APT infrastructure infecting a wide range of sectors detected in India

News by Dan Raywood

A large attack infrastructure has been detected as having originated in India.

A large attack infrastructure has been detected as having originated in India.

According to the report by Norman Shark's security analyst team, the infrastructure appears to have originated from India and began three years ago and is still ongoing. The report said that the attacks showed no evidence of state sponsorship but the primary purpose of the global command-and-control network appears to be intelligence gathering from a combination of national security targets and private sector companies.

Based on an analysis of IP addresses collected from criminal data stores discovered during the investigation, it appears that potential victims have been targeted in more than a dozen countries. Attribution to India was based on an extensive analysis of IP addresses, website domain registrations and text-based identifiers contained within the malicious code itself.

The report claimed that the campaign named ‘Operation Hangover' relied on well-known previously identified vulnerabilities in Java, Word documents and web browsers, which suggests that the targeted government, military and business organisations were not up-to-date on patches.

The discovery began on 17th March, when a Norwegian newspaper reported that telco Telenor had filed a criminal police case for an unlawful computer intrusion and the amount of malware found by Norman Shark analysts revealed that the intrusion was not a single attack, but part of a continuous effort to compromise governments and corporations worldwide.

Norman Shark deemed the primary purpose of this attack to be surveillance against national security interests, with potential victims targeted in over a dozen countries, particularly Pakistan, Iran and the United States.

The intrusion was achieved by spear phishing attacks, with the report claiming that "the attackers went to great lengths to make the social engineering aspects of the attack appear as credible and applicable as possible".

It said: “In many cases, decoy files and websites were used, specifically geared to the particular sensibilities of regional targets including cultural and religious subject matter. Victims would click on what appeared to be an interesting document, and begin the long-running infection cycle.

“Favoured methods include documents infected with malicious code, along with direction to malicious websites with names deliberately similar to legitimate government, entertainment, security related and commercial sites. Often the user would be presented with a legitimate document or software download they were expecting to see, along with an unseen malicious download.”

Snorre Fagerland, head of research at Norman Shark labs, said: “The data we have appears to indicate that a group of attackers based in India may have employed multiple developers tasked with delivering specific malware.

“The investigation revealed evidence of professional project management practices used to design frameworks, modules and subcomponents. It seems that individual malware authors were assigned certain tasks, and components were 'outsourced' to what appear to be freelance programmers. Something like this has never been documented before.”

Fagerland also said that what was surprising was the extreme diversity of the sectors targeted, which included natural resources, telecommunications, law, restaurants and manufacturing.  “It is highly unlikely that this organisation of hackers would be conducting industrial espionage for just its own purposes - which makes this of considerable concern,” he said.


Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews