Indian Hacker Group Involved in Cyber Attacks in Pakistan, China

Indian state-sponsored hacking APT group PatchWork is involved in cyber-attacks in Pakistan.

According to the advisory issued by the Cabinet Division, the PatchWork group has actively targeted Chinese and Pakistan state institutions for data exfiltration.

According to the advisory, PatchWork, also known as Mahabusa and White Elephant is an Indian APT group present in Cyberspace since 2015. The APT group came into the limelight in 2017 when various cybersecurity researchers identified its modus operandi and nefarious operations.

According to the Cabinet Division, PatchWork primarily targets Asian regions. It mainly uses spear phishing emails, whaling, social engineering, and masquerading techniques (crafted malicious emails, fake rating websites appearing to be legitimate to gain users’ trust, and SM links to download malicious mobile apps) to execute Cyber-attacks on regional countries including Pakistan and China.

According to the advisory, PatchWork uses Android RAT, Bad News RAT, and file Stealer Malware to exploit users. The security agencies have identified some URLs and malicious Attachments during the investigation. Domains Filepiece.com, Techwatch.com, and Bingoplant.live are found involved in this activity and Cabinet Division advised to block these URLs and it has also issued a list of malicious links for blockage.

The cabinet division has asked government officials to don’t share personal details and credentials with unauthorized and suspicious users, websites, applications, etc., and never install unknown and suspicious applications. It has also suggested government officials not to click on unknown links and attachments. and always type URLs in the browser rather than clicking on links.

The advisory has asked government officials to always open websites with https and avoid visiting http websites and not use personal accounts on official systems. It has also recommended government officials to not follow web links in emails to avoid Social Engineering and Phishing Attacks.

The advisory has asked government departments and officials to train users to recognize and report phishing attempts and to use multi-factor authentication where possible. It has also advised to regularly review application permission, system running processes, and storage utilization.

The advisory has asked the government departments and officials to Use reputed and licensed business email gateways, anti-phishing and anti-spam solutions. It has also suggested to always scan every document before opening or downloading via built-in anti-virus on mailing servers. According to the cabinet division application whitelisting is ensured by allowing only specified applications to run and block all other applications.

According to the advisory, the organizations should have a timely vulnerability detection and patch management program in place. End-point protection systems to be kept updated and Windows Defender should always be active to ensure that malware execution is hindered. It has also suggested the timely updating of all applications and operating systems and the use of separate and complex passwords for each system, mobile, SM accounts, financial and mailing accounts, etc.

The cabinet division has suggested disabling the execution of PowerShell or Command line for normal users through Access control and Active Directory. It has also advised to use well-reputed and updated antivirus or antimalware for computer and mobile and disable macros on documents (MS Excel, MS PowerPoint, MS Word, etc.

The advisory has also asked the administrators to monitor networks including file hashes, file locations, logins, and unsuccessful login attempts, and use reputed firewalls, IPS/IDS, and SIEM solutions. It has also asked the administrators to use separate servers/routing for offline LAN and online networks and restrict incoming traffic and user permissions to a maximum extent by implementing system hardening at OS, BIOS, and application levels.

The advisory has also asked the administrators to allow internet access to specific users on a need basis restrict data usage/applications rights and verify software and documents before downloading via digital code-signing technique. It has also advised the implementation of MFA in the mailing system’s administrator controls and other critical systems and regularly changes passwords at the administrator level.