Researchers have uncovered a large and sophisticated cyber attack infrastructure that appears to have originated in India.

A group of attackers, based in India seem to have employed multiple developers to deliver specific malware for private threat actors, according to a report by malware analysis firm Norman Shark.

The report said the attacks, conducted over a period of three years and still ongoing, showed no evidence of state-sponsorship.

The primary purpose of the global command-and-control network is intelligence gathering from a combination of national security targets and private sector companies.

“The organisation appears to have the resources and the relationships in India to make surveillance attacks possible anywhere in the world,” said Snorre Fagerland, head of research for Norman Shark labs.

“What is surprising is the extreme diversity of the sectors targeted, including natural resources, telecommunications, law, food and restaurants, and manufacturing,” he said.

Fagerland believes it is unlikely that this organisation of hackers would be conducting industrial espionage for just its own purposes.

The investigation revealed evidence of professional project management practices used to design frameworks, modules and subcomponents.

It seems that individual malware authors were assigned certain tasks and components were “outsourced” to what appear to be freelance programmers.

“Something like this has never been documented before," said Fagerland, adding that the discovery is under investigation by national and international authorities.

Researchers made the discovery while investigating data breaches at Norwegian telecommunications company Telenor.

Fagerland said the amount of malware found by Norman analysts and their partners was surprisingly large and it became clear the Telenor intrusion was not a single attack, but part of a continuous effort to compromise governments and corporations worldwide.

Analysis of IP addresses collected from criminal data stores showed that attacks targeted victims in more than a dozen countries.

Specific targets included government, military and business organisations, with attacks relying on well-known vulnerabilities in Java, Word documents and web browsers rather than unknown vulnerabilities.

Attribution to India is based on an extensive analysis of IP addresses, website domain registrations and text-based identifiers contained within the malicious code.

“This type of activity has been associated primarily with China, but to our knowledge, this is the first time that evidence of cyber espionage has shown to be originating from India,” said Fagerland.