Introduction
In the 21st century, the digital revolution has transformed how nations function, communicate, and compete. The rapid proliferation of digital technologies has created unprecedented opportunities for economic growth, social development, and global connectivity. India’s digital transformation has been nothing short of remarkable. With over 800 million internet users as of 2023, India is the second-largest online market globally, trailing only China. The government’s Digital India initiative, launched in 2015, has been a driving force behind this transformation, aiming to make India a digitally empowered society and knowledge economy. The initiative has focused on three key areas: digital infrastructure as a utility for every citizen, governance and services on demand, and the digital empowerment of citizens. The rapid adoption of digital technologies has profoundly impacted various sectors of the Indian economy. E-commerce, fintech, telemedicine, and online education have experienced exponential growth, particularly during the COVID-19 pandemic, accelerating the shift toward digital platforms. The Unified Payments Interface (UPI), a real-time payment system developed by the National Payments Corporation of India (NPCI), has revolutionised digital payments, making India a global leader in this space.
However, this transformation has also introduced new vulnerabilities and threats, particularly in cybersecurity. The stakes are particularly high for India, a country with a burgeoning digital economy and a rapidly expanding internet user base. As India continues integrating digital technologies into every facet of its society, the need to fortify its digital frontier and protect its cyber interests has never been more urgent. India faces multifaceted challenges in the cyber domain; given the strategic importance of cybersecurity for national security and economic prosperity, it must take immediate measures to safeguard its digital infrastructure and interests.
An alarming 83 per cent of Indian organisations reported experiencing cybersecurity incidents in 2023.[i] The trend continues in 2025, and according to the National Cyber Reporting Platform (NCRP), there has been a massive surge of cyber criminals cheating people out of Rs 33,165 crore in the last four years, with several Tier 2 and 3 cities identified as hotspots for cybercrime.[ii] Today’s threat landscape is highly complex due to the millions of users and IoT devices connecting to enterprise networks, cloud applications, and data centres at a massive scale. Threats now extend beyond ransomware, distributed denial of service (DDoS), and phishing to include credential stuffing, supply chain attacks, social engineering, and cryptojacking.[iii]
Extended use of artificial intelligence (AI) and the widespread availability of generative AI enable more sophisticated attacks, often exploiting older system vulnerabilities. Incidents of critical infrastructure being targeted by AI-synthesised malware have also been recorded in India, and the cumulative loss from cyber thefts and cybersecurity breaches has run into lakhs of crores.
Today, the need for a robust cybersecurity infrastructure is more evident than ever, given India’s rapidly increasing digital footprint. Many government agencies and private enterprises in India still lack the necessary resources and capabilities to address their cybersecurity issues effectively. This situation has become a grave concern and must be addressed as a priority.
Given the above backdrop, the essential security paradigms necessary for today’s organisations include Identity Intelligence, Network Resilience, Machine Trustworthiness, Cloud Reinforcement, and Artificial Intelligence (AI) Fortification.[iv] These measures are critically important because in 2024 there was a significant rise in identified malicious infrastructure intrusions. For instance, the number of unique, validated command and control servers (C2 servers) doubled from 2023 to 2024, while, correspondingly, unique, validated management panels saw a 69% increase over the same period.[v]
Victim identification based on the victim’s IP address has shown that they are located throughout India. While major attacks have occurred in Delhi, Mumbai, Bengaluru, Chennai, and Hyderabad, there are now victims spread across India, including places like Jamtara, Mathura, Kohima, and Srinagar.
Current Cybersecurity Landscape in India: An Overview
There has been considerable disregard for cybersecurity in India, leading to challenges in addressing the nation’s growing needs. Consequently, the cyber threat landscape in India has reached a critical inflexion point, unprecedented in both the volume and sophistication of attacks. Over 369.01 million distinct malware detections have been recorded across 8.44 million endpoints in the past year. It is important to note that signature-based detection accounted for 85.44%, while behaviour-based detection comprised only 14.56%. This highlights that most threats are identified through traditional signature-based methods, indicating ongoing vulnerabilities to more sophisticated attack vectors.[vi]
Some cybersecurity experts opine that these gargantuan figures represent but the tip of the iceberg, and we need considerably more expertise in identifying new and more innovative threat methodologies. It is important to note that today, the predominant threat vectors are sophisticated Trojans and infectors, marking a strategic shift from easy-to-intercept opportunistic attacks to more targeted and sophisticated campaigns, leveraging advanced persistent threats (APTs) and circuitous exfiltration routes.
Experts have identified the influx of potentially unwanted programs (PUPs), potentially unwanted modifications (PUMs), and adware,[vii] which cause severe commercial disruptions and revenue loss. PUPs are often bundled with free software, downloaded unintentionally, sideloaded through insecure sites, or distributed through deceptive advertising. While PUPs can compromise your privacy and security by tracking your online activity, they can be challenging to detect because they often disguise themselves as legitimate software or hide within other programs.[viii]
Significantly, PUPs are often bundled with more dangerous PUMs that cause specific modifications to the Windows Registry, obfuscate their location, and make remediation difficult.[ix] While many PUPs and PUMs are relatively benign, many have been used to plant malware. Cyber experts have cited instances of malware such as Stuxnet, Flame, and BlackShades being implanted alongside PUPs and PUMs.
Adware is malware that displays unwanted advertisements on a user’s computer or device and works by tracking a user’s browsing habits to deliver more targeted and malicious ads. More importantly, adware enables data theft and cyber stuffing, apart from modifying browser settings to redirect users to unwanted websites and hijacking the browser. The high prevalence of adware points to the monetisation of mobile-based cyber threats. Many of these malware types have evolved to be sophisticated enough to bypass standard virus scans. This issue is exacerbating India’s inadequate cybersecurity capabilities.
Whether intentional or unintentional, insider threats pose a significant risk to organisations in India. Employees with access to sensitive information can inadvertently or deliberately compromise cybersecurity, leading to data breaches and other security incidents. The increasing trend of remote work, accelerated by the COVID-19 pandemic, has further complicated the challenge of managing insider threats. Several internal leaks from the armed forces and other security and intelligence agencies have primarily occurred due to internal fault lines.
On a disquieting note, India has frequently been a target of state-sponsored cyber espionage campaigns, particularly from neighbouring countries China, Pakistan, and now Bangladesh. Moreover, in an increasingly interconnected world, cyber threats can undermine national security. Cyberattacks on critical infrastructure, such as power grids, transportation systems, and financial networks, can have catastrophic consequences. For India, which shares borders with two nuclear-armed neighbours, the risk of cyber warfare is particularly acute. A successful cyberattack on India’s military or nuclear infrastructure could have devastating implications for national security, as these campaigns often aim to steal sensitive government, military, and corporate information and disrupt critical infrastructure.
We must urgently note that India has fewer cybersecurity initiatives compared to other prosperous nations, which requires immediate attention. Several breaches have already occurred, including Chinese state-sponsored actors attacking the power grid in 2024 and 2020, the UIDAI data theft in 2022, and the data theft from AIIMS in 2021 due to a vicious ransomware attack. Below, I would like to provide a more comprehensive description of these attacks to illustrate the vulnerabilities of our digital frontier and the urgent need to bolster our defences.
Attack on the Indian Power Grid
On March 7th, 2024, EclecticIQ, a cybersecurity firm based in Amsterdam, identified a cyber threat actor that utilised a modified version of the open-source information stealer HackBrowserData[x] to target Indian government entities in the energy and defence sectors. The hackers delivered the malware using a phishing email, camouflaged as an invitation letter from the Indian Air Force. After the malware’s execution, the attacker used Slack channels to upload confidential internal documents, private email messages, and cached web browser data. EclecticIQ analysts named the intrusion “Operation Flight Night” because each of the attacker-operated Slack channels was named Flight Night.
Deeper analysis showed that multiple government entities in India had been targeted, including MeitY and the Air Force, in addition to private Indian energy companies. The phishing activity compromised financial documents, employees’ personal details, and information about drilling activities in oil and gas. The threat actor had used a PDF that appeared to be an invitation from the Indian Air Force, delivered within an ISO image file, which is commonly used to distribute software and operating systems. This format allows users to easily duplicate or install software without physical media.
In total, the threat actor exfiltrated 8.81 GB of data, which could significantly aid further intrusions into various entities of the Indian government, including critical ones. The incident seemed to be a case of sophisticated cyber espionage, and the diagram below, sourced from EclecticIQ, provides an indication of the possible penetration achieved by the espionage activity. The letter purporting to have come from the IAF is also shown below.
The episode demonstrated how easily phishing activity can be conducted and the vigilance required to prevent it. It further illustrated that open-source software, such as the tooling used in Operation Flight Night and Go Stealer, along with Slack servers, can be easily modified for data exfiltration and used for data collection, cyber stuffing, and even cryptojacking.
The matter for serious introspection and concern is that the 2024 power sector attacks were preceded by another attack in March 2021. Border clashes between India and China in Galwan Valley in June 2020 resulted in casualties, the first in 45 years. While an all-out conflict was avoided through negotiations and diplomacy, China launched silent cyberattacks to create a conducive atmosphere for conducting espionage for potential disruptions. The Insikt Group, the research wing of the cybersecurity firm Recorded Future, which has links with US intelligence agencies, observed numerous targeted incursions by Chinese state-sponsored agencies using the infrastructure tracked as AXIOMATICASYMPTOTE, which encompassed the ShadowPad command and control servers, to subvert India’s power sector. The Insikt Group found that ten Indian power sector organisations, including several Regional Load Despatch Centres (RLDC) responsible for operating the power grid by balancing electricity supply and demand, had been identified as targets, along with two seaports.[xi]
Using a combination of proactive adversary infrastructure detections, domain analysis, and Recorded Future Network Traffic Analysis, it was determined that a subset of these AXIOMATICASYMPTOTE servers share some common infrastructure tactics, techniques, and procedures (TTPs) with several previously reported Chinese state-sponsored groups, including the advanced persistent threat group APT41 and Tonto Team. APT41 has been used in earlier attempts to gain unauthorised access to restricted networks to steal sensitive data rather than disrupt services, and was noted during the UIDAI data theft episode. The clear indication of Chinese involvement emerged with the exposure of another Chinese-speaking APT, Tonto Team, which has been active since at least 2013. Tonto Team primarily targets military, diplomatic, and infrastructure organisations in Asia and Eastern Europe. The group has been observed using various malware, including the Remote Access Trojans (RATs) Bisonal and ShadowPad. They employ spear-phishing emails with malicious attachments as their preferred distribution method, and such emails were identified in these intrusions.[xii]
The needle of suspicion was firmly pointed in the Chinese direction after the Recorded Future team found in late 2020 that the Chinese state-sponsored APT Red Echo was sponsoring attacks on Indian power grids by pre-positioning malware assets within critical infrastructure, potentially for future strategic objectives, with overlaps to ShadowPad and Tonto Team. On March 3, a State Cyber Cell probe found 14 Trojan horses in the Maharashtra State Electricity Transmission Company servers, which could radically disrupt power distribution in the state. The primary malware was identified as Red Echo and caused the massive power outage in Mumbai in October 2020.[xiii]
Red Echo has a strong infrastructure and victimology intersection with Chinese groups APT41/ Barium and Tonto Team. ShadowPad is used by at least five distinct Chinese groups linked to the PLA. The Chinese fingerprints are undeniable.[xiv]
The Indian Government’s assessment suggested that pre-positioning energy assets likely served as geostrategic signalling during heightened bilateral tensions and aimed to undermine confidence in the government by exposing its vulnerabilities. Unsurprisingly, Recorded Future found numerous IP addresses associated with critical Indian systems communicating with the APT for months.
An even more telling footprint was the use of infrastructure termed AXIOMATICASYMPTOTE to target a large swathe of India’s power sector units and ports. AXIOMATICASYMPTOTE servers were connected to Red Echo, had domains that spoofed those of Indian power sector entities configured to them, and also acted as command-and-control centres for the ShadowPad malware described earlier.
All twelve targeted entities have been classified as critical infrastructure by the National Critical Information Infrastructure Protection Centre (NCIIPC).[xv]
Ransomware Attacks
Ransomware attacks have become increasingly common in India, targeting both public and private sector organisations. In November 2021, the Indian healthcare sector was struck by a series of ransomware attacks, including the attack on the All India Institute of Medical Sciences (AIIMS), which disrupted hospital operations, as staff were unable to access the eHospital platform that provides patient-centric services, and compromised patient data. These attacks not only caused financial losses, as the threat actors demanded cryptocurrency through ransomware, but also highlighted the significant risk to public safety and national security.
SentinelOne, which first identified the APT, stated that it was ChamelGang (also known as Camo Fei), a suspected Chinese APT group, that had targeted AIIMS. Earlier, in 2022, the ChamelGang APT had drawn attention for targeting the Brazilian President’s office, exfiltrating information, and asking for cryptocurrency through ransomware.[xvi]
The majority of the activities analysed by SentinelOne indicated that the ChamelGang APT’s use of ransomware reflected a strategic choice by cyber espionage actors: financial gain, or perhaps a clever tactic for misattribution. Another motivation was that inadequate information sharing between the police, Revenue Service and Enforcement Directorates, financial intelligence units, and others could lead to insufficient risk assessment and diminished situational awareness. Ransomware is also advantageous from an operational perspective, as the data-destructive nature of this malware could collaterally disrupt systems and destroy intrusion and attribution data. In the case of a ransomware attack on critical infrastructure, the focus would be on restoring affected data and systems, providing a window of opportunity for further malicious activities.
The UIDAI Attack
Chinese targeting of Indian entities has expanded into a multitude of outlets and intrusions. In 2021, the Indian media group Bennett Coleman And Co Ltd (BCCL), “The Times Group”; the Unique Identification Authority of India (UIDAI); and the Madhya Pradesh Police Department were targeted using the Winnti malware. Of these, the most sensitive and significant was the UIDAI, the Indian government agency responsible for the national identification database, “Aadhaar”, which contains private biometric information for over 1 billion Indian citizens. These intrusions were executed by an activity group designated TAG-28, in conjunction with another threat entity, ‘pwn000’, which posted on a breach forum that it had access to 815 million Indian Aadhaar records and put them up for sale on the dark web on October 9, 2023.
The Recorded Future cybersecurity group identified suspicious network traffic patterns between two Winnti malware C2 servers and infrastructure registered to BCCL from February to August 2021. Subsequently, the Insikt Group identified four IPs assigned to BCCL that were engaged in sustained and substantial network communications with the two Winnti C2 servers (185.161.209[.]87 and 86.107.197[.]182) and a third probable Cobalt Strike C2 at 178.157.91[.]144. Approximately 500 MB of data had been exfiltrated from the BCCL network to the malicious infrastructure. The attack was believed to be in retaliation for the Times of India’s coverage of the border tensions with China.
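As an added illustration (not code from the article, Recorded Future or Insikt Group), the following Python script shows the defender-side check that underlies a finding like the one above: it refangs the indicators quoted in this section and sweeps flow records for internal hosts in sustained or substantial communication with them. The flow-record format, the thresholds and the sample records are assumptions constructed for this example.

```python
"""Flag internal hosts talking to known C2 addresses in flow records.

Added example; the indicators are the defanged addresses quoted in the
article, the flow format and sample records are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime

# Indicators exactly as the article quotes them (defanged with "[.]").
DEFANGED_C2 = {
    "185.161.209[.]87": "Winnti C2",
    "86.107.197[.]182": "Winnti C2",
    "178.157.91[.]144": "suspected Cobalt Strike C2",
}


def refang(ioc: str) -> str:
    """Turn a defanged indicator back into a matchable address."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


C2_LOOKUP = {refang(k): v for k, v in DEFANGED_C2.items()}

# Constructed sample flow records (not real telemetry), one per line:
# timestamp src_ip dst_ip dst_port bytes_out. 203.0.113.10 is a benign
# documentation address used as a control.
SAMPLE_FLOWS = """\
2021-06-10T08:02:11Z 10.20.0.15 185.161.209.87 443 51200
2021-06-10T09:15:40Z 10.20.0.15 185.161.209.87 443 73400
2021-06-11T10:01:03Z 10.20.0.15 185.161.209.87 443 120000
2021-06-12T14:40:59Z 10.20.0.15 178.157.91.144 443 20480
2021-06-12T15:02:17Z 10.20.0.42 178.157.91.144 443 4096
2021-06-12T15:05:00Z 10.20.0.42 203.0.113.10 443 9000
this line is malformed and must be skipped
2021-06-13T11:11:11Z 10.20.0.42 178.157.91.144 443 4096
"""

FLOW_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>[\d.]+)\s+(?P<dst>[\d.]+)\s+(?P<port>\d+)\s+(?P<bytes>\d+)$"
)


def parse_flows(text: str) -> list:
    """Parse flow lines; malformed lines are skipped, not fatal."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if not m:
            continue
        flows.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "src": m["src"], "dst": m["dst"],
            "port": int(m["port"]), "bytes": int(m["bytes"]),
        })
    return flows


def find_c2_contacts(flows: list, min_days: int = 2, min_bytes: int = 100_000) -> list:
    """Aggregate per (src, C2) pair and tag 'sustained' (seen on at least
    min_days distinct days) and 'substantial' (at least min_bytes sent)."""
    stats = defaultdict(lambda: {"bytes": 0, "days": set(), "count": 0})
    for f in flows:
        if f["dst"] not in C2_LOOKUP:
            continue  # only known C2 destinations are of interest here
        s = stats[(f["src"], f["dst"])]
        s["bytes"] += f["bytes"]
        s["days"].add(f["ts"].date())
        s["count"] += 1
    findings = []
    for (src, dst), s in sorted(stats.items()):
        tags = []
        if len(s["days"]) >= min_days:
            tags.append("sustained")
        if s["bytes"] >= min_bytes:
            tags.append("substantial")
        findings.append({"src": src, "dst": dst, "label": C2_LOOKUP[dst],
                         "bytes": s["bytes"], "days": len(s["days"]),
                         "flows": s["count"], "tags": tags})
    return findings


if __name__ == "__main__":
    for fnd in find_c2_contacts(parse_flows(SAMPLE_FLOWS)):
        print(f"{fnd['src']} -> {fnd['dst']} ({fnd['label']}): "
              f"{fnd['bytes']} bytes over {fnd['days']} day(s) {fnd['tags']}")
```

Any contact with a listed C2 is reported; the tags separate a one-off hit from the sustained, high-volume pattern that justified the exfiltration estimate in the article.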
This was not a one-off act against the media. In 2013, a Chinese state-sponsored threat, APT12, compromised The New York Times. This coincided with the NYT’s reporting on Chinese leadership figures, suggesting the intrusion was connected to that reporting. It is further understood that another Chinese threat actor, APT41, has an operational scope to track individuals and conduct surveillance on media entities.
While investigating the infrastructure used in the BCCL compromise, Insikt identified an ongoing breach of the UIDAI, occurring between June 10 and at least July 20, 2021. During this period, two IPs registered to UIDAI were observed communicating with the same suspected Cobalt Strike C2 server used to target BCCL. This was in addition to the Winnti servers that had been identified and neutralised.
Madhya Pradesh Police was targeted using Winnti malware on June 1, 2021. The MPP IP, which serves a State Crime Records Bureau (SCRB) website that provides links to various web and mobile applications operated by SCRB, was targeted. Approximately 5 MB of data was exfiltrated, and the possible reason was that Madhya Pradesh Chief Minister Shivraj Singh Chouhan was critical of China after the violent border clashes with Chinese troops in the Ladakh region in June 2020, calling for the state’s residents to boycott Chinese products. It appeared that the strike on the MP police was a warning against open criticism of China.
Winnti malware has been used by several Chinese state-sponsored groups, including APT41/Barium and APT17, acting on behalf of China’s Ministry of State Security (MSS). These examples demonstrate the vulnerability of India’s cyber frontiers and emphasise the urgent need to secure our cyber defences and enhance our capacity to counter threats.
The Strategic Importance of Cybersecurity for India
The Indian Computer Emergency Response Team (CERT-In) has reported over 2.04 million registered cyber incidents in India in 2024, representing a significant increase from 1.39 million in 2022.[xvii]
India has emerged as the second most targeted country for cyberattacks after the USA and Israel. According to dark web data, over 95 Indian entities in banking and finance, government, healthcare, pharmaceuticals, and telecommunications have been affected. The number of unreported cases is likely to be about double that figure. As reliance on digital technologies increases and attacks become more sophisticated, the government must develop and maintain efficient and proactive cybersecurity systems to prevent losses to critical infrastructure and consumers.
The digital economy is a key driver of India’s economic growth. According to a report by the Indian Council for Research on International Economic Relations (ICRIER), the digital economy is expected to contribute $1 trillion to India’s GDP by 2025. However, this growth depends on the security and resilience of digital infrastructure. Cyberattacks can disrupt business operations, erode consumer trust, and lead to significant financial losses. For India to realise its economic potential, it must ensure the security of its digital ecosystem.
Moreover, the internet has become an integral part of everyday life for millions of Indians, enabling access to information, education, healthcare, and financial services. However, the spread of misinformation, hate speech, and online harassment on digital platforms can undermine social stability. Cybersecurity measures are essential to protect individuals from online threats and ensure that the internet remains safe and inclusive.
Road Map for Sustainable Cyber Security
- Capacity building for cybersecurity is a sine qua non for protecting our cyber frontiers. We need to establish effective systems to train a sizable workforce, which is currently in short supply.
- We must also monitor the threat landscape to understand the tools and infrastructure tactics used for cyber terrorism, extortion, and subversion.
- Identify state-sponsored groups. While the threats from Pakistan are easily countered due to a lack of sophistication, we must remain vigilant about a third country using Pakistani and now Bangladeshi IPs for phishing or creating deep fakes, etc.
- Domain Name System (DNS) and web filtering solutions must be set up promptly to block access to known malicious domains and prevent users from accessing suspicious or harmful sites.
- We must prevent any use of compromised infrastructure, especially in strategic and critical areas.
- We must develop a deeper understanding of AI-powered cyber threats that leverage artificial intelligence to bypass traditional security measures and create more targeted, personalised, and automated attacks. These threats include AI-driven social engineering, phishing, malware generation, deepfakes, and data poisoning.
- AI can also be used to automate the creation of malware and evasion techniques, and even exploit AI systems themselves, making them a significant concern for businesses and individuals.
- We need to urgently promote Public-Private Partnerships, as there is often a lack of talent in either the PSUs or government institutions. The government should incentivise the private sector to invest in cybersecurity research and development, share threat intelligence, and participate in cybersecurity exercises and drills. This would also encourage innovation and research and development in cybersecurity issues, enabling us to stay ahead of the curve in anticipating and preventing cyberattacks.
To sum up, Indians are highly skilled in software development and digital usage. We need to leverage our strengths and enhance our expertise in this crucial area of cybersecurity. We need to realise that our cybersecurity is as critical as the physical guarding of our frontiers.
As a rising global power, India has the opportunity to play a leadership role in shaping the future of the internet and cybersecurity. By developing a robust cybersecurity framework and promoting international cooperation, India can establish itself as a responsible stakeholder in the global digital economy. This will not only enhance India’s global standing but also contribute to creating a secure and open internet for all.
Author Brief Bio: Ms. Prabha Rao is Distinguished Fellow, India Foundation. She is also the Executive Director, South Asian Institute for Strategic Affairs and Distinguished Scholar at the Institute for Defence Studies and Analyses, New Delhi. She is a former IPS officer from Karnataka cadre (1982 batch) who went on a deputation to cabinet secretariat and served in several locations abroad. She also runs an NGO — Encourage India, for skilling victims of trafficking and left-wing extremism.
References:
[i] Sharma, S. (2024, January 20). Securing India’s Digital Future: Cybersecurity Urgency and Opportunities. Thediplomat.com. https://thediplomat.com/2024/01/securing-indias-digital-future-cybersecurity-urgency-and-opportunities/
[ii] Mahender Singh Manral. (2025, February 5). Cyber frauds jump 900% in 4 years: Small cities like Deoghar, Nuh, Mathura emerge as new scam Capitals. The Indian Express. https://indianexpress.com/article/india/cybercrime-sharp-rise-complaints-2024-govt-data-9816845
[iii] https://newsroom.cisco.com/c/r/newsroom/en/us/a/y2024/m03/cybersecurity-readiness-index-2024.India
[iv] https://newsroom.cisco.com/c/r/newsroom/en/us/a/y2024/m03/cybersecurity-readiness-index-2024.India
[v] RecordedFuture. (2025, February 28). 2024 Malicious infrastructure report. Recorded Future. https://www.recordedfuture.com/research/2024-malicious-infrastructure-report
[vi] DSCI. (2025). Data Security Council of India. https://www.dsci.in/resource/content/india-cyber-threat-report-2025
[vii] DSCI. (2025). Data Security Council of India. https://www.dsci.in/resource/content/india-cyber-threat-report-2025
[viii] Potentially Unwanted Program (PUP). (2024, July 26). Malwarebytes. https://www.malwarebytes.com/cybersecurity/basics/what-is-pup#:
[ix] PUP and PUM FAQs. (2024, November 6). ThreatDown, Powered by Malwarebytes, Support Site. https://support.threatdown.com/hc/en-us/articles/4413802548755-PUP-and-PUM-FAQs#:
[x] ᴍᴏᴏɴD4ʀᴋ. (2023, August 18). HackBrowserData. GitHub. https://github.com/moonD4rk/HackBrowserData
[xi] RecordedFuture. (2021). China-linked Group RedEcho Targets the Indian Power Sector Amid Heightened Border Tensions. Recordedfuture.com. https://www.recordedfuture.com/research/redecho-targeting-indian-power-sector
[xii] Fraunhofer FKIE. (2025). Tonto Team (Threat Actor). Fraunhofer.de. https://malpedia.caad.fkie.fraunhofer.de/actor/tonto_team
[xiii] RecordedFuture. (2021). China-linked Group RedEcho Targets the Indian Power Sector Amid Heightened Border Tensions. Recordedfuture.com. https://www.recordedfuture.com/research/redecho-targeting-indian-power-sector
[xiv] Insikt Group. (2021). CYBER THREAT ANALYSIS CHINA [Report]. Recorded Future. https://www.fbcinc.com/source/virtualhall_images/NLIT_June_21/Recorded_Future/cta-2021-0228.pdf
[xv] Sircar, S. (2021, March 5). AXIOMATICASYMPTOTE: How an 18-Letter Word Exposed Chinese RedEcho. TheQuint; The Quint. https://www.thequint.com/cyber/security/chinese-redecho-hacker-cyber-threat-intrusion-power-sector-ports#read-more%23read-more
[xvi] Chamelgang & Friends | Cyberespionage Groups Attacking Critical Infrastructure with Ransomware. (2024). SentinelOne Inc. https://assets.sentinelone.com/sentinellabs/chamelgang-friends-en
[xvii] Government of India Taking Measures to Protect Critical Infrastructure and Private Data Against Cyber Attacks. (2025). Pib.gov.in. https://pib.gov.in/PressReleasePage.aspx?PRID=2116341