New Indian subcontinent APT group emerges

A new APT group has emerged on the Indian subcontinent, identified by ForcePoint as 'Monsoon'

The Indian group have also been identified as Patchwork APT, Dropping Elephant and Operation Hangover.
The Indian group have also been identified as Patchwork APT, Dropping Elephant and Operation Hangover.

A group of hackers from the Indian subcontinent have been identified by researchers at ForcePoint. The Indian hackers are thought to have compromised what may be up to ‘thousands' of computers in a series of apparently disconnected hacks that are now thought to have come from this one central source.

The so-called ‘Monsoon Group' has also been known as Patchwork APT, Dropping Elephant and Operation Hangover. The hackers used a series of spear phishing emails to disseminate Word macros laden with malicious Trojans to enable potential remote code execution.

Although the attacks are thought to have been spread across more than 100 countries, the overarching campaign appears to target both Chinese nationals within different industries and government agencies in Southern Asia.

ForcePoint researchers Andy Settle, Nicholas Griffin and Abel Toro explain that Monsoon used ‘command and control (C&C) infrastructures' built using RSS feeds and even GitHub accounts. In basic terms, a C&C infrastructure exists as a collection of , often virtualised, servers and supporting technical infrastructure elements, conduits and toolsets used to control the path of malware, which in particular feature botnet related activity.

Well done everyone, team effort!

The ForcePoint is said to have uncovered the hackers after building upon existing intelligence and research work carried out by Cymmetria, Kaspersky, and BlueCoat - some of which being initial research dating back to 2013 - making this unmasking in 2016 all the sweeter no doubt.

As a result of the research and investigations here, ForcePoint has produced as 57-page document entitled, ‘Monsoon – Analysis of an APT campaign: Espionage and data loss under the cover of current affairs'.

“Our Monsoon investigation has uncovered what is clearly a concerted and persistent campaign to steal sensitive data from a variety of critical sources. The use of both current and topical themes as lures, not only indicates the precision level of targeting but also the targeting decision process itself,” writes ForcePoint's head of special investigations Andy Settle.

Weaponised documents

The malware components used in Monsoon were typically distributed through weaponised documents sent through e-mail to specifically chosen targets. Themes of these documents are usually political in nature and taken from recent publications on topical current affairs.

“In today's world there is no space anymore for single-factor protection,” said Pavel Sotnikov, managing director for Eastern Europe, Caucasus and Central Asia at Qualys.  

Speaking to SCMagazineUK.com, Sotnikov suggested that companies should adopt Defence-in-Depth methodology for layered robust security measures.

“If we take website security as an example, there definitely should be continuous automated vulnerability testing both for the website and the infrastructure that supports it, moreover there should be security testing during all stages of the SDLC in addition to the secure coding practices,” she said.

Sotnikov added, “additionally, there should be Web Application Firewall for proactive protection. Ideally, all this should be complemented through regular manual penetration testing by qualified professionals.”

“Concentrate your efforts on appropriate risk mitigation, complemented with risk transfer activities, and you will prevent majority of incidents before they occur.”