Initially, Rapid Action Battalion (RAB), Cisco Talos had referred to the Advanced Persistent Threat (APT) group as having its origins in South Asia. However, Chinese security experts are now alleging the group is of Indian origin

A security expert has said while many think the US poses the biggest cybersecurity threat to China, a lot of attacks come from South Asia. One India-based group of hackers, known as ‘Bitter’, has used various methods to target government, military and nuclear sectors

A series of cyberattacks originating from India have been highlighted in recent reports by Chinese cybersecurity firms, with the attacks targeting China and Pakistan, among others.

So far, the foreign ministries of China and India have not issued any responses.

One cyberattack on the Chinese military, which was intercepted by a cybersecurity organisation in China in December, was believed to be orchestrated by a group of hackers from India. The attack bore striking similarities to previous ones in terms of targets and methodologies, suggesting the involvement of the same group. This group, identified as an advanced persistent threat (APT) and active since at least November 2013, was first discovered and named “Bitter” by American security firm Forcepoint and “Manlinghua” by Chinese company Qihoo 360 in 2016.

Over that time, the increasing exposure of Bitter’s activities has shed light on its political motives, as it primarily targets Pakistan and China, and focuses on government agencies, military and nuclear sectors.

Cybersecurity analysts suspect the group’s origins trace back to India, potentially with state support, based on IP address locations and linguistic patterns observed in the attacks. Moreover, Bitter is believed to be connected with several other groups that are suspected to be Indian, including Patchwork, SideWinder and Donot, among others.

“Contrary to popular belief that China’s cyber threats mainly come from the United States, professionals in the field point out that a significant number of attacks originate from South Asian countries,” said a Beijing-based security expert involved in the investigation of the attacks, who requested not to be named due to the sensitivity of the issue.

Amid the cyber offensives, China’s foreign ministry has consistently refrained from public condemnation.

Similarly, the foreign ministry in India has not commented, though Indian media has occasionally criticised Chinese cyber intrusions, such as a December 2022 report by Outlook India alleging Chinese hackers targeted Indian medical research institutes and power grid infrastructure.

Bitter employs two primary attack strategies: spear phishing and watering hole attacks.

Spear phishing involves sending targeted individuals bait documents or links via email, which, when opened, deploy Trojans to download malicious modules, steal data and allow further instructions from the attackers.

Watering hole attacks compromise legitimate websites to host malicious files or create fake websites to trap victims, usually centred on content of interest to the target person, such as shared forum software tools.

“Despite not being the most sophisticated in technique, Bitter’s customised and varied approaches to different targets have proven effective. Just like telecommunications fraud, although many methods are simple, people are still fooled every year,” said the anonymous expert.

Bitter’s operations, primarily focused on intelligence gathering, may not appear destructive on the surface, but can lead to significant information breaches with immeasurable consequences.

According to disclosures by cybersecurity firms including Anheng, QiAnXin, Intezer, and Secuinfra, there were seven attacks in 2022 and eight in 2023 closely linked to Bitter, targeting Pakistan, Bangladesh, Mongolia and China.

These attacks varied from impersonating the Kyrgyzstan embassy to sending emails to the Chinese nuclear industry. Hackers also posed as military contractors offering anti-drone systems to the Bangladeshi Air Force and even exploited compromised email accounts to spread malicious files under the guise of New Year greetings.

“Given the broad net these attacks cast, it’s likely that such incidents are continually occurring in the background,” the expert said.

“When assessing the impact of cyberattacks, the focus is on the targets and consequences. Sometimes, sensitive industry victims cannot disclose breaches, and at other times, only traces of hackers’ activities are detected without direct losses,” he added.

“The actual harm caused by Bitter is difficult to quantify with the reported incidents. In most cases they cause little harm, but under certain circumstances, the incident represents just the tip of the iceberg of potential risks.”

This article first appeared in the China based South China Morning Post