APT Attacks Trace To India, Researcher Says

Multi-year hacking campaign targeted mining companies, legal firms, Pakistan, Angolan dissidents and others in Pakistan, the U.S., Iran, China and Germany.

A multi-year advanced persistent threat (APT) campaign that targeted the government of Pakistan, as well as global businesses operating in mining, automotive, engineering, military and finance sectors, among others, appears to have been run from India. Organizations targeted for industrial espionage were located in numerous countries, including the United States, Iran, China and Germany.

Those findings come from "Unveiling an Indian Cyberattack Infrastructure," a new report from Norwegian security software vendor Norman that documents an APT campaign that began in 2010, if not earlier. According to the report, the APT campaign and related, malicious infrastructure has served "primarily as a platform for surveillance against targets of national security interest that are mostly based in Pakistan and possibly in the United States."

Report co-author Snorre Fagerland, a principal security researcher in the Malware Detection Team at Norman Shark in Norway, said in an interview: "What we found surprised us a little bit, because we started out anticipating the Chinese, but the indicators we found pointed toward India."

Researchers also found multiple references to Appin, an Indian information security software vendor and "ethical hacking" training company. References included "appin" and "appinbot" in "cleartext project and debug path strings," according to Norman's report, and some domains used in the APT attacks appeared to have been registered with a corporate Appin email address before being hidden.

Norman's report said the Appin name-dropping is no smoking gun. "Maybe someone has tried to hurt Appin by falsifying evidence to implicate them," said the report. "Maybe some rogue agent within Appin Security Group is involved, or maybe there are other explanations." But Adam Meyers, director of intelligence at CrowdStrike, told DarkReading: "I think it is highly unlikely Appin is not involved."

Contacted for comment, a spokesman for Appin in New Delhi strongly dismissed any suggestion that his company was connected with the APT campaign. "The Appin Security Group is in no manner connected or involved with the activities as sought to be implied in the alleged report," he said in an emailed statement. "The reference to Appin Security Group in the report is malafide and made purely with an intention to slur the good name of Appin Security Group in the industry."

This isn't Norman's first foray into malware research. In Nov. 2012, the company discovered an unrelated, botnet-driven malware espionage campaign focused on Middle Eastern targets in Israel and Palestine.

Norman undertook a similar investigation -- on its own initiative -- after Norwegian telecommunications company Telenor reported experiencing a network breach on March 17, 2013. "We arrived at the conclusion that Telenor was not an isolated case, but part of a much larger attack pattern emanating from India," said Fagerland in a related blog post. "This conclusion is backed up by indicators found in malware, similar related cases, domain registrations, hosting details and other available data from our own extensive dataset as well as public data."

The APT attackers chiefly employed spear-phishing emails to compromise targets. Some emails tried to trick recipients into opening attached, malicious documents that attempted to exploit known vulnerabilities. Other emails included a link to a website designed to launch a phishing attack. According to Norman, no watering hole attacks have been seen.

The APT campaign is sizeable: more than 600 domains have been spotted and over 800 samples of malware -- some customized for specific targets -- recovered. "As far as I know, this is one of the largest command and control infrastructures I've seen by any APT group, certainly outside of China," said Fagerland. Norman's report said all signs point to the campaign being "conducted by private threat actors with no evidence of state sponsorship."

Malware developers used relatively simple development tools and techniques, and outsourced some work to freelancers, for example via the Elance virtual marketplace. "I like the use of Elance for tool development. Way to keep those costs down," the Bangkok-based vulnerability buyer and seller known as "the Grugq" said via Twitter.

Furthermore, "the attackers were not very good at covering their tracks," said Fagerland. "We found for example several open drop folders where they had uploaded stolen data." Attackers often left their project management notes behind too. "Curiously, many of the executables we uncovered from related cases contained cleartext project and debug path strings," according to the report. "It is not very common to find malware with debug paths, but these particular threat actors did not seem to mind leaving such telltale signs, or maybe they were unaware of their presence." Language used in the project notes further suggests that at least some of the project team was Indian.
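The cleartext debug paths described above are what analysts extract and triage when attributing samples. The following is an added example (not code from Norman's report or from any vendor): a small Python scanner that locates CodeView "RSDS" debug records in a raw binary, recovers the embedded PDB path, and pulls out the account name, project name and any watchlist hits. The sample blob, the path in it and the watchlist are constructed placeholders.

```python
import re
import struct
import uuid
from dataclasses import dataclass
from typing import List, Iterable, Optional

RSDS_MAGIC = b"RSDS"  # CodeView PDB 7.0 signature written by MSVC link.exe

@dataclass
class PdbInfo:
    offset: int
    guid: str
    age: int
    path: str

def extract_pdb_paths(data: bytes) -> List[PdbInfo]:
    """Find RSDS records anywhere in raw bytes (no PE header parsing needed).
    Layout: 'RSDS' | 16-byte GUID (little-endian) | uint32 age | NUL-terminated path."""
    found, pos = [], data.find(RSDS_MAGIC)
    while pos != -1:
        hdr_end = pos + 4 + 16 + 4
        if hdr_end < len(data):
            guid = uuid.UUID(bytes_le=data[pos + 4:pos + 20])
            (age,) = struct.unpack_from("<I", data, pos + 20)
            nul = data.find(b"\x00", hdr_end)
            raw = data[hdr_end:nul if nul != -1 else len(data)]
            path: Optional[str] = raw.decode("ascii", errors="replace")
            # Require a .pdb suffix to drop random 'RSDS' byte runs
            if path and path.lower().endswith(".pdb"):
                found.append(PdbInfo(pos, str(guid), age, path))
        pos = data.find(RSDS_MAGIC, pos + 1)
    return found

# Matches C:\Users\<name>\ and the older C:\Documents and Settings\<name>\
USER_DIR = re.compile(r"(?i)[a-z]:\\(?:users|documents and settings)\\([^\\]+)\\")

def triage_pdb_path(path: str, watchlist: Iterable[str]) -> dict:
    """Pull attribution-relevant pieces out of a debug path: the Windows account
    name, the project name (the .pdb stem) and case-insensitive watchlist hits."""
    m = USER_DIR.search(path)
    stem = path.rsplit("\\", 1)[-1][:-4]
    lower = path.lower()
    return {"user": m.group(1) if m else None, "project": stem,
            "hits": sorted(w for w in watchlist if w.lower() in lower)}

# Constructed sample: fake file bytes wrapping one RSDS record with a placeholder path.
SAMPLE_PATH = b"C:\\Users\\builder\\Projects\\examplebot\\Release\\examplebot.pdb"
SAMPLE_BLOB = (b"MZ" + b"\x90" * 40 + RSDS_MAGIC + uuid.UUID(int=0x1234).bytes_le
               + struct.pack("<I", 3) + SAMPLE_PATH + b"\x00" + b"\xff" * 16)

def scan_sample(watchlist: Iterable[str] = ("examplebot",)) -> List[dict]:
    return [triage_pdb_path(p.path, watchlist) for p in extract_pdb_paths(SAMPLE_BLOB)]
```

On a real corpus you would feed each sample's bytes to `extract_pdb_paths` and pivot on repeated account names and project stems across files, which is exactly the kind of overlap the report used.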

Fagerland said that a report published last week by ESET malware researcher Jean-Ian Boutin, describing an APT campaign that appeared to be targeting Pakistan, was part of the APT campaign analyzed in Norman's report. ESET likewise ascribed the attack to India on several grounds, including the hours worked by attackers and a reference to "Ramu Kaka," which "is a typical Bollywood-style servant in a house," according to Boutin. "Considering that this variable is responsible for achieving persistence on the system, this definition is a good fit."

Norman's researchers found that the command-and-control infrastructure used by the APT attackers was used to target the Chicago Mercantile Exchange, which publicly reported that a failed phishing attempt had been launched against it. The malicious infrastructure was also used to infect an Angolan activist's OS X systems with a Trojan backdoor, which wasn't discovered until the activist attended last week's Oslo Freedom Forum, according to a blog post from Sean Sullivan, security advisor at F-Secure Labs, which is analyzing the malware. Sullivan said the malware was signed with a legitimate Apple developer ID in the name of "Rajinder Kumar."

What can be deduced from the finding that the same attack infrastructure used against Pakistan government targets was also used to infect an Angolan activist's Mac with a backdoor Trojan? "That's an interesting side branch of this operation," said Fagerland. It suggests the botnet's controllers "could be hiring out the infrastructure to other attackers," or offering targeted attacks as a service.

Norman shared its findings with Norwegian law enforcement agencies in advance of releasing its report. Although the timing may be coincidental, attackers' behavior has since changed. "We have reason to believe that at least some information from this report was known to some people in India some time ago, and since then, some things have changed," said Fagerland. "Whole branches of this command and control infrastructure have gone silent."

But he said that the timing could just be a coincidence.
