India’s APT Group and Hacktivist Trends: Geopolitical Cyber Threat Analysis

Summary
In the 21st century, cyberspace has become a new battleground for conflict between nations. India in particular is emerging as a cybersecurity hub amid rapid digitalization and geopolitical tension. It strengthens its cyber defenses to protect its technological capabilities and information infrastructure, while at times pursuing its disputes with neighboring countries through offensive cyber operations. This article examines major cyberattack cases involving India, the activities of APT groups linked to India, and the movements of hacktivists surrounding India.
Indian Threat Actors
India's APT groups and hacktivists primarily target Pakistan, but some also attack targets in a range of other countries.
1) APT Groups
India's APT groups have been targeting Pakistan and China since 2010, and have recently expanded their targeting to other neighboring countries. They primarily deliver malware through spear phishing, and also distribute malicious Android apps disguised as chat apps, among other lures.
| APT Group | Emergence | Target | Details |
|---|---|---|---|
| Bitter | 2013 | Government agencies, energy, high-tech industries, universities, and defense industries in China, Pakistan, Saudi Arabia, and other countries | Spear phishing and exploitation of document vulnerabilities; malicious files in various formats, such as PUB, PDF, CHM, LNK, and searchConnector-ms, are sent via email |
| Patchwork | 2015 | Industries related to Pakistan's diplomatic and national institutions, U.S. think tanks | Attempts long-term infiltration through social engineering-based phishing and backdoor installation; most malware is used as-is from what is distributed on online forums |
| SideWinder | 2012 | Government agencies and the energy, defense, mineral, and logistics sectors in several countries, including China, Bangladesh, Pakistan, India, Afghanistan, Nepal, Sri Lanka, and Egypt | Spear phishing and document-based malware are the main attack vectors; attacks use malicious LNK files and Office document vulnerabilities (CVE-2017-0199, CVE-2017-11882) |
| Viceroy Tiger | 2015 | Pakistan's manufacturing and defense industries | Phishing attacks characterized by malicious documents and Android malware; LNK files disguised as RTF files target Windows, and malware designed for Android devices is also used |
Table 2. Major Indian APT groups
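As an added defensive example (not code from the article or from any of the groups it describes), the check below triages mail attachments for the delivery tricks listed in Table 2: the PUB, CHM, LNK and searchConnector-ms formats, and LNK files disguised as RTF documents. The constant names, the risk policy and the sample attachments are assumptions made for the example.

```python
# Shell link (LNK) header: HeaderSize 0x0000004C followed by the LinkCLSID
# {00021401-0000-0000-C000-000000000046} in its little-endian on-disk layout.
LNK_MAGIC = bytes.fromhex("4c000000" "01140200" "00000000" "c000000000000046")

# Delivery formats the table lists; flagged regardless of content (assumed policy).
HIGH_RISK_EXTENSIONS = {".lnk", ".chm", ".searchconnector-ms", ".pub"}
DOCUMENT_EXTENSIONS = {".rtf", ".pdf", ".doc", ".docx"}

def sniff(data: bytes) -> str:
    """Identify the real file type from its leading bytes."""
    if data.startswith(LNK_MAGIC):
        return "lnk"
    if data.startswith(b"{\\rtf"):
        return "rtf"
    if data.startswith(b"%PDF-"):
        return "pdf"
    return "unknown"

def classify_attachment(name: str, data: bytes) -> list[str]:
    """Return the reasons an attachment deserves analyst attention ([] if none)."""
    reasons = []
    parts = name.lower().split(".")
    ext = "." + parts[-1] if len(parts) > 1 else ""
    if ext in HIGH_RISK_EXTENSIONS:
        reasons.append(f"high-risk extension {ext}")
    # agenda.rtf.lnk: the inner document extension is what a mail client shows
    if len(parts) > 2 and "." + parts[-2] in DOCUMENT_EXTENSIONS:
        reasons.append("double extension")
    # A shell link carrying a document extension is the disguised-RTF pattern
    if sniff(data) == "lnk" and ext != ".lnk":
        reasons.append(f"LNK content behind {ext or 'no'} extension")
    return reasons

def triage(attachments: list[tuple[str, bytes]]) -> dict[str, list[str]]:
    """Map each flagged attachment name to its reasons; clean files are omitted."""
    return {n: r for n, d in attachments if (r := classify_attachment(n, d))}

# Constructed sample attachments (not real malware); payload bytes are truncated.
SAMPLE_LNK = LNK_MAGIC + b"\x00" * 56
SAMPLE_MAIL = [
    ("quarterly-brief.pdf", b"%PDF-1.7\n%constructed"),
    ("meeting-notes.rtf", b"{\\rtf1\\ansi constructed}"),
    ("invoice.rtf", SAMPLE_LNK),                 # LNK disguised as an RTF document
    ("agenda.rtf.lnk", SAMPLE_LNK),              # double extension
    ("library.searchConnector-ms", b"<?xml version='1.0'?>"),
]
```

Running `triage(SAMPLE_MAIL)` flags the three suspicious attachments and leaves the genuine PDF and RTF untouched; in production the byte sniffing would be extended to the other formats in the table.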
2) Hacktivist
Below is a table categorizing hacktivist groups presumed to be based in India, and those with a pro-India stance, based on an overall assessment of their activity level and influence. Groups for which no major channel (X, Instagram, YouTube, Telegram, etc.) could be found, or whose channel was found but ceased activity long ago, were all classified as 'Low Risk'. Note that the table reflects information confirmed at the time of investigation and may change as additional information is found or as activity patterns change.
| Name | High Risk | Medium Risk | Low Risk |
|---|---|---|---|
| India | Crack Codes, Dex404, Team UCC, Night Hunters, Red Eagle India, 7 Proxies | Team White Lotus, Hexaforce Alliance, Indian Cyber Force, Indian Cyber Mafia, Black Dragon, Hell Shield Hackers, Indishell, Mallu Cyber Soldiers, Ne0-H4ck3r, Kerala Cyber Xtractors | Kingsman (India), J43v3r, Code Man, Godzilla (also known as G.O.D), HMG, India Cyber Pirates, Indian BlackHats, Indian Hackers, Indian Hackers Online Squad, Kerala Cyber Warriors, Lulzsec India, Mr Z, Nomcat, Team Indi-Heax, Telangana Cyber Warriors, Vicky Singh, Virkid (part of MaDLeeTs), Virushacker, Z Company Hacking Crew, Zindabad (part of PCA), Bhagat Cyber Soldiers, Krutik |
| Pro-India | | Cyber volk | One Sec, SilentOne |
Table 3. Indian and pro-India hacktivists
Conclusion
India-based APT groups and hacktivists are engaging in increasingly sophisticated and organized cyber activities. APT groups conduct information gathering and cyber espionage activities reflecting the strategic interests of the Indian government, while hacktivists engage in digital activism in response to political and social issues.
APT groups use a variety of infiltration techniques, such as spear phishing, malicious documents, and disguised mobile apps, and cases of exploiting cloud infrastructure and mobile platforms are increasing. Their main targets are countries surrounding China and Pakistan, and there is a high likelihood that they will expand their scope of activity to supply chain attacks and attacks on industrial infrastructure.
Meanwhile, hacktivists are going beyond simple defacement and DDoS attacks and now carry out attacks that affect physical infrastructure, such as compromising industrial control systems, hacking surveillance cameras, and causing data breaches. Some groups publicize their attacks through Telegram or X (Twitter) and combine them with social messaging as propaganda.
Their activities go beyond simple cyberattacks, having a tangible impact on international relations and information security. They also have a clear tendency to launch attacks timed with specific anniversaries or political events. In the future, India-based threat actors are expected to enhance both technical sophistication and political messaging, becoming key players in cyber conflicts.