Operations Playbook - Intelligence Partners

HIGH

India-specific threat actor tracking, commercial threat intelligence integration (Recorded Future, Mandiant, CrowdStrike, Dragos), STIX/TAXII framework, expert interview network, dark web monitoring, and cooperation gap analysis.

India Threat Actor Portfolio

CRITICAL
TIER 1 - NATION-STATE ACTORS

APT41 (China) - BARIUM/BRONZE ATLAS
Dual-purpose: simultaneous espionage and cybercrime. India operations target pharma, tech and government. Uses legitimate software for lateral movement.
Tags: Living-off-the-land, custom RAT deployment, spear-phishing
Targets: Pharmaceutical, Technology, Government
India Relevance: 95%

SideCopy (Pakistan) - SIDEWINDER/APT36
Deliberately impersonates APT41 infrastructure for false-flag operations. Deploys Ceavesdropping and RazeGate malware via defence-themed spear-phishing.
Tags: Decoy documents, custom RATs, strategic patience
Targets: Indian military, Diplomatic, Kashmir personnel
India Relevance: 92%

Transparent Tribe (Pakistan) - APT36/C-Major
Crimson RAT and Peppy malware. Expanded beyond security forces to critical infrastructure, telecom and academia. Interests: diplomatic, defence procurement.
Tags: Watering-hole attacks, Crimson RAT, spear-phishing
Targets: Defence, Telecom, Academic institutions
India Relevance: 88%

RedEcho (China) - BATROTOR
ShadowPad malware found in Indian power grid infrastructure (2020-2021). Pre-positioning for potential disruptive operations.
Tags: ShadowPad malware, power grid targeting, long-dwell
Targets: Power Grid, Critical Infrastructure
India Relevance: 98%
TIER 2 - REGIONAL STATE ACTORS

Patchwork (Pakistan) - Dropping Elephant/ZINC
Linked to Pakistani intelligence. Low-and-slow exfiltration, long-dwell intrusions. Modified open-source RATs and custom keyloggers.
Tags: Long-dwell, open-source RATs, keyloggers
Targets: Government, Diplomatic targets
India Relevance: 72%

Donot Team (Bangladesh) - Storm-085/Project D
EHOLIGE malware family. Kycool C2 infrastructure. Targets Indian security establishments and northeast India government agencies.
Tags: EHOLIGE malware, Kycool C2, custom tooling
Targets: Security establishments, NE India agencies
India Relevance: 65%
TIER 3 - CYBERCRIME ECOSYSTEM

Scully (India/Nepal) - Financial fraud group
UPI and banking trojans targeting Indian financial institutions.
Tags: Banking trojans, UPI fraud, mobile malware
Targets: Banking, UPI payment users
India Relevance: 58%

Lucifer (Unknown) - Cryptocurrency botnet
Cryptocurrency mining botnets affecting Indian enterprise infrastructure.
Tags: Cryptojacking, botnet, enterprise targeting
Targets: Indian enterprise, Cloud infrastructure
India Relevance: 45%

LockBit/ALIAS (Global) - Ransomware operators
Active targeting of Indian organizations with LockBit and ALIAS ransomware.
Tags: Ransomware, double extortion, RaaS
Targets: Indian corporations, Government entities
India Relevance: 75%

STIX/TAXII Integration Framework

MEDIUM
Standards Configuration
Standard Version: STIX 2.1 / TAXII 2.1
Providers: Recorded Future, CrowdStrike, Mandiant, Dragos
Normalization: Normalized to MITRE ATT&CK framework
India Tagging: All indicators tagged for India relevance, sector relevance and threat actor relevance
Alert Filtering Configuration
Each indicator receives an India relevance score from 1 to 5. Score 3+ generates automated alerts by default; items scored 1-2 are available for analyst review only and never raise automated alerts.

5 - DIRECT: Actor explicitly targets India; infrastructure in India; Indian victim
4 - HIGH: Operations consistent with India targeting; sector is India-relevant
3 - MODERATE: May include India as collateral; infrastructure may proxy through India
2 - LOW: Tangentially relevant; no direct India connection
1 - MINIMAL: No identified India relevance
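As an added illustration (not the playbook's own tooling), the scoring and routing rule above applied to a STIX 2.1 bundle as a TAXII client would receive it. The custom property x_india_tagging, its field names and the sample bundle are assumptions constructed for this example.

```python
import json

# Scores and routing rule from the playbook's alert filtering configuration
SCORE_LABELS = {5: "DIRECT", 4: "HIGH", 3: "MODERATE", 2: "LOW", 1: "MINIMAL"}
ALERT_THRESHOLD = 3  # 3+ raises an automated alert; 1-2 is queued for analyst review only
# Sectors the playbook treats as India-relevant (from its actor portfolio and alert thresholds)
INDIA_SECTORS = {"government", "defence", "power", "telecom", "pharma", "technology", "banking", "academic"}

def india_relevance_score(tags: dict) -> int:
    """Map x_india_tagging (an assumed custom property, not part of STIX 2.1) to a 1-5 score."""
    if tags.get("victim_country") == "IN" or tags.get("actor_targets_india") or tags.get("infra_country") == "IN":
        return 5  # DIRECT: explicit India targeting, Indian infrastructure or Indian victim
    if tags.get("sector") in INDIA_SECTORS:
        return 4  # HIGH: operations consistent with India targeting
    if tags.get("collateral_india") or tags.get("proxy_via_india"):
        return 3  # MODERATE: India as collateral, or infrastructure proxied through India
    if tags.get("region") == "south_asia":
        return 2  # LOW: tangentially relevant
    return 1      # MINIMAL: no identified India relevance

def triage_bundle(bundle: dict) -> dict:
    """Route every indicator in a STIX 2.1 bundle to the alert or analyst-review queue."""
    routed = {"alert": [], "analyst_review": []}
    for obj in bundle.get("objects", []):
        if obj.get("type") != "indicator":
            continue  # malware, relationship and other SDOs are context, not alert sources
        score = india_relevance_score(obj.get("x_india_tagging", {}))
        queue = "alert" if score >= ALERT_THRESHOLD else "analyst_review"
        routed[queue].append({"id": obj["id"], "score": score, "label": SCORE_LABELS[score],
                              "pattern": obj["pattern"]})
    return routed

# Constructed TAXII-style bundle: documentation-range IP and .invalid names, not real indicators
SAMPLE_BUNDLE_JSON = """{"type": "bundle", "id": "bundle--00000000-0000-4000-8000-000000000000",
 "objects": [
  {"type": "indicator", "spec_version": "2.1", "id": "indicator--00000000-0000-4000-8000-000000000001",
   "pattern_type": "stix", "pattern": "[ipv4-addr:value = '203.0.113.10']", "valid_from": "2026-03-01T00:00:00Z",
   "x_india_tagging": {"actor": "RedEcho", "actor_targets_india": true, "sector": "power", "victim_country": "IN"}},
  {"type": "indicator", "spec_version": "2.1", "id": "indicator--00000000-0000-4000-8000-000000000002",
   "pattern_type": "stix", "pattern": "[domain-name:value = 'relay.example.invalid']", "valid_from": "2026-03-01T00:00:00Z",
   "x_india_tagging": {"sector": "retail", "proxy_via_india": true}},
  {"type": "indicator", "spec_version": "2.1", "id": "indicator--00000000-0000-4000-8000-000000000003",
   "pattern_type": "stix", "pattern": "[url:value = 'http://example.invalid/x']", "valid_from": "2026-03-01T00:00:00Z",
   "x_india_tagging": {"sector": "retail", "region": "europe"}}]}"""

def triage_sample() -> dict:
    return triage_bundle(json.loads(SAMPLE_BUNDLE_JSON))
```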

Automated Feed Integration

Feed | Format | Frequency | Priority | Retention
CERT-In Advisories | RSS/Atom | Real-time | CRITICAL | 24 months
US-CERT NCAT | Email/SMS | Hourly | HIGH | 12 months
CISA Current Activity | RSS | Real-time | HIGH | 12 months
Recorded Future | STIX/TAXII 2.1 | 15-minute | CRITICAL | 36 months
CrowdStrike Intel | STIX/TAXII | 15-minute | CRITICAL | 36 months
Mandiant Advantage | STIX/TAXII | 15-minute | CRITICAL | 36 months
Dragos Intel | STIX/TAXII | Hourly | HIGH | 24 months
Shadowserver | CSV/HTTPS | Daily | MEDIUM | 12 months
GreyNoise | API | Real-time | MEDIUM | 6 months
Feed Architecture Principles
CERT-In Integration
Often references exploitation in Indian networks before public disclosure. Tactical advantage signal.
US-CERT Correlation
US tracking of China/Pakistan nexus provides attribution context unavailable elsewhere.
Commercial Feed India Tagging
All commercial indicators tagged for India relevance, sector relevance, threat actor relevance.

India-Specific Alert Thresholds

Government Networks (TIER 1)
C2 interaction from Tier 1 actor infrastructure
Successful phishing to government personnel
Lateral movement from compromised endpoint
Privilege escalation detected
Exfiltration >100MB in 24 hours
Critical Infrastructure (TIER 1)
RedEcho-specific indicators on SCADA networks
ShadowPad/Crimson RAT signatures
Unscheduled data transfers from control systems
ICS protocol anomaly (Modbus, DNP3, IEC 61850)
SS7/Diameter probe activity on telecom
Financial Sector (TIER 2)
SWIFT/ATM interaction with malicious infrastructure
Core banking system contact with tracked actor C2
Dark web sale of bank customer data
UPI fraud network patterns correlated with campaigns

Tiered model: initial detection triggers monitoring escalation, not immediate alert
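An added example, not from the playbook: the government-network exfiltration and Tier 1 C2 triggers evaluated over constructed egress flow records, with the tiered monitor-then-alert escalation. Host names, addresses and the two-trigger escalation rule are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

EXFIL_BYTES_24H = 100 * 1024 * 1024  # playbook trigger: exfiltration >100MB in 24 hours
# Constructed Tier 1 C2 addresses (documentation range); in practice sourced from the tagged feeds
TIER1_C2 = {"203.0.113.10", "203.0.113.11"}

# Constructed egress flow records: (timestamp, source host, destination, bytes out)
FLOWS = [
    ("2026-03-01T08:00:00", "gov-ws-17", "198.51.100.5", 30 * 1024 * 1024),
    ("2026-03-01T13:30:00", "gov-ws-17", "198.51.100.5", 40 * 1024 * 1024),
    ("2026-03-01T22:10:00", "gov-ws-17", "198.51.100.5", 35 * 1024 * 1024),
    ("2026-03-01T09:15:00", "gov-ws-03", "203.0.113.10", 2048),
    ("2026-03-02T09:15:00", "gov-ws-03", "203.0.113.10", 4096),
    ("2026-03-01T10:00:00", "gov-ws-08", "198.51.100.9", 50 * 1024 * 1024),
    ("2026-03-03T10:00:00", "gov-ws-08", "198.51.100.9", 60 * 1024 * 1024),
]

def evaluate(flows):
    """Return ({host: state}, {host: [(trigger, ts)]}).

    Tiered model as assumed here: the first trigger on a host puts it under MONITOR
    (escalated monitoring, no alert); a second trigger promotes it to ALERT.
    """
    triggers = defaultdict(list)
    window = defaultdict(list)  # host -> [(ts, bytes)] for the trailing 24 hours
    for ts_s, host, dst, nbytes in sorted(flows):
        ts = datetime.fromisoformat(ts_s)
        if dst in TIER1_C2:
            triggers[host].append(("tier1_c2_interaction", ts))
        cutoff = ts - timedelta(hours=24)
        window[host] = [(t, b) for t, b in window[host] if t > cutoff] + [(ts, nbytes)]
        if sum(b for _, b in window[host]) > EXFIL_BYTES_24H:
            triggers[host].append(("exfil_over_100mb_24h", ts))
    state = {h: ("ALERT" if len(t) >= 2 else "MONITOR") for h, t in triggers.items()}
    return state, dict(triggers)
```

gov-ws-08 moves 110MB in total but never more than 100MB inside one 24-hour window, so it produces no trigger at all.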

Commercial Threat Intelligence Subscriptions

MEDIUM
Recorded Future | CRITICAL | $40-80K/year
Core Strengths: China/Pakistan nexus tracking, India-specific dark web monitoring, infrastructure identification, vulnerability timing analysis
India-Relevant Modules: India threat actor tracking, dark web for Indian data, supply chain monitoring, India-hosted C2 tracking

Mandiant (Google Cloud) | CRITICAL | $60-120K/year
Core Strengths: APT campaign attribution, front company documentation, victimology analysis, China/Pakistan nexus
India-Relevant Modules: APT41 campaign tracking, APT36/Transparent Tribe tracking, Global Threat Intelligence

CrowdStrike Intelligence | CRITICAL | $30-60K/year
Core Strengths: Endpoint-based attribution, Overwatch threat hunting, nation-state actor tracking
India-Relevant Modules: India-relevant APT groups, Overwatch for CrowdStrike clients, attribution analysis

Dragos | HIGH | $40-80K/year
Core Strengths: OT/ICS-specific coverage, power grid threat reporting, industrial control system intelligence
India-Relevant Modules: WorldView OT/ICS reporting, India power grid reporting, adversary intelligence on ICS groups
Minimum Viable Analyst Coverage
Analyst 1: Strategic TI
Recorded Future, Mandiant, CrowdStrike management
Daily monitoring + weekly synthesis + immediate flagging for active engagements
Analyst 2: Operational TI
Dragos, DomainTools, PassiveTotal, GreyNoise
Daily monitoring + quarterly subscription value review

Expert Interview Network

HIGH

Year 1 Target: 25-35 active expert relationships across all tiers. Year 2: 50-60 relationships with formal advisory structures. Year 3: 70-90 active relationships with established engagement cadence.

Former Intelligence Officers (TIER 1)
Target Profiles:
RAW (3-5), IB (2-3), NTRO (2-3), DRDO (2)
Intelligence Value:
Institutional knowledge, attribution assessments, capability gap awareness
Approach:
Brigadier Chhillar network only. In-person, off-record, no recording.
Compensation:
INR 25K-75K/session honorarium OR INR 1-3L/quarter advisory board
Maintenance: Quarterly minimum
Former Law Enforcement (TIER 2)
Target Profiles:
Cyber cell heads (5-8), CBI (2-3), NIA (2), ED (2), DIG/IGP (3-5)
Intelligence Value:
Investigative methodology, crime patterns, inter-agency dynamics, ground-truth
Approach:
Chhillar network + state cyber cell partnership relationships
Compensation:
INR 50K-150K/month retainer OR INR 15-40K/session
Maintenance: Bi-monthly minimum
Former Bureaucrats (TIER 2)
Target Profiles:
MeitY (3-5), MHA (2-3), UIDAI (2), State Chief Secretaries (3-5), DoT (2)
Intelligence Value:
Policy process, budget allocation, inter-ministry dynamics, procurement intelligence
Approach:
Formal institutional channel, recognized intermediary, policy forum participation
Compensation:
INR 75K-200K/quarter advisory OR INR 50K-150K/speaking engagement
Maintenance: Quarterly minimum
Sector Specialists (TIER 3)
Target Profiles:
Cybersecurity researchers (5-8), Former ISOrg consultants (3-5), IT services seniors (3-5), BFSI specialists (3-5), Healthcare (2-3)
Intelligence Value:
Technical depth, sector-specific visibility, independent research
Approach:
Conference presentations, published research, industry associations
Compensation:
INR 2-10L/research project OR INR 10-50K/session OR INR 3-12L/year retainer
Maintenance: Bi-annually minimum
Source Protection Requirements
Level A - Identity Known Only to Designated Personnel
Former intelligence officers, law enforcement in sensitive positions, current officials.
Level B - Known to Leadership + Designated Analysts
Former bureaucrats, senior law enforcement. Internal documents require explicit approval for source reference.
Level C - Need-to-Know with Engagement Teams
Sector specialists, academic researchers, industry experts whose association creates no personal risk.

Dark Web Monitoring - India Focus

CRITICAL
Priority Data Categories
Aadhaar Numbers | TIER 1 | Demographic data associated with Aadhaar
PAN Cards | TIER 1 | Financial records, tax information
Bank Account Details | TIER 1 | Credentials, card data
Mobile Databases | TIER 1 | Jio, Airtel, Vi customer data
Health Records | TIER 1 | Hospital breaches, insurance data
ITR Data | TIER 2 | Income tax return data
Voter List Data | TIER 2 | Electoral records
GST Registration | TIER 2 | Business registration data
Monitored Forums & Channels
Forum | Language | Access
RAMP (Russia-based) | English | Tor
Exploit.in | English | Tor
Breachforums | English | Tor
Russian Market | English | Tor
FBIR (Fraud Bazaar India) | Hindi | Telegram
Bengali/Odia Forums | Regional | Dark web
Minimum Analyst Requirement
Hindi language capability is non-negotiable: the majority of Indian data sales occur in Hindi-language spaces. Also required: familiarity with the Indian cybercrime ecosystem, Tor navigation, and data format validation (Aadhaar structure, PAN format, mobile number formats) to judge whether a claimed leak sample is plausibly genuine.
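An added example, not part of the playbook: the format checks an analyst would run over a claimed Indian data sample before treating a listing as credible, covering Aadhaar structure (12 digits, first digit 2-9, Verhoeff check digit), PAN format and Indian mobile number formats. The sample records are constructed; the Aadhaar-format value is synthetic with a computed check digit.

```python
import re
# Verhoeff tables (multiplication, permutation, inverse) used for the Aadhaar check digit
_D = [[0,1,2,3,4,5,6,7,8,9],[1,2,3,4,0,6,7,8,9,5],[2,3,4,0,1,7,8,9,5,6],[3,4,0,1,2,8,9,5,6,7],
      [4,0,1,2,3,9,5,6,7,8],[5,9,8,7,6,0,4,3,2,1],[6,5,9,8,7,1,0,4,3,2],[7,6,5,9,8,2,1,0,4,3],
      [8,7,6,5,9,3,2,1,0,4],[9,8,7,6,5,4,3,2,1,0]]
_P = [[0,1,2,3,4,5,6,7,8,9],[1,5,7,6,2,8,3,0,9,4],[5,8,0,3,7,9,6,1,4,2],[8,9,1,6,0,4,3,5,2,7],
      [9,4,5,3,1,2,6,8,7,0],[4,2,8,6,5,7,3,9,0,1],[2,7,9,3,8,0,6,4,1,5],[7,0,4,6,9,1,3,2,5,8]]
_INV = [0,4,3,2,1,5,6,7,8,9]

def verhoeff_check_digit(digits: str) -> str:
    """Check digit to append to digits (positions counted from 1, rightmost digit first)."""
    c = 0
    for i, ch in enumerate(reversed(digits), start=1):
        c = _D[c][_P[i % 8][int(ch)]]
    return str(_INV[c])

def verhoeff_valid(number: str) -> bool:
    """True when the rightmost digit is a correct Verhoeff checksum over the rest."""
    c = 0
    for i, ch in enumerate(reversed(number)):
        c = _D[c][_P[i % 8][int(ch)]]
    return c == 0

def validate_aadhaar(value: str) -> bool:
    """12 digits, first digit 2-9, last digit a Verhoeff checksum (UIDAI format)."""
    v = re.sub(r"[\s-]", "", value)
    return bool(re.fullmatch(r"[2-9][0-9]{11}", v)) and verhoeff_valid(v)

def validate_pan(value: str) -> bool:
    """AAAAA9999A: five letters (4th is holder type, e.g. P for person), four digits, one letter."""
    return bool(re.fullmatch(r"[A-Z]{5}[0-9]{4}[A-Z]", value.strip().upper()))

def validate_indian_mobile(value: str) -> bool:
    """10 digits starting 6-9, optionally prefixed with +91, 91 or a trunk 0."""
    v = re.sub(r"[\s-]", "", value)
    return bool(re.fullmatch(r"(?:\+?91|0)?[6-9][0-9]{9}", v))

CHECKS = [("aadhaar", validate_aadhaar), ("pan", validate_pan), ("mobile", validate_indian_mobile)]

def classify_sample(records: list) -> dict:
    """Count records of a claimed leak sample that pass each format check (first match wins)."""
    counts = {name: 0 for name, _ in CHECKS}
    counts["unrecognised"] = 0
    for rec in records:
        kind = next((name for name, fn in CHECKS if fn(rec)), "unrecognised")
        counts[kind] += 1
    return counts

_BASE = "23456789012"  # constructed 11-digit prefix; check digit computed below
SAMPLE_RECORDS = [_BASE + verhoeff_check_digit(_BASE), "ABCDE1234F", "+91 98765 43210", "not-a-record"]
```

A sample whose Aadhaar-format values mostly fail the Verhoeff check is a strong sign of fabricated or mangled data rather than a genuine breach.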

Intelligence Cooperation Gap Analysis

India's intelligence apparatus operates within structural constraints that limit effective cooperation: civil-military boundaries, law enforcement-intelligence divides, state-central fragmentation, and cross-border coordination failures with non-cooperative jurisdictions.

Civil-Military Intelligence Barrier

CRITICAL

RAW intelligence on PLA did not reach tactical commanders at Galwan 2020

Impact: Strategic surprise, operational failure at critical moment

Intelligence-Law Enforcement Chasm

CRITICAL

RAW and NTRO cyber intel inadmissible in court; no fusion to prosecution

Impact: Attribution to court standard impossible; perpetrators go free

State-Central Information Asymmetry

HIGH

State police generate no cyber intel; consumers only of central agency output

Impact: No upward threat reporting; national picture fragmented

DIA-NTRO Technical Competition

HIGH

Competing SIGINT mandates create friction rather than fusion

Impact: Duplicated effort, episodic coordination only

60+ Day Cross-Border Coordination

HIGH

MLAT requests to non-cooperative jurisdictions take 60-180+ days

Impact: Cross-border attribution operationally useless

Quad/Five Eyes Information Shielding

MEDIUM

Partners share selectively; India receives processed intel, not raw

Impact: Attribution confidence reduced; operational timing delayed
Quad/Five Eyes Intelligence Sharing Limitations
Available Intelligence
Processed strategic intelligence products
Attribution assessments with confidence levels
Campaign tracking from Five Eyes collection
Infrastructure indicators from partner reporting
Information Not Shared
RAW source assets and methods
Specific SIGINT collection against China/Pakistan
Raw signal intercepts or human source product
US/UK NSA collection on Indian targets

India receives finished intelligence products, not raw collection. This reduces attribution confidence and delays operational timing by days to weeks.

Operational Security Requirements

MEDIUM
Client Data Segregation

Multi-tenant architecture validated for complete data isolation. Need-to-know access controls.

Source Protection

Compartmentalized storage, encryption at rest/transit. Source codes never in commercial cloud systems.

Incident Response Artifacts

Segregated IR systems separate from commercial TI platform. Never shared with TI vendors.

IT Act Compliance

Boundaries under Sections 43, 66F and 79 maintained. No unauthorized access to private systems.

DPDP Act Compliance

Minimize personal data collection. Handle incidental collection (dark web creds) per DPDP principles.

Legal Constraints

Intelligence Organisation Restriction of Rights Act (1985): Former intelligence officers cannot lawfully disclose specific information about intelligence operations. Official Secrets Act (1923): Collection creating perception of soliciting classified information creates legal risk.

OPSEC Best Practices

No human-network intelligence in systems accessible to commercial TI vendors. Source identities never in client-facing deliverables. Signal for sensitive-source communications. Encrypted storage, minimum AES-256. Dedicated VPN for all network communications.

Segment 24 | Operations Playbook - Intelligence Partners | CryptoMize Proprietary Research | March 2026