India: cyberthreat landscape Q3 2023-Q3 2024

This research aims to identify the most characteristic cyberthreats facing India during the period from Q3 2023 to Q3 2024. The objective is to assess the current cybersecurity situation in the region and make predictions about potential cyberattack vectors.
Darya Lavrova
Senior analyst, International Analytics Group of PT Cyber Analytics

About this report

The data and findings presented in this report are based on Positive Technologies' own expertise as well as analysis of publicly available resources including information from the SOCRadar¹ platform.

  1. This platform provides real-time monitoring of cyberthreats, darknet activity, and hacker forums.

Summary

  • The number of cyberattacks in India is on the rise: in 2023, attacks increased by 15% compared to the previous year, while in Q2 2024, a growth of 46% was recorded.
  • Government organizations were the most targeted, accounting for 36% of attacks, followed by industrial firms at 13%. There is also a growing proportion of attacks on healthcare organizations, IT companies, and service providers.
  • The primary methods of executing cyberattacks are malware (37%) and social engineering (32%). Key distribution methods for malware are email (64%) for organizations and websites (40%) for individuals.
  • The primary consequence of cyberattacks is data breaches (70% for organizations and 62% for individuals).
  • In attacks on organizations, spyware (38%) and ransomware (33%) are predominant.

Investment in digitalization and associated cyberthreats

In 2024, India has the fastest-growing economy among the G20 nations; one of the key drivers of this growth is digitalization reform in social and technological infrastructure. In recent years, the largest influx of foreign direct investment has gone to India's services sector (16%), the IT software and hardware industry (15%), trade and telecommunications (6% each), and the automotive sector (5%). India ranked among the top six countries for investment in artificial intelligence from 2013 to 2022.

The digitalization of these industries has led to an increase in demand for IT services and solutions. Since 2020, there has been a notable growth in investment in data centers and cloud solutions, driven by growing data consumption as a result of digitalization and the shift to cloud technology. The year 2022 saw an increase in the share of investment in the medical sector: 81% of that year’s investment was directed towards healthcare services, totaling over $628 million in direct and venture investment in medical devices and supplies.

From 2017 to 2020, India saw a remarkable growth of 38% in the mobile gaming market. By comparison, in the US, this figure increased by 10%, and in China by just 8%. Additionally, India experienced the highest growth in new paying users (NPU) globally, at 40% and 50% in 2020 and 2021, respectively.

Investment in artificial intelligence and educational technology, the implementation of the Aadhaar biometric citizen identification system, the launch of the UPI fast payment system, and impressive growth of the online gaming and e-commerce markets reflect India’s ambition to achieve digital leadership in the region. However, the expertise of Positive Technologies shows that a rapid pace of digitalization and the introduction of new technology do not always lead to an increase in the level of cybersecurity; meanwhile, the range of cyberthreats is expanding, making the region an attractive target for cybercriminals. India's information infrastructure is increasingly facing cyberattacks, which increased by 15% in 2023 compared to the previous year. The research company Indusface notes that its clients reported a record number of cyberattacks in Q1 2024: 1.8 billion, while in Q2 2024, Check Point Research recorded a 46% increase in cyberattacks in India, compared to a 30% increase globally.

A large volume of stored confidential information, a low level of digital literacy among staff and users, and insufficient regulation in the field of cybersecurity make Indian organizations in the healthcare, service, and gaming sectors more attractive for criminals; this has resulted in an increase in the share of cyberattacks on these industries. Along with this, criminals have begun to more frequently attack IT companies, as gaining access to their infrastructure can open up opportunities for cyberattacks on these companies’ clients. 

Victims and consequences

During the period under review, attackers in India more often targeted organizations (80%) than individuals (20%). Government institutions (36%) and industrial organizations (13%) were subjected to the greatest number of cyberattacks. IT companies, medical institutions, and service organizations shared third place (9% each).

Their strategic nature and importance to the country's economy make government institutions and industrial companies attractive targets for malicious actors. In addition, both store large volumes of confidential information: personal data, trade secrets, and so on.

The digital transformation of the region calls for software solutions tailored to individual industries.

Figure 1. Categories of victim organizations

Cybercriminals of all stripes, from dark web data brokers to seasoned cyberspies, target confidential data. The main consequences of successful cyberattacks on organizations in India are data breaches (70%) and disruption of the organizations' core activities (13%). The third most common consequence is the use of resources from compromised organizations or individuals to conduct cyberattacks (6%). Cyberattacks on individuals also most often led to data breaches (62%) and direct financial losses (15%).

Figure 2. Consequences of cyberattacks (share of cyberattacks)

The share of personal data among stolen information amounted to 40%. Together with trade secret data (20%), these two categories accounted for more than half of all data obtained by criminals as a result of successful cyberattacks on organizations.

Figure 3. Types of data stolen (in successful attacks on organizations)

As a result of successful cyberattacks on individuals, criminals equally often obtained personal data and messages (24% each).

Figure 4. Types of data stolen (in successful cyberattacks on individuals)

Government agencies

Government agencies in India accounted for 36% of cyberattacks during the period under review. They were most often attacked using malware (37%) and social engineering methods (33%), while 21% of cyberattacks exploited vulnerabilities.

In cyberattacks on government institutions, criminals most frequently used spyware (50%), followed by remote control malware (30%), with 10% each for ransomware and data wipers. Social engineering and software vulnerabilities are often used together. For example, the initial tactic of a recently discovered cyberattack by an APT group on Indian government institutions was believed to be the distribution of phishing emails that would download the DISGOMOJI malware onto the victim's Linux device. The functionality of the malware is similar to many others: criminals can execute commands, take screenshots, steal files, install additional software, and search for files. However, the use of Discord and emojis as a command and control system distinguishes DISGOMOJI from other malware and allows it to bypass protective mechanisms that monitor text commands.
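One way a defender can look for the Discord-based command-and-control pattern described above in egress proxy logs, as an added example that is not from the report or from any published DISGOMOJI analysis: it flags hosts whose Discord API traffic comes from a server, uses a scripted user agent, or polls one endpoint at machine-regular intervals. The log format, the server inventory, the thresholds and the sample lines are assumptions constructed for the example.

```python
"""Flag hosts whose Discord traffic looks like automated C2 polling rather than human use.

Added example; the log format, host inventory and thresholds are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Domains Discord's API and attachment CDN are served from.
DISCORD_DOMAINS = {"discord.com", "discordapp.com", "cdn.discordapp.com", "gateway.discord.gg"}
# Assumed inventory: servers where no interactive Discord use is expected.
SERVER_HOSTS = {"srv-lin-01", "srv-lin-02"}
# User agents a human-driven browser or the official client would send; anything else is scripted.
INTERACTIVE_UA = re.compile(r"Mozilla/|Discord/")
MIN_POLLS = 3      # need at least this many intervals to judge regularity
MAX_JITTER = 0.2   # coefficient of variation below which polling counts as machine-regular

# Constructed egress-proxy log lines, not real traffic: "<timestamp> <host> <dst> <path> <user-agent>"
SAMPLE_LOG = """\
2024-06-10T09:00:00 srv-lin-01 discord.com /api/v9/channels/111/messages python-requests/2.31
2024-06-10T09:00:30 srv-lin-01 discord.com /api/v9/channels/111/messages python-requests/2.31
2024-06-10T09:01:00 srv-lin-01 discord.com /api/v9/channels/111/messages python-requests/2.31
2024-06-10T09:01:30 srv-lin-01 discord.com /api/v9/channels/111/messages python-requests/2.31
2024-06-10T09:00:05 ws-win-07 discord.com /api/v9/gateway Mozilla/5.0 (Windows NT 10.0) Chrome/125
2024-06-10T09:14:11 ws-win-07 discord.com /api/v9/users/@me Mozilla/5.0 (Windows NT 10.0) Chrome/125
2024-06-10T09:02:00 srv-lin-02 pypi.org /simple/requests/ pip/24.0
2024-06-10T09:03:00 srv-lin-01 cdn.discordapp.com /attachments/111/222/update.bin python-requests/2.31
"""


def parse_line(line):
    """Split one log line; the user agent may contain spaces, so it is the remainder."""
    ts, host, dst, path, ua = line.split(" ", 4)
    return datetime.fromisoformat(ts), host, dst, path, ua


def polling_interval(times):
    """Return the mean gap in seconds if the timestamps are evenly spaced, else None."""
    times = sorted(times)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    if len(gaps) < MIN_POLLS or mean(gaps) == 0:
        return None
    return mean(gaps) if pstdev(gaps) / mean(gaps) <= MAX_JITTER else None


def analyze(log_text, server_hosts):
    """Return {host: {"requests": n, "reasons": [...]}} for hosts with suspicious Discord traffic."""
    by_host = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec[2] in DISCORD_DOMAINS:
            by_host[rec[1]].append(rec)

    findings = {}
    for host, recs in by_host.items():
        reasons = []
        if host in server_hosts:
            reasons.append("discord traffic from a server host")
        scripted = {ua for *_, ua in recs if not INTERACTIVE_UA.search(ua)}
        if scripted:
            reasons.append("non-interactive user agent: " + ", ".join(sorted(scripted)))
        # Beaconing check: a bot polling one channel endpoint produces evenly spaced requests.
        per_path = defaultdict(list)
        for ts, _, _, path, _ in recs:
            per_path[path].append(ts)
        for path, times in per_path.items():
            interval = polling_interval(times)
            if interval is not None:
                reasons.append(f"regular polling of {path} every {interval:.0f}s")
        if reasons:
            findings[host] = {"requests": len(recs), "reasons": reasons}
    return findings


if __name__ == "__main__":
    for host, finding in analyze(SAMPLE_LOG, SERVER_HOSTS).items():
        print(host, finding["requests"], *finding["reasons"], sep="\n  ")
```

The workstation in the sample uses a browser user agent and irregular timing, so only the server that polls a channel endpoint every 30 seconds is reported.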

APT groups carried out 56% of cyberattacks on government institutions. Hacktivists accounted for 25% of attacks, while cybercriminals were responsible for the remaining 19%. The activities of hacktivists against government organizations were often linked to significant political events and primarily involved disrupting the operations of government institutions, for example, by defacing their websites. 

In 2023, the hacktivist group Team R70 claimed responsibility for defacing the website of the Chhattisgarh State Biodiversity Board, on behalf of OpIndia. And as a result of a cyberattack during the ongoing G20 summit in 2023, the hacktivist group Team Insane PK disabled the websites of the Delhi police and Mumbai police.

Figure 5. Team Insane PK's post about cyberattacks against Indian police websites

In 42% of cyberattacks on government institutions, the targets were computers, servers, and network equipment. In 35% of cases, the targets were people, and in 19%, websites. The primary consequence of attacks on government institutions is data breaches (61%), while 17% resulted in disruptions to government operations. The large volume of sensitive data associated with the public sector attracts cybercriminals. Thirty-three percent of all data breaches involved personal data, 22% involved trade secrets, and 17% involved credentials.

An analysis of data relating to government institutions from dark web platforms in 2024 showed the following statistics: in 35% of cases, the post subjects pertained to compromised databases, in 27% to website defacements, and in 20% to gaining access to infrastructure.

The most popular type of advertisement is "giveaway"² (67%); this applies to both stolen databases and access. The prevalence of this type of ad indicates that the cybercriminals are less interested in monetizing data stolen from government institutions. These criminals are presumably hacktivists, or their advertisements on dark web platforms are published for reputational purposes, that is to demonstrate their capabilities and boost their reputation among the dark web community.

  2. The "giveaway" category refers to advertisements on dark web platforms where criminals freely distribute stolen information, such as credentials for accessing infrastructure, databases, and so on. In contrast to "giveaways", "sale" advertisements are published by criminals seeking financial gain.

Figure 6. Advertisement offering a Government of Maharashtra database for sale

Figure 7. Advertisement offering access to the database of the Indian state of Odisha

Industrial organizations

The share of cyberattacks on industrial organizations in India during the period under review was 13%. They were most often attacked using social engineering methods (40%) and malware (30%), which correlates with the predominant targets of cyberattacks: 45% being people, and 36% being computers, servers, and network equipment.

In 80% of successful cyberattacks on industrial organizations, there was a data breach, with 75% of this data constituting trade secrets. In March 2024, Indian energy companies were subjected to a spying campaign that used the malware HackBrowserData, capable of collecting browser login credentials, cookies, and history. The attackers aimed to obtain financial documents, personal data of employees, and trade secrets relating to oil and gas drilling.

Cyberattackers predominantly used spyware and ransomware to target industrial facilities. In 2023, Ace Micromatic Group, a major Indian manufacturer of machine tools and automation, fell victim to a cyberattack by the Medusa ransomware group. The attackers published information about the company, demanding a ransom of $100,000.

Figure 8. Announcement of the hack of Ace Micromatic Group on the Medusa blog

The company Polycab, an Indian manufacturer of cables, wires, and accompanying products, suffered a ransomware attack on its IT infrastructure in March 2024. According to dark web forums, the LockBit ransomware gang was behind the cyberattack.

Some cyberattacks on industrial organizations resulted in direct financial losses. For example, a cyberattack on one of the subsidiaries of the Indian pharmaceutical giant Alkem Laboratories resulted in a fraudulent transfer of 52 crore rupees ($6.2 million).

Regardless of the country, the government and industry are the most frequently attacked sectors; after that, the distribution of attacks becomes more specific for each region. India, which is undergoing a digital transformation, saw cyberattacks on medical organizations, IT companies, and service sector organizations with equal frequency during the period under review.

Medical organizations

The predominant methods of cyberattacks on the medical and service sectors are the same: malware and social engineering. In the medical sector, malware was used in 50% of attacks, social engineering methods in 33%, and exploitation of vulnerabilities in 17%.

In 2021, experts from Positive Technologies identified the APT group ChamelGang and described its arsenal in detail. In 2022 and 2024, the group used ransomware to attack major medical institutions in India, including the All India Institute of Medical Sciences (AIIMS).

In July 2023, researchers at CloudSEK discovered a post on an English-language cybercrime forum about the hack of the IIIT Delhi web portal focused on bioinformatics, health informatics, and genomics, which helps biologists develop vaccines and medications. A data breach, caused by exploiting a vulnerability, resulted in the exposure of a database containing people's personal and medical information.

Sixty-seven percent of cyberattacks on medical organizations resulted in a data breach, primarily targeting personal and medical data. For instance, in May 2024, the Regional Cancer Center suffered a ransomware attack. Eleven out of 14 servers at the center were compromised, leading to disruptions in the operations of some departments and the attackers gaining access to medical and personal data of about 2 million patients.

IT companies

Interestingly, the share of cyberattacks on IT companies using social engineering methods is extremely low, but every second cyberattack (50%) on IT companies involves credential compromise. This indicates the criminals' intent to use the compromised infrastructure of IT companies as a means for further cyberattacks. The fact that 50% of cyberattacks on IT companies involve the misuse of the company's own resources confirms this trend.

Such cyberattacks included the infection of installers for software products Notezilla, RecentX, and Copywhiz, developed by the Indian company Conceptworld. The trojan is capable of stealing browser credentials and cryptocurrency wallet information, recording clipboard content and keystrokes, and executing additional payloads on infected Windows hosts. 

Another example is the hacking of the payment gateway belonging to Safexpay Technology Pvt Ltd (STPL). Criminals compromised credentials and gained access to the payment gateway, diverting 16,180 crore rupees ($1.9 million) to several bank accounts. 

Thales Cloud Security Study 2024 revealed that cloud storage, SaaS applications, and cloud management infrastructure are areas increasingly targeted by cyberattacks in India. Cyberthreats related to cloud computing are a concern for more than half (52%) of Indian executives surveyed. Among major security incidents involving IT companies and cloud solutions was a ransomware attack on the Indian tech giant HCL Technologies. The company reported an incident involving ransomware in the isolated cloud environment of one of its projects.

Service sector organizations

A broad range of service sector organizations are being targeted, including those providing legal, educational, and technological services.

PathLegal, a provider of legal services in India, fell victim to a cyberattack by Hacktivist Indonesia, resulting in the attackers gaining access to confidential information belonging to 127,000 lawyers and students. In the wake of a ransomware attack on C-Edge Technologies, a banking technology provider, around 300 small Indian banks were isolated from the country’s wider payment network to prevent a more extensive impact.

In November 2023, a data breach at the Taj Hotels group jeopardized the personal data of approximately 1.5 million people, with the cybercriminals demanding $5,000 in ransom.

Speaking of the education sector, databases containing student information are commonly offered on dark web forums. For example, at the end of September 2024, a database from the Palamuru University portal was available on the dark web, containing personal data of students: names, phone numbers, residential addresses, student photos, passwords, Facebook³ and Google account IDs, etc.

Figure 9. Listing offering the Palamuru University database

For $600, a buyer could purchase a database of 393,599 student records including names, academic departments, years of graduation, and so on.

Figure 10. Listing offering a database of students’ personal data

  3. A product of Meta, a company recognized as an extremist organization banned in Russia under Russian law.

Who is attacking India, and how

As in the rest of the world, the key cyberattack techniques are malware and social engineering. While these categories were most common for individuals, it is worth noting that for organizations, 16% of cyberattacks were carried out by exploiting vulnerabilities.

It can be assumed that the integration of IoT devices into corporate networks has contributed to the share of organizations affected by vulnerability exploitation. According to SonicWall, the share of cyberattacks using malware in India increased by 11% in 2024, while the share of cyberattacks that leveraged IoT devices rose by 59% compared to 2023.

Figure 11. Methods of cyberattacks targeting organizations in India

According to ShadowServer, while India lags behind China in the number of connected IoT devices, it surpasses other countries in Southeast Asia such as Indonesia, Vietnam, Thailand, and Malaysia.

Figure 12. ShadowServer statistics on the number of IoT devices in Southeast Asia

The most common scenario in cyberattacks on Indian organizations is the sending of phishing emails (64%). In cyberattacks on individuals, the predominant methods are the use of websites (40%) and phishing emails (20%), with occasional use of instant messaging services (10% of cases).

Figure 13. Malware distribution methods (share of successful malware attacks)

According to SonicWall’s data, the share of cyberattacks using malware in India has increased by 11% in 2024. Spyware was the most common tool used to attack both organizations (38%) and individuals (36%).

Figure 14. Types of malware (share of successful malware cyberattacks)

Cybercriminals have shown a clear interest in making money by targeting private individuals: 27% of cyberattacks on individuals involved the use of banking trojans. For example, researchers at McAfee discovered a banking trojan named Android/Banker.AFX targeting user devices running Android. Initially, the criminals spread phishing messages via WhatsApp, encouraging users to install an application containing malicious code disguised as a verification tool. Once installed, the banking trojan collects personal and financial information and intercepts SMS messages to steal one-time passwords or verification codes needed to complete transactions, which potentially leads to theft from bank accounts.

According to SonicWall, in 2024, the share of cyberattacks using ransomware grew by 22%, indicating a significant trend for Indian enterprises. During the period under review, the share of cyberattacks using ransomware was 33%, slightly lower than that of cyberattacks using spyware.

As India develops its technological infrastructure and strengthens its position in cyberspace, it is countering cyberespionage by foreign states, politically and religiously motivated hacktivists, and financially motivated cybercriminals.

The region has seen activity from APT groups, such as APT36 (Transparent Tribe), Cosmic Leopard, and UTA0137. These groups are known to conduct cyberespionage campaigns using malware and social engineering methods, primarily targeting Indian government agencies. UTA0137 focuses on the defense, government, and technology sectors, employing malware for Android and Windows in its cyberattacks (using DISGOMOJI malware against Indian organizations) and exploiting specific vulnerabilities in Linux systems. APT36 has been using CapraRAT for over two years, previously engaging in targeted phishing and watering hole attacks to deliver spyware to Windows and Android devices. In 2024, the group targeted organizations in India’s government, aerospace, and defense sectors.

Some of the hacktivist groups are Team Insane PK, Fredens of Security, RipperSec, and Team R70. Team Insane PK is a group known for its religious hacktivist activities, attacking Indian businesses and government websites. During the period under review, they attacked the websites of the Delhi Police and Mumbai Police, taking them offline. Fredens of Security claimed responsibility for exposing 4.5 GB of confidential data, reportedly containing 3 million records related to the Ministry of Food Processing and the Ministry of Health and Family Welfare of India. RipperSec is a pro-Muslim hacktivist group that uses the MegaMedusa tool to carry out DDoS attacks. They have a wide geographical impact, targeting countries including India, Israel, the USA, the UK, and others. Team R70 claimed responsibility for damaging the website of the Chhattisgarh Biodiversity Board.

The financially motivated Desorden (chaoscc) group has been targeting Indian and Malaysian companies across various sectors since 2021, stealing data from high-income businesses for ransom. The cybercriminal group Medusa, known for creating ransomware, attacked industrial companies in India in 2023, demanding ransom for stolen data.

Forecasts

The number of cyberattacks in India is expected to increase, driven by the ongoing digitalization in the region. The attack surface is expanding and cyberrisks are increasing due to a number of factors: the integration of software into technological and business processes, the characteristics of the sectors undergoing digitization, and potentially insufficient consideration of these factors when designing and implementing software solutions, along with errors and defects in the software being developed.

1. The activity of APT groups and hacktivists is expected to remain at the same level, predominantly targeting government and industrial sectors. The cyberattack methods typical for these categories of attackers will remain unchanged: the use of malware (primarily spyware) in conjunction with social engineering techniques.

2. Financially motivated cybercriminals are expected to focus on organizations that meet the following criteria:

  • Part of a sector that is attracting significant investment
  • Part of an industry with inadequate cybersecurity regulations
  • Small budget for cybersecurity
  • Requirements for a large workforce who lack skills in maintaining digital hygiene
  • Significant amount of confidential information being stored

As of 2024, the sectors attracting the most investment include information technology, healthcare, manufacturing, agriculture, and services. According to the above criteria, healthcare and service industry organizations are the most likely targets for cyberattacks due to their handling of large amounts of sensitive data and their reliance on a workforce that may lack cybersecurity expertise. 

3. The share of cyberattacks on IT companies, particularly small and medium-sized IT organizations, will increase. The large number of such organizations is a feature of the Indian software market. It is logical to assume that their cybersecurity budgets are limited, as supported by statistics from the CyberPeace Foundation which indicate that 43% of cyberattacks target small businesses and startups. It should also be emphasized that attackers will continue to have a particular interest in cloud solutions. Over the past year, 37% of Indian organizations have already faced data breaches in the cloud.

4. Cyberattacks on gaming platforms and banks are expected to persist. The Indian gaming industry is one of the fastest-growing in the world and is expected to continue growing into 2024. However, cyberattacks on gaming platforms are on the rise globally. Gamers faced over 4 million cyberattacks between July 2022 and July 2023. Among those affected were the Indian online platforms Teenpatti.com and Mpl.live. Data stolen from these platforms was put up for sale by a cybercriminal known as "roshtosh".

The banking sector is expected to face a consistently high number of cyberattacks. The Indian financial sector has been under siege for years, facing a relentless barrage of cyberattacks. Data from SOCRadar reveals an alarming rate of data breaches, with 80% of India's largest banks becoming targets discussed on dark web forums.

5. The share of cyberattacks using ransomware will increase. As India's digital landscape expands and reliance on information technology grows, organizations will be willing to pay cybercriminals significantly more to recover data.

6. Cyberattacks using social engineering methods will increase in sophistication due to the use of artificial intelligence technologies (deepfakes) and a high degree of targeting resulting from numerous data breaches. Cybercriminals can use artificial intelligence to personalize emails with information stolen from data breaches, making these emails appear to be from legitimate sources. In April 2024, around the start of the first phase of the elections in India, deepfakes of well-known Indian celebrities Ranveer Singh and Aamir Khan supporting various political parties were posted on social media platforms. In both cases, the synthetic content gained significant popularity online, despite both celebrities publicly denying their involvement in the videos and filing complaints with local authorities.

Conclusions and recommendations

Countering cyberthreats and ensuring the cyber-resilience of a state's information infrastructure is a complex task that requires a multifaceted approach, spanning regulatory, educational, and technological domains.

According to the ITU's Global Cybersecurity Index 2024, India has been ranked at the highest level (Role-Modeling), receiving top scores from experts in 4 out of 5 criteria. The lowered score was attributed to the "Organizational Measures" criterion, indicating shortcomings in the existing legal framework and a need for collaboration among cybersecurity professionals, government agencies, and private companies. Action is also needed to regulate various industries from a cybersecurity perspective. The introduction of the Digital Personal Data Protection Act in 2023 is an important step toward enhancing security; however, it only addresses the digital processing of personal data. Therefore, for a number of sectors, such as healthcare, additional regulation is required.

A critical task is fostering highly qualified cybersecurity specialists, which requires investment in cybersecurity training and education. Training programs should be as practical as possible to equip future professionals with the skills needed to handle the country's changing threatscape. Russia, through Positive Technologies and with the support of the Ministry of Digital Development, has made a significant contribution to international cybersecurity training. On August 12, 2024, a two-week hands-on cybersecurity training program for international participants commenced in Moscow, attracting around 70 students from approximately 20 countries. The program promotes result-driven cybersecurity and enables participants to gain practical skills in countering cyberthreats and ensuring the cyberresilience of organizational information infrastructure across various sectors.

Intergovernmental cooperation with countries that place a strong emphasis on cybersecurity will enable the sharing of experience in regulating sectors of critical national importance, facilitate the investigation of cybercrimes, and conduct joint cybersecurity exercises. 

Increasing the digital literacy of the public is another priority for enhancing cybersecurity at the state level. Training users in digital hygiene and online safety should be adapted to account for the advanced state of generative AI technology. This is essential to equip users with the knowledge they need to defend against cyberattacks that exploit deepfakes.
