Unravelling AI-Generated Misinformation in the 'Delhi Chalo' Farmers' Protest

The race for global leadership in AI is in full force. As China and the US emerge as the ‘AI Superpowers’ in the world, the world grapples with the questions around AI governance, ethics, regulation, and safety. Some are calling this an ‘AI Arms Race.’ Most of the applications of these AI systems are in large language models for commercial use or military applications. Countries like Germany, Japan, France, Singapore, and India are now participating in this race and are not mere spectators. 

The Government of India’s Ministry of Electronics and Information Technology (MeitY) has launched the IndiaAI Mission, an umbrella program for the use and development of AI technology. This MeitY initiative lays the groundwork for supporting an array of AI goals for the country. The government has allocated INR 10,300 crore for this endeavour. This mission includes pivotal initiatives like the IndiaAI Compute Capacity, IndiaAI Innovation Centre (IAIC), IndiaAI Datasets Platform, IndiaAI Application Development Initiative, IndiaAI FutureSkills, IndiaAI Startup Financing, and Safe & Trusted AI.

There are several challenges and opportunities that India will have to navigate and capitalize on to become a significant player in the global AI race. The various components of India’s ‘AI Stack’ will have to work well in tandem to create a robust ecosystem that yields globally competitive results. The IndiaAI mission focuses on building large language models in vernacular languages and developing compute infrastructure. There must be more focus on developing good datasets and research as well.

Resource Allocation and Infrastructure Development

The government is focusing on building the elementary foundation for AI competitiveness. This includes the procurement of AI chips and compute capacity, about 10,000 graphics processing units (GPUs), to support India’s start-ups, researchers, and academics. These GPUs have been strategically distributed, with 70% being high-end newer models and the remaining 30% comprising lower-end older-generation models. This approach ensures that a robust ecosystem is built, which includes everything from cutting-edge research to more routine applications. A major player in this initiative is Yotta Data Services, which holds the largest share of 9,216 GPUs, including 8,192 Nvidia H100s. Other significant contributors include Amazon AWS's managed service providers, Jio Platforms, and CtrlS Datacenters. 

Policy Implications: Charting a Course for Tech Sovereignty and Self-reliance

With this government initiative, there is a concerted effort to develop indigenous AI models and reduce tech dependence on foreign players. There is a push to develop local Large Language Models and domain-specific foundational models, creating AI solutions that are truly Indian in nature and application. Many advanced chip manufacturing takes place in Taiwan, which has a looming China threat. India’s focus on chip procurement and GPUs speaks to a larger agenda of self-reliance and sovereignty, keeping in mind the geopolitical calculus. This is an important thing to focus on, however, it must not come at the cost of developing the technological ‘know-how’ and research. 

Developing AI capabilities at home also has national security implications. When it comes to defence systems, control over AI infrastructure and data becomes extremely important. The IndiaAI Mission will focus on safe and trusted AI, including developing frameworks that fit the Indian context. It has to be ensured that AI applications align with India's security interests and can be confidently deployed in sensitive defence applications.

The big problem here to solve here is the ‘data problem.’ There must be a focus on developing strategies to mitigate the data problem that disadvantages the Indian AI ecosystem. Some data problems are unique to India, such as generating data in local languages. While other problems are the ones that appear in every AI ecosystem development lifecycle namely generating publicly available data and licensed data. India must strengthen its ‘Digital Public Infrastructure’ and data commons across sectors and domains.

India has proposed setting up the India Data Management Office to serve as India’s data regulator as part of its draft National Data Governance Framework Policy. The MeitY IndiaAI expert working group report also talked about operationalizing the India Datasets Platform and suggested the establishment of data management units within each ministry.

Economic Impact: Growth and Innovation

The government’s focus on technology and industry has far-reaching economic implications. There is a push to develop the AI startup ecosystem in the country. The IndiaAI mission heavily focuses on inviting ideas and projects under its ambit. The investments will strengthen the IndiaAI startup financing system, making it easier for nascent AI businesses to obtain capital and accelerate their development from product to market. Funding provisions for industry-led AI initiatives that promote social impact and stimulate innovation and entrepreneurship are also included in the plan. The government press release states, "The overarching aim of this financial outlay is to ensure a structured implementation of the IndiaAI Mission through a public-private partnership model aimed at nurturing India’s AI innovation ecosystem.”

The government also wants to establish India as a hub for sustainable AI innovation and attract top AI talent from across the globe. One crucial aspect that needs to be worked on here is fostering talent and skill development. India has a unique advantage, that is, top-tier talent in STEM fields. Yet we suffer from a severe talent gap that needs to be addressed on a priority basis. Even though India is making strides in nurturing AI talents, out-migration of tech talent is still a reality. Once the hardware manufacturing “goods-side” of economics transitions to service delivery in the field of AI globally, India will need to be ready to deploy its talent. Several structural and policy interfaces, like the New Education Policy and industry-academic partnership frameworks, allow India to capitalize on this opportunity. 

India’s talent strategy must be robust and long-term, focusing heavily on multi-stakeholder engagement. The government has a pivotal role here by creating industry-academia interfaces and enabling tech hubs and innovation parks.

India's Position in the Global AI Race

India’s foreign policy and geopolitical standpoint have been one of global cooperation. This must not change when it comes to AI. Even though this has been dubbed as the “AI Arms Race,” India should encourage worldwide collaboration on AI R&D through collaboration with other countries in order to strengthen its own capabilities. India must prioritise more significant open-source AI development, work with the US, Europe, Australia, Japan, and other friendly countries to prevent the unethical use of AI and contribute to the formation of a global consensus on the boundaries for AI development. 

The IndiaAI Mission will have far-reaching implications for India’s diplomatic and economic relations. The unique proposition that India comes with is its ethos of inclusivity, ethics, regulation, and safety from the get-go. We should keep up the efforts to create a powerful voice for the Global South in AI. The IndiaAI Mission marks a pivotal moment in India's technological journey. Its success could not only elevate India's status as a tech leader but also serve as a model for other nations looking to harness the power of AI for national development and global competitiveness. In conclusion, the IndiaAI Mission seeks to strengthen India's position as a global leader in AI, promote technological independence, guarantee the ethical and responsible application of AI, and democratise the advantages of AI at all societal levels.

References

• ​​Ashwini Vaishnaw to launch IndiaAI portal, 10 firms to provide 14,000 GPUs. (2025, February 17). https://www.business-standard.com/. Retrieved February 25, 2025, from https://www.business-standard.com/industry/news/indiaai-compute-portal-ashwini-vaishnaw-gpu-artificial-intelligence-jio-125021700245_1.html
• Global IndiaAI Summit 2024 being organized with a commitment to advance responsible development, deployment and adoption of AI in the country. (n.d.). https://pib.gov.in/PressReleaseIframePage.aspx?PRID=2029841
• India to Launch AI Compute Portal, 10 Firms to Supply 14,000 GPUs. (2025, February 17). apacnewsnetwork.com. https://apacnewsnetwork.com/2025/02/india-to-launch-ai-compute-portal-10-firms-to-supply-14000-gpus/
• INDIAai | Pillars. (n.d.). IndiaAI. https://indiaai.gov.in/
• IndiaAI Innovation Challenge 2024 | Software Technology Park of India | Ministry of Electronics & Information Technology Government of India. (n.d.). http://stpi.in/en/events/indiaai-innovation-challenge-2024
• IndiaAI Mission To Deploy 14,000 GPUs For Compute Capacity, Starts Subsidy Plan. (2025, February 17). www.businessworld.in. Retrieved February 25, 2025, from https://www.businessworld.in/article/indiaai-mission-to-deploy-14000-gpus-for-compute-capacity-starts-subsidy-plan-548253
• India’s interesting AI initiatives in 2024: AI landscape in India. (n.d.). IndiaAI. https://indiaai.gov.in/article/india-s-interesting-ai-initiatives-in-2024-ai-landscape-in-india
• Mehra, P. (2025, February 17). Yotta joins India AI Mission to provide advanced GPU, AI cloud services. Techcircle. https://www.techcircle.in/2025/02/17/yotta-joins-india-ai-mission-to-provide-advanced-gpu-ai-cloud-services/
• IndiaAI 2023: Expert Group Report – First Edition. (n.d.). IndiaAI. https://indiaai.gov.in/news/indiaai-2023-expert-group-report-first-edition
• Satish, R., Mahindru, T., World Economic Forum, Microsoft, Butterfield, K. F., Sarkar, A., Roy, A., Kumar, R., Sethi, A., Ravindran, B., Marchant, G., Google, Havens, J., Srichandra (IEEE), Vatsa, M., Goenka, S., Anandan, P., Panicker, R., Srivatsa, R., . . . Kumar, R. (2021). Approach Document for India. In World Economic Forum Centre for the Fourth Industrial Revolution, Approach Document for India [Report]. https://www.niti.gov.in/sites/default/files/2021-02/Responsible-AI-22022021.pdf
• Stratton, J. (2023, August 10). Those who solve the data dilemma will win the A.I. revolution. Fortune. https://fortune.com/2023/08/10/workday-data-ai-revolution/
• Suri, A. (n.d.). The missing pieces in India’s AI puzzle: talent, data, and R&D. Carnegie Endowment for International Peace. https://carnegieendowment.org/research/2025/02/the-missing-pieces-in-indias-ai-puzzle-talent-data-and-randd?lang=en
• The AI arms race. (2024, February 13). Financial Times. https://www.ft.com/content/21eb5996-89a3-11e8-bf9e-8771d5404543

‍

Introduction

A zero-click cyber attack solely relies on software and hardware flaws, bypassing any human factor to infect a device and take control over its data. It is almost impossible to discover the attack and know that the device is hacked unless someone on your side is closely monitoring your network traffic data.

At Kaspersky, security analysts used their SIEM solution KUMA to monitor their corporate WiFi network traffic and discovered this mysterious attack. They took necessary actions to investigate it and even went a step further to dive right into the action and uncover the entire attack chain.

A few months ago, Kaspersky shared their findings about this attack on iOS devices. They shared how these zero-click vulnerabilities were being exploited by the attackers and called this attack ‘Operation Triangulation’.

A zero-click exploit in the network

Kaspersky detected a zero-click attack on the iPhones of their colleagues while monitoring their corporate WiFi network traffic. They managed to get detailed information on all the stages of the attack by simply identifying a pattern in the domain names flowing through their network. Although the attackers were quite experienced, their mistakes helped Kaspersky detect critical vulnerabilities in all iOS devices.

The name-pattern

These previously unsuspected domains had a similar name-style which consisted of two names and ended with ‘.com’, such as ‘backuprabbit.com’ and ‘cloudsponcer.com’. They were used in pairs, one for an exportation process and the other served as a command and control server. These domains showed high outbound traffic, they were registered with NameCheap and protected with Cloudflare.

The network pattern

Each time a connection to these suspicious domains was made, it was preceded by an iMessage connection which indicated these domains are being accessed by iOS devices. It was observed that the devices connected to these domains, downloaded attachments, performed a few requests to a first level domain which was an exploitation framework server, then made regular connections with the second level domain which was a command and control server controlled by the attackers.

Getting more information

To get more information about the attack all the infected devices were collected and backed up after carefully informing the device owners. Although the attackers had managed to clean their artefacts, the backed up data was used to perform digital forensic procedures and find traces of the attacks. This helped Kaspersky to figure out how the infection might be taking place.

The attacker’s mistakes

The attackers deleted all the attachment files and exploits but did not delete the modified SMS attachment folder. That folder had no files left inside it. The attackers removed evidence from other databases as well, like the ‘SMS.db’ database, however another database called ‘datausage.sqlite’ was not sanitised.

The ‘datausage.sqlite’ database is the most important database when it comes to iOS forensics as its contents can be used to track applications and network usage. Upon examination of this database, a process logged as ‘BackupAgent’ was found to be making network connections at the same time the device was making connections to the suspicious domains.

The indicator of compromise

‘BackupAgent’ stood out in this scenario because although it is a legitimate binary, it has been deprecated since iOS4 and it should not have been making any network connections. This identified the ‘BackupAgent’ process as the first solid indicator of compromise in Operation Triangulation. The indicator is termed as- ‘Data usage by process BackupAgent’, and was used to determine if any specific device was infected.

Taking it a step ahead

The team at Kaspersky successfully identified the indicator of compromise and determined which devices were infected, but as the attackers were experienced enough to delete their payloads, they decided to set a trap and perform a man-in-the-middle attack. When they did, the attackers were unable to detect it.

The man-in the-middle attack

Kaspersky prepared a server with ‘WireGuard’ and ‘mitmproxy’. They installed root certificates on devices that could be used as targets for the attackers and routed all the network traffic to that server. They also developed a ‘Telegram’ bot to notify them about new infections as they decrypted the network traffic.

Setting up a bot proved to be an effective way of real time monitoring while modifying all the network packets on-the-fly with ‘mitmproxy’, this gave them unlimited power! Their trap was successful in capturing a payload sent by the attackers and it was analysed in detail.

The name was in the payload

The payload was an HTML page with obfuscator javascript which performed various code checks and canvas footprinting. It rendered a yellow triangle and calculated its hash value. This is why the operation was named Operation Triangulation.

The team at Kaspersky started cracking various layers of asymmetric cryptography with regular expressions. They patched the stages one-by-one on the fly to move the logic from each stage to ‘mitmproxy’ and finally implemented a 400 line ‘mitmproxy’ add-on. This add-on decrypted all the validators, exploits, spyware and additional modules.

The mystery 

It is remarkable how Kaspersky detected the attack and identified multiple vulnerabilities, set up a trap to capture a payload and decrypted it completely. They shared all their findings with the device manufacturer and Apple responded by sending out a security patch update addressing four zero-day vulnerabilities. 

A zero-click vulnerability

Traditionally any spyware relies on the user to to click on a compromised link or file to initiate the infection. However a zero-click vulnerability is a specific flaw in the device software or hardware that the attacker can use to infect the device without the need for a click or tap from the user.

The vulnerabilities identified

1. Tricky Font Flaw (CVE-2023-41990): A clandestine method involving the manipulation of font rendering on iPhones, akin to a secret code deciphered by the attackers.Apple swiftly addressed this vulnerability in versions iOS 15.7.8 and iOS 16.3.

2. Kernel Trick (CVE-2023-32434): Exploiting a hidden language understood only by the iPhone's core, the attackers successfully compromised the kernel's integrity.Apple responded with fixes implemented in iOS 15.7.7, iOS 15.8, and iOS 16.5.1.

3. Web Sneakiness (CVE-2023-32435): Leveraging a clever ploy in the interpretation of web content by iPhones, the attackers manipulated the device's behaviour.Apple addressed this vulnerability in iOS 15.7.7 and iOS 16.5.1.

4. Kernel Key (CVE-2023-38606): The pinnacle of the operation, the attackers discovered a covert method to tamper with the iPhone's core, the kernel.Apple responded with a fix introduced in iOS 16.6, thwarting the intrusion into the most secure facets of the iPhone

Still, how these attackers were able to find this critical vulnerability in a device which stands out for it’s security features is still unknown.

CyberPeace Advisory

Zero-click attacks are a real threat, but you can defend yourself. Being aware of the risks and taking proactive steps can significantly reduce vulnerability. Regularly installing the latest updates for your operating system, apps, and firmware helps patch vulnerabilities before attackers can exploit them.

• Keep your software updated as they contain crucial security patches that plug vulnerabilities before attackers can exploit them.
• Use security software to actively scan for suspicious activity and malicious code, acting as a first line of defence against zero-click intrusions.
• Be cautious with unsolicited messages if the offer seems too good to be true or the link appears suspicious as it can contain malware that can infect your device.
• Disable automatic previews as it can potentially trigger malicious code hidden within the content.
• Be mindful of what you install and avoid unverified apps and pirated software, as they can be Trojan horses laden with malware.
• Stay informed about the latest threats and updates by following reliable news sources and security blogs to stay ahead of the curve, recognize potential zero-click scams and adjust your behaviour accordingly.

Check out our (advisory report)[add report link] to get in depth information.

Conclusion

Operation Triangulation stands as a testament to the continuous cat-and-mouse game between cybercriminals and tech giants. While the covert spy mission showcased the vulnerabilities present in earlier iPhone versions, Apple's prompt response underscores the commitment to user security. As the digital landscape evolves, vigilance, timely updates, and collaborative efforts remain essential in safeguarding against unforeseen cyber threats.

References:

1. Operation Triangulation: iOS devices targeted with previously unknown malware | Securelist, 1 June, 2023
2. Operation Triangulation: The last (hardware) mystery | Securelist, 27 December, 2023.
3. 37C3 - Operation Triangulation: What You Get When Attack iPhones of Researchers (youtube.com), 29 December,2023

Introduction

In the sprawling online world, trusted relationships are frequently taken advantage of by cybercriminals seeking to penetrate guarded systems. The Watering Hole Attack is one advanced method, which focuses on a user’s ecosystem by compromising the genuine sites they often use. This attack method is different from phishing or direct attacks as it quietly exploits the everyday browsing of the target to serve malicious content. The quiet and exact nature of watering hole attacks makes them prevalent amongst Advanced Persistent Threat (APT) groups, especially in conjunction with state-sponsored cyber-espionage operations.

‍

What Qualifies as a Watering Hole Attack?  

A Watering Hole Attack targets and infects a trusted website. The targeted website is one that is used by a particular organization or community, such as a specific industry sector. This type of cyberattack is analogous to the method of attack used by animals and predators waiting by the water’s edge for prey to drink. Attackers prey on their targets by injecting malicious code, such as an exploit kit or malware loader, into websites that are popular with their victims. These victims are then infected when they visit said websites unknowingly. This opens as a gateway for attackers to infiltrate corporate systems, harvest credentials, and pivot across internal networks. 

‍

How Watering Hole Attacks Unfold

The attack lifecycle usually progresses as follows:

• Reconnaissance - Attackers gather intelligence on the websites frequented by the target audience, including specialized communities, partner websites, or local news sites.  
• Website Exploitation - Through the use of outdated CMS software and insecure plugins, attackers gain access to the target website and insert malicious code such as JS or iframe redirections.  
• Delivery and Exploitation - The visitor’s browser executes the malicious code injected into the page. The code might include a redirection payload which sends the user to an exploit kit that checks the user’s browser, plugins, operating system, and other components for vulnerabilities.  
• Infection and Persistence - The infected system malware such as RATs, keyloggers, or backdoors. These enable lateral and long-term movements within the organisation for espionage.  
• Command and Control (C2) - For further instructions, additional payload delivery, and stolen data retrieval, infected devices connect to servers managed by the attackers.

‍

Key Features of Watering Hole Attacks  

• Indirect Approach: Instead of going after the main target, attackers focus on sites that the main target trusts.  
• Supply-Chain-Like Impact: An infected industry portal can affect many companies at the same time.  
• Low Profile: It is difficult to identify since the traffic comes from real websites.  
• Advanced Customization: Exploit kits are known to specialize in making custom payloads for specific browsers or OS versions to increase the chance of success.  

‍

Why Are These Attacks Dangerous?  

Worming hole attacks shift the battlefield to new grounds in cyber warfare on the web. They eliminate the need for firewalls, email shields, and other security measures because they operate on the traffic to and from real, trusted websites. When the attacks work as intended, the following consequences can be expected:  

• Stealing Credentials: Including privileged accounts and VPN credentials.  
• Espionage: Theft of intellectual property, defense blueprints, or government confidential information.  
• Supply Chain Attacks: Resulting in a series of infections among related companies.  
• Zero-Day Exploits: Including automated attacks using zero-day exploits for full damage.

‍

Incidents of Primary Concern  

The implications of watering hole attacks have been felt in the real world for quite some time. An example from 2019 reveals this, where a known VoIP firm’s site was compromised and used to spread data-stealing malware to its users. Likewise, in 2014, the Operation Snowman campaign—which seems to have a state-backed origin—attempted to infect users of a U.S. veterans’ portal in order to gain access to visitors from government, defense, and related fields. Rounding up the list, in 2021, cybercriminals attacked regional publications focusing on energy, using the publications to spread malware to company officials and engineers working on critical infrastructure, as well as to steal data from their systems. These attacks show the widespread and dangerous impact of watering hole attacks in the world of cybersecurity.

‍

Detection Issues  

Due to the following reasons, traditional approaches to security fail to detect watering hole attacks:  

• Use of Authentic Websites: Attacks involving trusted and popular domains evade detection via blacklisting.  
• Encrypted Traffic: Delivering payloads over HTTPS conceals malicious scripts from being inspected at the network level.  
• Fileless Methods: Using in-memory execution is a modern campaign technique, and detection based on signatures is futile.

‍

Mitigation Strategies

To effectively neutralize the threat of watering hole attacks, an organization should implement a defense-in-depth strategy that incorporates the following elements:

1. Patch Management and Hardening - 

• Conduct routine updates on operating systems, web browsers, and extensions to eliminate exploit opportunities. 
• Either remove or reduce the use of high-risk elements such as Flash and Java, if feasible. 

2. Network Segmentation - Minimize lateral movement by isolating critical systems from the general user network.
3. Behavioral Analytics - Implement Endpoint Detection and Response (EDR) tools to oversee unusual behaviors on processes—for example, script execution or dubious outgoing connections. 
4. DNS Filtering and Web Isolation - Implement DNS-layer security to deny access to known malicious domains and use browser isolation for dangerous sites. 
5. Threat Intelligence Integration - Track watering hole threats and campaigns for indicators of compromise (IoCs) on advisories and threat feeds.
6. Multi-Layer Email and Web Security - Use web gateways integrated with dynamic content scanning, heuristic analysis, and sandboxing. 
7. Zero Trust Architecture - Apply least privilege access, require device attestation, and continuous authentication for accessing sensitive resources.

‍

Incident Response Best Practices 

• Forensic Analysis: Check affected endpoints for any mechanisms set up for persistence and communication with C2 servers. 
• Log Review: Look through proxy, DNS, and firewall logs to detect suspicious traffic. 
• Threat Hunting: Search your environment for known Indicators of Compromise (IoCs) related to recent watering hole attacks. 
• User Awareness Training: Help employees understand the dangers related to visiting external industry websites and promote safe browsing practices. 

‍

The Immediate Need for Action

The adoption of cloud computing and remote working models has significantly increased the attack surface for watering hole attacks. Trust and healthcare sectors are increasingly targeted by nation-state groups and cybercrime gangs using this technique. Not taking action may lead to data leaks, legal fines, and break-ins through the supply chain, which damage the trustworthiness and operational capacity of the enterprise.

‍

Conclusion  

Watering hole attacks demonstrate how phishing attacks evolve from a broad attack to a very specific, trust-based attack. Protecting against these advanced attacks requires the zero-trust mindset, adaptive defenses, and continuous monitoring, which is multicentral security. Advanced response measures, proactive threat intelligence, and detection technologies integration enable organizations to turn this silent threat from a lurking predator to a manageable risk.

‍

References

• https://www.fortinet.com/resources/cyberglossary/watering-hole-attack
• https://en.wikipedia.org/wiki/Watering_hole_attack
• https://www.proofpoint.com/us/threat-reference/watering-hole
• https://www.techtarget.com/searchsecurity/definition/watering-hole-attack

‍