In a shocking development, a large-scale cyber attack on Pakistan – aimed at gathering military-scale, government and corporate data – emanating from India has been uncovered by Norman, a global security leader in malware analysis for enterprises.
Norman Securities, based in Oslo, Norway, said in its report titled “Unveiling an Indian Cyber-attack Infrastructure” that the Indian cyber attack aimed at Pakistan and other countries could be as old as three years, or close to four.
The report said that this large and sophisticated cyber-attack infrastructure, dubbed Operation Hangover, originated from India and is aimed at collecting military-scale data, government information and corporate data.
Norman said that the primary purpose of the global command-and-control network used in the attack appears to be intelligence gathering from a combination of national security targets and private-sector companies.
“The data we have appears to indicate that a group of attackers based in India may have employed multiple developers tasked with delivering specific malware,” commented Snorre Fagerland, head of research for Norman Shark labs in Oslo, Norway.
“The organization appears to have the resources and the relationships in India to make surveillance attacks possible anywhere in the world. What is surprising is the extreme diversity of the sectors targeted, including natural resources, telecommunications, law, food and restaurants, and manufacturing. It is highly unlikely that this organization of hackers would be conducting industrial espionage for just its own purposes—which makes this of considerable concern.”
The investigation revealed evidence of professional project management practices used to design frameworks, modules, and subcomponents. It seems that individual malware authors were assigned certain tasks, and components were “outsourced” to what appear to be freelance programmers. “Something like this has never been documented before,” Fagerland added.
The discovery is currently under investigation by national and international authorities.
Norman said that the first hints of the Indian cyber attack came when Telenor registered a complaint with Norwegian police over an illegal computer intrusion into its systems.
The report said that the main method of infecting computers was a Word file with embedded malicious code. When the file is opened, the malicious code executes and infects the computer.
It merits mentioning here that China and the USA have used such techniques in the past to gather intelligence from various countries. Stuxnet and Flame were two such American-developed viruses, used to infect the Iranian nuclear program and to gather intelligence from Middle Eastern countries.
More details on the Indian cyber attack are given below:
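A defender's first question about a document like the one described above is whether it carries anything beyond text. The following triage routine is an added example, not code from the report or from Norman; it uses only the Python standard library and checks the two file formats a Word attachment can take: a legacy OLE2 binary (.doc) and an OOXML zip (.docx/.docm), where it looks for a VBA project, embedded OLE objects, ActiveX parts and relationship entries that point at external targets. The sample document is constructed in memory, and the part names and flag strings are this example's own conventions.

```python
import io
import zipfile

# Magic bytes of an OLE2 compound file (legacy .doc, and embedded OLE objects)
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
ZIP_MAGIC = b"PK\x03\x04"
# OOXML parts whose presence means the document carries code or embedded objects
SUSPICIOUS_PARTS = ("word/vbaProject.bin", "word/embeddings/", "word/activeX/")


def triage_document(data: bytes) -> dict:
    """Summarise why an Office document deserves a closer look (format checks only)."""
    findings = {"format": "unknown", "flags": []}
    if data.startswith(OLE_MAGIC):
        # Legacy binary format: macros and OLE payloads cannot be ruled out without
        # a full container parse, so flag it for deeper analysis.
        findings["format"] = "ole2"
        findings["flags"].append("legacy-binary-doc")
        return findings
    if not data.startswith(ZIP_MAGIC):
        return findings
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        findings["flags"].append("bad-zip")
        return findings
    findings["format"] = "ooxml"
    for name in zf.namelist():
        if any(name.startswith(part) for part in SUSPICIOUS_PARTS):
            findings["flags"].append("active-content:" + name)
        if name.endswith(".rels"):
            # Relationship files with TargetMode="External" point outside the
            # document (remote templates, linked OLE objects), a common delivery path.
            rels = zf.read(name).decode("utf-8", errors="replace")
            if 'TargetMode="External"' in rels:
                findings["flags"].append("external-relationship:" + name)
    return findings


def build_sample_docx(with_macro: bool = False, with_external_link: bool = False) -> bytes:
    """Construct a minimal OOXML container for demonstration (not a real Word file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        external = ""
        if with_external_link:
            # Placeholder target; the hostname is deliberately unresolvable.
            external = ('<Relationship Id="rId1" Type="attachedTemplate" '
                        'Target="http://placeholder.invalid/t.dotm" TargetMode="External"/>')
        zf.writestr("word/_rels/settings.xml.rels",
                    "<Relationships>" + external + "</Relationships>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", OLE_MAGIC + b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_document(build_sample_docx()))
    print(triage_document(build_sample_docx(with_macro=True, with_external_link=True)))
```

A clean document produces no flags; the constructed one with a VBA project and an external template relationship produces one flag for each. This is a triage filter, not a verdict: a flagged file goes to sandbox or manual analysis, and a clean result only means the cheap structural indicators are absent.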
The primary purpose of this long-running, global command-and-control network appears to be surveillance against national security interests, said Norman. Private-sector industrial espionage in fields as diverse as natural resources, telecommunications, law, food & restaurants, and manufacturing is likely a secondary purpose of this network.
Based on analysis of IP addresses collected from criminal data stores discovered during the investigation, it appears that potential victims have been targeted in over a dozen countries, most heavily represented by Pakistan, Iran, and the United States. Targets include government, military, and civilian organizations.
Highly-Targeted Social Engineering Tactics
Spear phishing to carefully-selected target individuals was the primary attack vector identified in the investigation. The attackers went to great lengths to make the social engineering aspects of the attack appear as credible and applicable as possible.
In many cases, decoy files and websites were used, specifically geared to the particular sensibilities of regional targets including cultural and religious subject matter. Victims would click on what appeared to be an interesting document, and begin the long-running infection cycle.
Exploit Tools and Techniques
Despite all of the recent media attention on so-called “zero-day” exploits encompassing brand new, never-before-seen attack methods, Operation Hangover appears to have relied exclusively upon well-known, previously identified vulnerabilities in Java, Word documents, and web browsers.
Major methods include documents infected with malicious code, along with direction to malicious websites with names deliberately similar to legitimate government, entertainment, security related, and commercial sites. Often the user would be presented with a legitimate document or software download they were expecting to see, along with an unseen malicious download.
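Sites with names "deliberately similar to legitimate" ones are something a proxy or DNS log review can surface. The script below is an added example, not part of the report or of Norman's tooling: it extracts hostnames from constructed proxy log lines and compares each against a list of domains the organisation expects to see, flagging confusable-character substitutions (0/o, 1/l, rn/m, vv/w), small edit distances, and legitimate names embedded as subdomains of an unrelated domain. The known-good list, the log format and the `.example`/`.invalid` hostnames are all assumptions made for the example.

```python
import re

# Domains the organisation expects its users to reach (constructed list)
KNOWN_GOOD = ["mod.gov.example", "news.example", "antivirus-vendor.example"]

# Character swaps that make a hostname look like another at a glance
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}

# Constructed proxy log lines: timestamp, client, method, URL, status
LOG_LINES = [
    "2013-05-20T10:01:02Z 10.0.0.5 GET http://news.example/story/42 200",
    "2013-05-20T10:03:11Z 10.0.0.7 GET http://nevvs.example/update.exe 200",
    "2013-05-20T10:04:40Z 10.0.0.9 GET http://mod-gov.example/report.doc 200",
    "2013-05-20T10:05:00Z 10.0.0.9 GET http://m0d.gov.example/report.doc 200",
    "2013-05-20T10:06:00Z 10.0.0.3 GET http://antivirus-vendor.example/defs.dat 200",
]

HOST_RE = re.compile(r"\b(?:GET|POST)\s+(?:https?://)?([^/\s:]+)")


def normalize(host: str) -> str:
    """Fold confusable characters and hyphens so look-alikes compare equal."""
    s = host.lower()
    for bad, good in CONFUSABLES.items():
        s = s.replace(bad, good)
    return s.replace("-", "")


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute) by dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_reason(host: str, known_good):
    """Return (impersonated_domain, reason) or None when the host is not suspicious."""
    host = host.lower()
    if host.startswith("www."):
        host = host[4:]
    for good in known_good:
        # Exact matches and genuine subdomains of a known-good domain are fine
        if host == good or host.endswith("." + good):
            return None
    for good in known_good:
        if normalize(host) == normalize(good):
            return (good, "confusable-characters")
        if ("." + good + ".") in ("." + host + "."):
            return (good, "embedded-legitimate-name")
        if levenshtein(host, good) <= 2:
            return (good, "edit-distance")
    return None


def find_lookalikes(lines, known_good):
    """Scan log lines and return one finding per suspicious hostname, in log order."""
    findings = []
    for line in lines:
        m = HOST_RE.search(line)
        if not m:
            continue
        host = m.group(1)
        hit = lookalike_reason(host, known_good)
        if hit:
            findings.append({"host": host, "impersonates": hit[0], "reason": hit[1]})
    return findings


if __name__ == "__main__":
    for f in find_lookalikes(LOG_LINES, KNOWN_GOOD):
        print(f)
```

On the constructed lines this reports nevvs.example (confusable characters for news.example), mod-gov.example (edit distance 1 from mod.gov.example) and m0d.gov.example (digit zero for o), while the genuine hosts pass. The edit-distance threshold is deliberately small; raising it catches more variants but also produces more noise on short domain names, so in practice the list is best reviewed alongside domain registration age and the file types fetched.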
Operation Hangover utilizes a very extensive and sophisticated command-and-control infrastructure, likely developed over many months or years by numerous developers. Norman said that its investigation revealed evidence of professional project management practices used to design frameworks, modules, and sub-components. Individual malware authors were assigned certain tasks, and components were “outsourced” to what appear to be freelance programmers.
Attribution of Responsibility
In recent months, much focus has been on China – including both state-sponsored and individual actors – but Operation Hangover contains notable hallmarks of originating exclusively in India. Norman said that it is naming India with a very high degree of confidence based on extensive analysis of IP addresses, website domain registrations, and text-based identifiers contained within the malicious code itself.
All indications point to private syndicates of threat actors following their own motivations, with no direct evidence of state-sponsorship by the Indian government or by any other nation.
The complete report by Norman uncovering the Indian cyber attacks can be viewed here.