Suspected Chinese hackers masqueraded as Indian government to send COVID-19 phishing emails

The group had a prolific 2020, and has stayed busy in 2021.
A health worker prepares a dose of the Covaxin vaccine against the Covid-19 coronavirus at a vaccination centre in New Delhi on September 29, 2021. (Photo by SAJJAD HUSSAIN/AFP via Getty Images)

An increasingly active Chinese government-linked hacking group impersonated Indian government agencies with phishing lures related to COVID-19 statistics and tax legislation, researchers say.

It was the continuation of a campaign that dates to the earliest days of the pandemic, BlackBerry said in a blog post Tuesday. The company tied together several threads of operations by APT41, a joint cyber-espionage and cybercrime organization that investigators have repeatedly tied to Beijing and that BlackBerry said was responsible for the India-themed phishing lures.

The permutation targeting India preyed on the same fears that hacking groups began seizing on in after the coronavirus outbreak. BlackBerry on Monday didn’t answer questions about the timeframe in which APT41 sent the India-themed lures, what its possible motives were and what industries the emails targeted.

“The image we uncovered was that of a state-sponsored campaign that plays on people’s hopes for a swift end to the pandemic as a lure to entrap its victims,” according to BlackBerry. “And once on a user’s machine, the threat blends into the digital woodwork by using its own customized profile to hide its network traffic.”


First fully identified in 2019 after being active since as far back as 2012, APT41 had a prolific 2020, according to FireEye. U.S. prosecutors that year charged five Chinese nationals and two Malaysian nationals for an alleged APT41 campaign that hit hundreds of targets. The group has stayed busy in 2021 with suspected attacks on a diverse range of targets, other researchers have observed, from gambling companies within Chinese borders to businesses in the U.S., Mexico, Taiwan and Vietnam.

“These findings show that the APT41 group is still regularly conducting new campaigns and that they will likely continue to do so in future,” BlackBerry wrote.

Another phishing lure touted information about new income tax rules in India, the company said.

BlackBerry said it had tied together multiple “seemingly disparate malware campaigns” and attribute them to APT41. For instance, the company examined the Indian lures, and by comparing them to others once attributed to another group known as Evilnum, was able to determine that APT41 was in fact responsible.

The Indian campaign began in July of 2020 and the infrastructure “used to underpin APT41’s phishing activities remained active until March 2021,” said Tom Bonner, distinguished threat researcher at BlackBerry.


“When paired with the longstanding geopolitical tension between the two countries relating to the Sino-Indian border dispute, these intelligence insights yield a strong possible motive for conducting these cyber-attacks,” Bonner said.

Latest Podcasts