Over the last seven months of the coronavirus pandemic, online threat actors have been ramping up their attacks against India. The motivation behind these attacks varies from financial gain to reputational damage

CYFIRMA's research shows hackers keen to breach India's firewalls originate primarily from China, Pakistan, and North Korea.

India is not only facing threats from foreign actors on land but also in the digital world. India's geopolitical situation, especially with respect to Pakistan and China, has been under severe stress over the past six months.

As a result, state-sponsored actors and financially motivated hackers are now looking at India's government agencies and Indian companies as their next target, according to the India Threat Landscape Report 2020.

CYFIRMA's research shows hackers keen to breach India's firewalls originate primarily from China, Pakistan, and North Korea.

However, not everyone stepped into the field with the same objective. Some hackers are looking to make a quick buck, while others are keen to do some long-lasting damage by stealing trade secrets and intellectual property.

Here’s a quick look at the cyber threat campaigns currently targeting India and what they’re after:


Who Is The Lazarus Group? A North Korean threat actor group has increased its activities in the aftermath of the coronavirus outbreak, particularly when it comes to ‘file less’ attacks, spreading new malware samples, and attacking cryptocurrency businesses, among others.

Targeted Countries: India, Japan, Singapore, South Korea, the US, and the UK.

Tactics, Techniques, And Procedures: Phishing attacks, credential harvesting, impersonation, website spoofing, and data exfiltration 

Motive: Using phishing emails that look as though they were sent by the local authorities in charge of dispensing government-funded COVID-19 support initiatives, the hackers try to drive recipients to fake websites where they can be tricked into divulging personal and financial information.

Evidence: Cyfirma was able to intercept seven email templates impersonating government departments and institutions like the Bank of England, Singapore’s Ministry of Manpower, Japan’s Ministry of Finance, and others.

Known Email IDs Used By The Lazarus Group:

ncov2019@gov.in fppr@korea.kr

Campaign By Stone Panda

Who is Stone Panda? Stone Panda — also known as APT10, menuPass, and Cloud Hopper — is a Chinese threat actor group that has traditionally shown interest in stealing international trade data and supply chain information for big companies.

Targeted Countries: Multinational companies in India, South Korea, and Japan.

Tactics, Techniques, And Procedures: Phishing attacks to install malware, leveraging Web and SLL based vulnerabilities, and employing tactics that use tools or features that already exist in the target environment.

Motive: The primary motive is data exfiltration. This is when hackers try to steal intellectual properties, copyrights, and trade secrets as part of corporate espionage activities to cause operational disruption and reputational damage.

Evidence: “As per the latest information gathering, we have observed certain activities where attackers launched passive scans towards an organization’s assets, which we believe to be in the reconnaissance and enumeration phase of a long-planned hacking activity,” said Cyfirma in its report.


Who Is APT36? APT36 — also known as Operation Transparent Tribe, Project M, and Mythical Leopard — is a Pakistan government-backed hacker group that has targeted Indian diplomats in the past. Pakistan's conflict with India has been ongoing, and APT36's activities are a continuity of those hostilities.

Targeted Countries: India

Tactics, Techniques, And Procedures: Phishing emails that typically contained bogus health advisories on coronavirus. Victims who click on the attached document activate malware that gives the hacker access to sensitive and important information

Motive: The main objective of the group so far has been to collect sensitive data like emails, passwords, and location data.

Evidence: In 2020, this threat actor was noticed to have impersonated the Indian government to send malware emails to victims, mostly Indians. Additionally, several other intrusions have been detected, including a spear phishing campaign aimed at computers belonging to the Indian Railways.


Who Is Mission2025? Mission 2025 is probably the most reclusive out of the entire list of threat actors targeting India. It is suspected to be a Chinese state-sponsored actor, according to Cyfirma.

Targeted Countries: India, the US, the UK, Japan, France, South Korea, Hong Kong, and Thailand

Tactics, Techniques, And Procedures: Mission2025 has been noted implanting trojans and backdoor access to steal sensitive information from organisations as a part of their cyber-espionage campaigns.

Motive: The suspected motive behind these campaigns is to assist local Chinese companies as part of the "Made in China 2025" vision. This includes everything from the theft of intellectual property to stealing trade secrets. The end-game could also vary from information exfiltration to corporate espionage or just plain and simple financial gain.