Cyber threat

Chinese cyber security firm says ‘Confucius’ hacker group targeting Pakistani sites


A Chinese cyber security firm has claimed that a hacker group operating out of India under the code name ‘Confucius’ is behind several cyber-attacks against Pakistani targets.

According to the Chinese cyber security firm Antiy Labs, the group’s first attacks date back to 2013. To steal critical data, it has mostly targeted governments, armed forces and energy sector entities of neighbouring states, including China, Pakistan and Bangladesh. International cyber security experts have nicknamed the group ‘Confucius’ because it uses the command “Confucius says” when launching an attack.

The gang is skilled at employing spear-phishing emails, phishing websites and specific social engineering techniques against a range of targets. Its repeated attacks on China suggest that the group has studied Chinese culture. The group is motivated by political and economic gain: it either steals vital information from its targets or tries to destroy important infrastructure, and the attacks may have consequences beyond the immediate victims. Antiy CERT, which began tracing attacks originating from the South Asian subcontinent in 2021, claimed to have discovered the group’s strikes against government and military sites in Pakistan.

Targeted spear-phishing emails are sent from fake government addresses. Trojan horse programs are installed on the recipients’ computers once they open or download the attached documents.

For instance, Antiy discovered that the group carried out attacks in February 2022 using a malware file containing information about the “vaccination status of government employees”. In June 2021, the attackers used another file containing “a list of those who died in the Pakistan Army”. The hackers attach various forms of malware to such lures to fool their targets into clicking the links in spear-phishing emails. Antiy has thoroughly examined the attack samples from the group and found that the hackers collaborated with SideWinder, another advanced persistent threat (APT) group, to swap tools and scripts. Indian APT groups frequently exchange tools and code. International cyber security firms had previously disclosed that the APT group known as ‘Confucius’ had also exchanged code with other Indian outfits such as Urpage.

Authorities in Pakistan have taken notice of the attacks. In a nationwide alert, the Pakistani National Telecom and Information Technology Security Board warned that hackers are sending spear-phishing emails with the name of the prime minister’s office as the sender. It urged officials and the general public to remain vigilant and avoid sending any personal information via email or social media. The gang has so far mainly targeted governments, armed forces and energy industries in neighbouring states, including China, Pakistan and Bangladesh. The purpose of the attacks has been the illegal collection of important data. The report categorises the hackers as an APT, a term for a hacking group that persistently attacks specific targets.
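The two lure characteristics described above, a sender name that claims to be a government office while the mail actually comes from an unrelated domain, and an attached document that installs a Trojan when opened, are exactly what a mail gateway can screen for before a recipient ever sees the message. The following is an added example written for this article and is not code from Antiy Labs, the Pakistani security board or any vendor; the organisation keywords, the domains in the allowlist and the two sample messages are all constructed for the demonstration, and the extension list is an assumption about what an unsolicited government notice should never carry.

```python
# Added example (not from the article or any vendor): a mail-gateway triage
# check for display-name impersonation of a government office combined with
# a risky attachment. Every domain, name and message here is constructed.
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

# Hypothetical allowlist: a keyword an organisation's display name would
# contain, mapped to the domains it genuinely sends from (placeholders).
TRUSTED_SENDERS = {
    "prime minister": {"pmo.example.gov"},
    "ministry of defence": {"mod.example.gov"},
}

# Assumed set of attachment types a government notice should never carry
# unsolicited: executables, script files and macro-enabled Office documents.
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".docm", ".xlsm", ".hta", ".lnk", ".iso"}


def impersonated_office(from_header: str):
    """Return the organisation key being impersonated, or None.

    The header is flagged when the display name (or local part) mentions a
    protected organisation but the address domain is not one it sends from.
    """
    display, addr = parseaddr(from_header)
    local, _, domain = addr.rpartition("@")
    text = f"{display} {local}".lower()
    for org, domains in TRUSTED_SENDERS.items():
        if org in text and domain.lower() not in domains:
            return org
    return None


def risky_attachments(msg: Message):
    """Return the filenames of attachments whose extension is on the risky list."""
    names = []
    for part in msg.walk():
        fname = part.get_filename()
        if fname and any(fname.lower().endswith(ext) for ext in RISKY_EXTENSIONS):
            names.append(fname)
    return names


def triage(raw: str) -> dict:
    """Parse a raw RFC 822 message and return a verdict with its reasons."""
    msg = message_from_string(raw)
    reasons = []
    org = impersonated_office(msg.get("From", ""))
    if org:
        reasons.append(f"display name claims '{org}' but domain is not trusted")
    attachments = risky_attachments(msg)
    if attachments:
        reasons.append("risky attachment: " + ", ".join(attachments))
    return {"verdict": "quarantine" if reasons else "deliver", "reasons": reasons}


# Constructed sample: the lure pattern from the article, sent from a domain
# the prime minister's office does not use, with a macro-enabled document.
SAMPLE_PHISH = """\
From: "Prime Minister's Office" <updates@mail-example.net>
To: officer@recipient.example
Subject: Vaccination status of government employees
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please review the attached list.
--b1
Content-Type: application/octet-stream; name="vaccination_status.docm"
Content-Disposition: attachment; filename="vaccination_status.docm"

ZmFrZQ==
--b1--
"""

# Constructed sample: same display name, but from the allowlisted domain and
# with no attachment, so it should be delivered.
SAMPLE_LEGIT = """\
From: "Prime Minister's Office" <notices@pmo.example.gov>
To: officer@recipient.example
Subject: Office circular
Content-Type: text/plain

Routine notice.
"""

if __name__ == "__main__":
    for label, raw in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, triage(raw))
```

The check deliberately looks at the display name and the local part together, because the sender name is what the recipient sees in most mail clients while the domain is what actually determines who sent the message; a gateway that already enforces SPF and DMARC on the real government domain still needs this kind of rule for look-alike or unrelated domains that pass authentication for themselves.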

Chinese media outlets have claimed that India uses the APTs in conjunction with state intelligence to wage cyber warfare against China and its neighbours in South Asia. It is not the first time that New Delhi has been accused by China’s official media of attacking the militaries and administrations of several South Asian nations. The Chinese official media reported in November 2022 that the Indian hacking collective ‘Evil Flower’ had carried out many cyber-attacks on military and governmental organisations in China, Pakistan and Nepal.

The Indian government is said to be supporting this group, along with some others including the ‘Lure of Beauty’ and the ‘Ghost War Elephants.’ The Chinese claim that these ‘state-backed’ hackers have attacked the Chinese military operations and administration in several South Asian nations.

Chinese media have claimed that ‘Evil Flower’ and other APTs broke into sensitive Chinese networks via phishing techniques. According to Antiy Labs, “Since March, we have discovered various phishing activities targeting government, defence and military units, as well as state-owned organisations in China, Pakistan and Nepal.”

It has been claimed that these hackers have been attacking China continuously since 2019 and have used techniques such as spear phishing, which relies on online impersonation. The report, however, does not explain how ‘Evil Flower’ managed to carry out these operations for two years undetected, despite the increased attention that cyber security, data privacy and cyber-infrastructure have received since President Xi Jinping called for it in his 2014 speech.

Beijing has reportedly received advice from Chinese specialists to strengthen its cyber security measures, conduct drills and protect data moving across borders to defend it from potential assaults. The Chinese government has also received public advice from its cyber security experts to set up a thorough reporting system in the event of an attack.

The director of the Institute of China Cyber Base Plan in Beijing has also claimed that these Indian-backed cyber-attacks are a component of India’s containment strategy for China. The Indian cyber-attacks are seen as a component of a larger plot by New Delhi to undermine China’s national security.

The writer is a researcher currently pursuing a PhD
