In 2013, Mandiant/Fireye discovered that APT1 has been conducting cyberespionage operations since 2006. The cyberespionage operation affected or targeted at least 141 organizations across 20 major industries – ranging from IT and Transporation to Engineering Services and Chemicals – primarily in English-speaking countries, including the U.S. (115 multinationals), India (3), Singapore (2). Possibly linked to the ShadyRAT campaign, which McAfee discovered in 2011, the campaign may have also affected India, Indonesia, Vietnam, Japan, Denmark, and Germany. Given that the largest targets of cyberespionage were private entities, it is very much possible that the APT has stolen vast amounts of commercial secrets that relate to multiple sets of economic sectors and industries.

The perpetrator was suspected to be APT1 and ShadyRAT, two possible sets of hacking groups that may have some affiliations with the Second Bureau of the Third Department of PLA’s General Staff Department.
‍
There was a rise in attacks after 2010. Of note, 13 out of 16 IT organizations attacked are from 2010-2012. Most incidents across the board also seem to occur after 2010. It may be closely tied to the 12th Five-Year Plan (2011-2015), which is a cyclical strategy document by the CPC leadership that steers the general direction of economic initiatives: namely next-generation information technology, high-end equipment manufacturing, alternative energy, and new materials. Fundamentally, in launch occurred not long after the 2006 National Medium- and Long-Term Plan For the Development of Science and Technology, China laid out its goals to reduce its dependence on the West for advanced technologies, and on the U.S. and Japan in particular.

Mandiant; McAffee

The U.S. Department of Justice indicted five Chinese military officers associated with this hack.

High Confidence (9 out of 12)

• Private entities are a majority of known sectors targeted in the intrusion (2 points)
• Commercial data are known to be the dominant targets of intrusion (3 points)
• APT actor has some history of stealing IP and other commercially valuable data (2 points)
• No concrete evidence that data stolen was used to aid domestic private businesses of malign state, but data stolen likely aligns with malign state's industrial policies (2 points)

Operation Cloud Hopper is one of the largest sustained global cyber espionage campaigns. The operation has been traced back to at least 2016 and has targeted managed IT service providers, thus acquiring potentially unprecedented access to IP and sensitive data of those MSPs as well as their clients across the globe. Some of these targets compromised include Fujitsu, Tata Consultancy Services, NTT Data, Dimension Data, Computer Sciences Corporation, DXC Technology, Ericsson, and IBM (see Operation Cloud Hopper). A wide range of sectors were affected, ranging from telecommunications to mining. The suspected targets of these operations were those that aligned with China’s national security and “Made in China” goals, focused primarily on valuable military and intelligence information as well as confidential business data. PwC, in cooperation with BAE Systems and the UK’s National Cyber Security Centre, attributed the attacks to APT10, a China-based hacking group. Symantec, similarly, found an advanced persistent threat campaign targeting companies in multiple sectors across 17 regions in Japan. This campaign was also attributed to Cloud Hopper (which they called Cicada).

Several countries, including the US and Australia, attributed Operation Cloud Hopper to a hacking group that has backing from the Chinese state.

PwC, Symantec, Governments of US, UK, New Zealand, and Australia

The U.S. Government held the Chinese government accountable for these campaigns, including indicting suspected hackers. Britain, Australia, and New Zealand also made formal statements indicating that APT10 was acting on behalf of the Chinese government. However, Chinese authorities have denied supporting or directing APT10

High Confidence (10 out of 12

• Private entities are a majority of known sectors targeted in the intrusion (2 points)
• Commercial data are known to be the dominant targets of intrusion (3 points)
• APT actor is strongly associated with economic espionage operations, with motivations strongly tied to certain states’ industrial policy objectives. (3 points)
• No concrete evidence that data stolen was used to aid domestic private businesses of malign state, but data stolen likely aligns with malign state’s industrial policies (2 points)

In March 2021, Reuters published a report citing data and officials from cyber-intelligence firm Cyfirma that two major Indian vaccine and pharmaceutical manufacturers, Serum Institute of India and Bharat Biotech, experienced hacking attempts against their IT systems from China-based APT ‘Stone Panda’, also known as APT10. Cyfirma’s CEO, Kumar Ritesh, told Reuters that ‘The real motivation here is actually exfiltrating intellectual property and getting competitive advantage over Indian pharmaceutical companies.’ Citing SII’s weak web server capacity, weak web application and content management system, Ritesh pointed out the threat faced by the lax security of these manufacturers.

‍

Given that tensions between India and China have been simmering in the aftermath of the Galwan Valley clash of June 2020, China-based and state-affiliated APTs has been launching repeated cyberattacks in key sectors of India, and the 2021 incident indicates that the attack on India’s health sector is strategic. This is a clear case of cyber-espionage as India, which supplies 60% of the world’s vaccine demand and is known as the “pharmacy of the world,” maintains access to IP pertaining to vaccines such as AstraZeneca, Novavax and COVIN.

‍

In 2018, the US Department of Justice announced that APT10 has, in the past, worked in association with the Chinese Ministry of State Security’s Tianjin State Security Bureau.

Cyfirma (published in a report by Reuters)

Cyfirma reported through Reuters that they informed the Indian Computer Emergency Response Team (CERT-In) of the threat and the CERT “acknowledged it;” No comment from SII and Bharat Biotech; SS Sarma of CERT-In

Very High Confidence (11 out of 12)

• Private entities are either the sole or the primary targets of intrusion. (3
• Commercial data are known to be the dominant targets of intrusion. (3
• APT actor is strongly associated with economic espionage operations, with motivations strongly tied to certain states’ industrial policy objectives. (3)
• No concrete evidence that data stolen was used to aid domestic private businesses of malign state, but data stolen likely aligns with malign state's industrial policies (2)

Dubbed “Operation Pzchao” by Romanian cybersecurity firm Bitdefender, this cyber campaign targeted government institutions, as well as private firms in the technology, education, and telecommunications sector that are primarily based in the U.S., though with also some cases in several other countries. Bitdefender attributed the attack to Emmisary Panda, a China-based threat group active since 2010. The group has been suspected of conducting espionage operations on civil society organisations and governments deemed critical of the PRC, including advocacy organisations on Taiwan and Tibetan independence. While this threat group’s focus has traditionally been on political espionage, we suspect – with moderate confidence¬ – that this attack had possible economic objectives as well. Initiated in July 2017, this cyber incident came against the backdrop of developments in China’s technology and telecommunications sector, including Beijing laying out a development plan to become the world leader in AI by 2030. The Iron Tiger APT (aka Panda Emissary or TG-3390) is active at least since 2010 and targeted organization in APAC, but since 2013 it is attacking high-technology targets in the US.

Bitdefender

None

Moderate Confidence (7 out of 12)

• Private entities are a majority of known sectors targeted in the intrusion (2 points)
• No clear information if commercial data is targeted (1 point)
• APT actor has some history of stealing IP and other commercially valuable data (2 points)
• No concrete evidence that data stolen was used to aid domestic private businesses of malign state, but data stolen likely aligns with malign state’s industrial policies (2 points)

From January 2020 until 2021, cybersecurity firms detected a massive cyberespionage campaign targeting private entities. These campaigns were conducted in three clusters. First, from January to March 2020, there was a broad campaign against 75 private entities in 20 countries, with a focus on industries ranging from petrochemicals to defense industrial base. Mandiant notes that while it’s unclear if APT41 scanned the Internet and attempted exploitation en masse or selected a subset of specific organizations to target, the victims appear to be more targeted in nature. The economies affected were Australia, Canada, Denmark, Finland, France, India, Italy, Japan, Malaysia, Mexico, Philippines, Poland, Qatar, Saudi Arabia, Singapore, Sweden, Switzerland, UAE, UK and USA.

Second, in September 2020, hackers associated with APT41 were charged by the U.S. Department of Justice in connection with computer intrusion campaigns against more than 100 victims globally, including in Indonesia, Malaysia, Thailand, and Vietnam. The entities affected were those that specialize in software development, manufacturers, telecommunications, non-profit, universities, and civil society organizations.

Third, from July 2020 until August 2021 (ongoing as of then), Trend Micro observed an espionage campaign against victims in India, m, Malaysia, Philippines, Taiwan, and Vietnam in the airline, computer hardware, automotive, infrastructure, publishing, media, and IT industries.

US Government, Mandiant; Trend Micro

In second incident, U.S. Department of Justice indicts seven individuals (two arrested, five remaining)

High Confidence (9 out of 12)

• Private entities are a majority of known sectors targeted in the intrusion (2 points)
• Commercial data are likely to have been targeted (2 points)
• APT actor is strongly associated with economic espionage operations, with motivations strongly tied to certain states’ industrial policy objectives (3 points)
• No concrete evidence that data stolen was used to aid domestic private businesses of malign state, but data stolen likely aligns with malign state’s industrial policies (2 points)

Lazarus Group is a known hacking group with close affiliations to the North Korean government. The group consists of a wide range of smaller hacking operations that have affiliations with either North Korea’s Ministry of State Security and the Reconnaissance General Bureau (GRB). The Lazarus Group’s attacks are driven by a series of motivations, including financial gain and political and economic espionage. They have conducted a series of cyber operations across Southeast Asia, Latin America, and India, some of which are listed below:

On September 4, 2019, Pukhraj Singh, an employee of India’s National Technical Research Organization (NTRO) and an independent Indian cyber security professional, informed the National Cybersecurity Coordinator that there is a cyber intrusion detected at the KNPP and ISRO right around the time of Chandrayaan-2’s final descent, after being tipped off by a third party. He had later also declared the same on his twitter handle on October 28, 2019. Soon after his disclosure, Indian media caught fire and propagated his message intensely. In response, on October 29, the Nuclear Power Corporation of India Ltd. and the KNPP authorities issued a statement dismissing Pukhraj Singh’s warning as “false information.” Just a day later, on October 30th, however, the NPCIL issued another statement confirming that a malware attack has indeed been faced by KNPP, and that the matter was conveyed to them by CERT-In on September 4, 2019.

Because the Russian government undertook the KNPP project in collaboration with the Government of India, not only were DAE specialists investigating the matter within India, Deputy Chief of the Russian Embassy Roman Babushkin also said, “The Russian authorities are working with Indian agencies to stop any further attacks.”

The attribution for the campaign was made by several security researchers, who identified the malware as a version of Dtrack, a backdoor trojan developed by the Lazarus Group, North Korea's elite hacking unit. Kaspersky Labs, a Russian cybersecurity company, had also said in September 2023 that banks, ATMs and research institutions were already being targeted by DTrack throughout the year of 2019, and the attack witnessed by ISRO and NCPIL could just have been a part of this larger campaign.

In November 2019, as India’s Chandrayaan-2 mission was underway, CERT-In issued an alert to ISRO to beware of a possible cyber attack on its system through phishing emails sent to senior officials. The emails were loaded with malware which had the potential to hijack the email identity of the recipient and in turn be used to send mails to juniors. A month prior, in October 2019, the Nuclear Power Corporation of India’s Kudankulam nuclear plant also witnessed a similar cyberattack. The Corporation acknowledged that one of the computers on its administrative network was struck by a malware known as ‘DTrack’. Although it is not confirmed if the attack on ISRO systems also used DTrack, the APT actor has been identified as the North Korean Lazarus Group. In ISRO’s case, officials confirmed through media reports that no systems were compromised. Yash Kadakia, founder of Mumbai-based cybersecurity firm Security Brigade, also said that he had evidence of emails with malware sent to the five government agencies that same year.

Sohn Young-dong, a defense expert at Hanyang University in Seoul, said that Pyongyang may be using the nuclear technology attacks to overcome its own energy crisis, as well as aiming to "sell such information to countries" like Iran.

In April 2023, Kaspersky lab, a threat intelligence enterprise, highlighted that for many months till January 2023, they have observed a Lazarus Group campaign in India that has deployed version 2.0 of BLINDINCAN malware by leveraging an open-source UltraVNC backdoored client. The features of this updated version of BLINDINCAN include plug-in based expanding capabilities, while also retaining features of the previous version, such as C2 communication, encryption methods and infection procedure. Once executed, the applications the payload has compromised would work normally but would covertly be collecting victim information and transferring it to the Command and Control servers of the malware.

The US Department of Justice has claimed that the group is part of the DPRK government’s strategy to ‘undermine global cybersecurity…and generate illicit revenue in violation of…sanctions.’

Indian Computer Emergency Response Team (CERT-In), made public by unnamed ISRO official; Kaspersky Lab

Intervention by CERT-In through notification to ISRO; reported nipping of attack in the bud

Initially, on 29 October 2019, Kundankulam Nuclear Power Project corporation issued a statement claiming that information pertaining to such a cyber attack are “false information” circulation on social media and in electronic and print media; just a day later in 30 October 2019, Nuclear Power Corporation of India Ltd. issued a statement confirming that identification of malware in NPCIL system is correct. The latter statement also said that data specialists are now investigating the matter.

‍

High Confidence (8 out of 12)

• Organisations with commercial data have been targeted in intrusions (1 point)
• Commercial data are likely to have been targeted (2 points)
• APT actor is strongly associated with economic espionage operations, with motivations strongly tied to certain states’ industrial policy objectives (3 points)
• No concrete evidence that data stolen was used to aid domestic private businesses of malign state, but data stolen likely aligns with malign state's industrial policies (2 points)