers are sending spear phishing e-mails under the name of the prime minister's office, and called for officials and the public to stay alert and not to provide any information via e-mails or social media platforms.