
Cyber Incident Victim: Government of Pakistan

Date:

Jun 2021

Location:

Pakistan

Summary

An Indian advanced persistent threat group known as "Confucius" conducted cyberattacks targeting Pakistani government and military institutions, deploying spear phishing emails disguised as official communications. The attackers used malicious documents referencing sensitive topics like military casualty lists and staff vaccination statuses to deliver trojans that stole sensitive data. The group, active since at least 2013, employed social engineering tactics and shared tools with other Indian APT groups including SideWinder and Urpage. These operations aimed to compromise critical infrastructure and exfiltrate confidential information for political and economic gain. Pakistani authorities responded by issuing nationwide alerts about the phishing campaigns impersonating government entities.

CIA Posture: Available to members

Motives: 2 motives

Tactics, Techniques & Procedures: 3 techniques

Threat Actor: 1 actor

Type: Available to members

Location: Available to members

Description

In June 2021, an advanced persistent threat (APT) group operating under the code name "Confucius" conducted cyberattacks targeting Pakistani government and military institutions. The group, identified by Chinese cybersecurity firm Antiy as based in India, employed spear phishing emails disguised as communications from Pakistani government staff. These emails contained malicious attachments designed to deploy Trojan horse programs upon opening. One specific attack in June 2021 involved a file referencing a list of deceased Pakistani army personnel, while another in February 2022 utilized a document about government employee vaccination statuses. The malware enabled data exfiltration from compromised systems, with the group's activities extending beyond Pakistan to include targets in China and Bangladesh since at least 2013. Antiy's investigation revealed the attackers used social engineering tactics tailored to regional contexts, including embedding the command phrase "Confucius says" in their operations—a detail suggesting familiarity with Chinese cultural references.


The attacks prompted analysis by Antiy CERT, which traced the campaign's origins to the South Asian subcontinent and identified tool-sharing between Confucius and another Indian APT group known as SideWinder. Technical evidence indicated additional code overlaps with the Urpage group, reflecting broader collaboration patterns among Indian threat actors. Pakistani authorities responded through the National Telecom & Information Technology Security Board, which issued a nationwide alert warning about spear phishing emails impersonating the Prime Minister's office. The advisory urged officials and citizens to avoid disclosing sensitive information via email or social media. Antiy's findings confirmed the group's objectives centered on stealing sensitive government and military data, with potential physical consequences for critical infrastructure. The sustained campaign demonstrated persistent regional cyber espionage activities aligned with geopolitical interests.
