A hacker group that appears to be residing in China has been targeting India and Southeast Asian nations in a bid to extract information about ongoing border disputes and other diplomatic issues.
Describing the hackers as part of an APT (Advanced Persistent Threat) group, cybersecurity vendor FireEye said the attack campaign had been ongoing since 2011 and targeted more than 100 victims, 70 percent of which were in India.
The group would send spearphishing e-mails with Microsoft Word documents attached; the documents contained a script, called Watermain, which would create a backdoor on infected machines. FireEye also detected the attacks in April 2015, a month ahead of Indian Prime Minister Narendra Modi's first state visit to China.
The hacker group had modified its approach over the past four years and today relied primarily on an exploit from 2012, a FireEye spokesperson told ZDNet. Organizations in the region that continued to operate systems without patching against such known exploits were easy victims, he said.
He pointed to a previous FireEye report, APT30, in which a decade-long cyber espionage campaign managed to breach an aerospace and defence company in India, among others. "That group wasn't particularly sophisticated in its approach, using similar tools for a decade," the spokesperson explained.
He said the security vendor was unable to determine how many of the attacks launched against the 100 victims were successful and would not provide details on which Southeast Asian nations were targeted.
According to FireEye, the hackers had used Watermain to attack Tibetan activists and other targets in Southeast Asia, focusing on organizations across the government, science, and education sectors. Its Asia-Pacific CTO Bryce Boland said: "Collecting intelligence on India remains a key strategic goal for China-based APT groups, and these attacks on India and its neighbouring countries reflect growing interest in its foreign affairs."
The FireEye spokesperson added: "To defend against such targeted attacks, organisations should be patching their systems and need to be able to detect advanced attacks not seen before. When intrusions do occur, they need to be able to detect them and respond quickly to prevent data breaches. This takes a combination of technology, expertise and threat intelligence. These kinds of attacks aren't detected by legacy security systems."