Breaking: Large-scale Indian Cyber Attack on Pakistan for Intelligence Gathering Gets Uncovered

Large Scale Indian Cyber Attack for Intelligence Gathering from Pakistani Computers Gets Uncovered
Part of a PDF decoy from one of the malicious installers (md5 06e80767048f3edefc2dea301924346c).

In a shocking development, a large scale cyber attack at Pakistan – aimed at gathering military scale, government and corporate data – emanating from India has been uncovered by Norman, a global security leader in malware analysis for enterprises.

Norman Securities, based out of Oslo, Norway, in its report titled “Unveiling an Indian Cyber-attack Infrastructure”, said that Indian cyber attack aimed at Pakistan and other countries could be as old as three years or close to four years.

Report said that this large and sophisticated cyber-attack infrastructure, dubbed as Operation Hangover, originated from India and is aimed at collecting military-scale data, government information and corporate data.

Norman said that primary purpose of the global command-and-control network – used in the attack – appears to be intelligence gathering from a combination of national security targets and private sector companies.

“The data we have appears to indicate that a group of attackers based in India may have employed multiple developers tasked with delivering specific malware,” commented Snorre Fagerland, head of research for Norman Shark labs in Oslo, Norway.

“The organization appears to have the resources and the relationships in India to make surveillance attacks possible anywhere in the world. What is surprising is the extreme diversity of the sectors targeted, including natural resources, telecommunications, law, food and restaurants, and manufacturing. It is highly unlikely that this organization of hackers would be conducting industrial espionage for just its own purposes—which makes this of considerable concern.”

The investigation revealed evidence of professional project management practices used to design frameworks, modules, and subcomponents. It seems that individual malware authors were assigned certain tasks, and components were “outsourced” to what appear to be freelance programmers. “Something like this has never been documented before,” Fagerland added.

The discovery is currently under investigation by national and international authorities.

Norman said that tips on discovery of Indian Cyber Attack were first hinted when Telenor registered a complaint with Norwegian police for illegal computer intrusion into its computers.

Report said that major method for infecting computers included injecting a word file embedded with malware code. Upon opening the file, the malware code gets executed and infects the computer.

It merits mentioning here that China and USA have been using such techniques in past to gather intelligence from various countries. STUXNET and Flame were two such American-developed viruses to infect Iranian nuclear program and to gather intelligence from Middle Eastern countries.

More details on Indian cyber attack are given below:

Cyberattack Objectives

The primary purpose of this long-running, global command-and-control net-work appears to be surveillance against national security interests, said Norman. Private-sector industrial espionage in fields as diverse as natural resources, telecommunications, law, food & restaurants, and manufacturing is likely a secondary purpose of this network.

Target Selection

Based on analysis of IP addresses collected from criminal data stores discovered during the investigation, it appears that potential victims have been targeted in over a dozen countries, most heavily represented by Pakistan, Iran, and the United States. Targets include government, military, and civilian organizations

Highly-Targeted Social Engineering Tactics

Spear phishing to carefully-selected target individuals was the primary attack vector identified in the investigation. The attackers went to great lengths to make the social engineering aspects of the attack appear as credible and applicable as possible.

In many cases, decoy files and websites were used, specifically geared to the particular sensibilities of regional targets including cultural and religious subject matter. Victims would click on what appeared to be an interesting document, and begin the long-running infection cycle.

Exploit Tools and Techniques

Despite all of the recent media attention on so-called “zero-day” exploits en-compassing brand new, never-before-seen attack methods, Operation Hangover appears to have relied exclusively upon well-known, previously identified vul-nerabilities in Java, Word documents, and web browsers.

Major methods include documents infected with malicious code, along with direction to malicious websites with names deliberately similar to legitimate government, entertainment, security related, and commercial sites. Often the user would be presented with a legitimate document or software download they were expecting to see, along with an unseen malicious download.

Infrastructure Development

Operation Hangover utilizes a very extensive and sophisticated command-and-control infrastructure, likely developed over many months or years by numerous developers. Norman said that its investigation revealed evidence of professional project management practices used to design frameworks, modules, and sub-components. Individual malware authors were assigned certain tasks, and components were “outsourced” to what appear to be freelance programmers.

Attribution of Responsibility

In recent months, much focus has been on China – including both state-sponsored and individual actors – but Operation Hangover contains notable hallmarks of originating exclusively in India. Norman said that it is naming India with very high degree of confidence based on extensive analysis of IP addresses, web-site domain registrations, and text-based identifiers contained within the malicious code itself.

All indications point to private syndicates of threat actors following their own motivations, with no direct evidence of state-sponsorship by the Indian government or by any other nation.

Complete report by Norman uncovering Indian Cyber Attacks can be viewed here.

Tech reporter with over 10 years of experience, founder of ProPakistani.PK

  • Zain

    and the cyber gorilla war is to begin!!

    • Ali

      i think you mean ‘guerrilla’

      • Zain

        yep sorry for spellings mistake!!

      • LifeH2O

        desi english spell cheker troll

        • Sam

          I think you mean ‘checker’.

          • LifeH2O

            troll proved

  • AbdullahK

    It has been begun! But we are Pakistani, We need Food, Food, Food and
    Food….. Luxury and only Luxury…. We are men not soldiers…. Our
    enemy are only Taliban, (whom we attacked only and only on American
    Order….) and except them, The Israil, America (whose Agents are
    arrested red handed), Baharat (Aman ki Aasha) Iran (Who have openly
    supported Shia Terrorists in Karachi, Quetta and Gilgit and have dealt
    with PPP and MQM for accepting Gas Project, which will at last make
    Pakistan more weak) and other Anti-Pakistan and Anti Islam Countries are
    our beloved Friends.

    • Waqas Ahmad Khan


    • m ali khan

      a broud son of al-Bakistan

    • Hassaan

      What about Saudi? Who are funding Taliban & target killings against Shia?
      What dangers gas project from Iran has for Pakistan?

    • a pakistani

      Abdullah bahi aap to ghusa ker gay :) hamara masla Bijli bhi to hai :) and since you jumped into conclusion yrself, kidnly do identify the role of Saudi and Lebanon’s govt :) aap kay jawab ka intezar rehay ga :)

    • Raja Umar

      abdullahk u really know anything at all?? or just wanted to BS because unlike most people here, u dint have enough GK which led u to say just anything because u also wanted to participate :P??? a word of advise brother…whether u need it or not i dont care :P… plz start watching news/current affairs as much as u can…instead of wasting all your precious time in listening to those fake (saudi funded) mullas in terrorism-generating/taliban-influenced madrasaas!!! u’ll do urself a great favor really man….

    • saliraza

      Do you have any evidence for the shit you split about Iran? IF NO than you don’t have right to speak about someone’s sect/religion nation or country. IF Shia are the Terrorists than who is killing them in Karachi and Quetta? Do you mean they are killing them self? Come on man Don’t make your judgement without logical evidence. Thanks for understanding

  • prwansome

    Well, if they have developed such techniques to intrude, and just gather data, how about this that we have gathered Blueprints of the Indian Missile ranges to the Russian Based Torpedoes to Their Telecom Structures?

    What more , the thing is , they get uncovered, and we sneak in, find and self-destruct…. We are Pakistani, if we have developed World’s first virus, surely, we can develop the least one too…

    So don’t worry… We are there aswell :)

  • S.A.Khan

    @AbdullahK If you count Iran for supporting Shia terrorists then don’t forget to mention Saudia for supporting Wahabi extremists in Pakistan (Sipah Sahaba, Lashkar e jhangwi)

  • Taha Ali Adil

    I know some of the companies who are solding Andriod & Iphone Spying
    Application In Pakistan which was developed in India – Retired Indian ARMY Personals CEO.

  • It’s a matter of great concern that very few companies, private or public, even know about Information and IT Security.

    Most companies run pirated software, install anything from the internet and have no access controls. They even install pirated anti virus.

    These attackers need access to machines, which they gain from injecting nefarious code into well known software (Windows, Office, Adobe etc).

    There are free alternatives available that work just as good and don’t come with the risk of malware.

    Pakistani businesses need to realize that there is dire need of Information security protocols.

    M Umair

    • Umair,
      Yes you’ve pointed the path. But who will “ensure” these companies take such precautions?
      Our government is “very” busy in playing politics. They are the champs of politics!
      A proper system is what we need in this matter. Why as a company I’d spend millions of $$$ on these? ONLY if the government asks me to.

  • Muhammad Waqas

    hahahahaha guy. for your kind info . Armed forces are not connected to any public network. dont worry

    • Waqas

      No, don’t be so sure.