Watermain APT Attackers Target India Over Border Disputes

Security researchers have discovered a large scale, advanced attack targeted mainly at Indian organizations and dating back to 2011.

According to security firm FireEye, the group behind the attack is most likely based in China. The group has spent the past four years sending spearphishing emails containing malicious Microsoft Word attachments to targets in India (70%), as well as to Tibetan activists and organizations in other Asian nations including Nepal, Bangladesh and Pakistan.

The goal of the attackers appears to have been to lift information on border disputes and other diplomatic affairs from government, diplomatic, scientific and educational organizations.

The spearphishing lure itself contained content on regional issues, and the malicious attachment was designed to install a backdoor on victim machines with a view to covertly exfiltrating sensitive data.

FireEye has named the campaign “Watermain” after the script it discovered which is designed to place backdoors on victim machines.

FireEye said it had identified approximately 100 victims so far.

“Collecting intelligence on India remains a key strategic goal for China-based APT groups, and these attacks on India and its neighboring countries reflect growing interest in its foreign affairs,” said Bryce Boland, FireEye’s APAC CTO, in a statement.

“Organizations should redouble their cyber security efforts and ensure they can prevent, detect and respond to attacks in order to protect themselves.”

It’s increasingly common to find probable nation-state actors targeting Indian organizations. In April 2015, FireEye laid bare the work of APT30, one of the oldest threat groups of its kind which infiltrated an aerospace and defence company in India, as well as many other targets.

The group, which registered domains as far back as 2004, was specifically interested in regional political, military, and economic issues, as well as information on disputed territories, and media organizations which report on topics related to China and the government’s legitimacy.

It was also notable for having used – way back in 2005 – components designed to infect USB drives in order to cross air-gapped networks and steal data.