
APT Attacks Trace To India, Researcher Says

A multi-year hacking campaign targeted mining companies, legal firms, the Pakistani government, Angolan dissidents and others located in Pakistan, the U.S., Iran, China and Germany.

A multi-year advanced persistent threat (APT) campaign that targeted the government of Pakistan, as well as global businesses operating in mining, automotive, engineering, military and finance sectors, among others, appears to have been run from India. Organizations targeted for industrial espionage were located in numerous countries, including the United States, Iran, China and Germany.

Those findings come from "Unveiling an Indian Cyberattack Infrastructure," a new report from Norwegian security software vendor Norman that documents an APT campaign that began in 2010, if not earlier. According to the report, the APT campaign and its related malicious infrastructure have served "primarily as a platform for surveillance against targets of national security interest that are mostly based in Pakistan and possibly in the United States."

Report co-author Snorre Fagerland, a principal security researcher in the Malware Detection Team at Norman Shark in Norway, said in an interview: "What we found surprised us a little bit, because we started out anticipating the Chinese, but the indicators we found pointed toward India."

Researchers also found multiple references to Appin, an Indian information security software vendor and "ethical hacking" training company. References included "appin" and "appinbot" in "cleartext project and debug path strings," according to Norman's report, and some domains used in the APT attacks appeared to have been registered with a corporate Appin email address before being hidden.

Norman's report said the Appin name-dropping is no smoking gun. "Maybe someone has tried to hurt Appin by falsifying evidence to implicate them," said the report. "Maybe some rogue agent within Appin Security Group is involved, or maybe there are other explanations." But Adam Meyers, director of intelligence at CrowdStrike, told DarkReading: "I think it is highly unlikely Appin is not involved."

Contacted for comment, a spokesman for Appin in New Delhi strongly dismissed any suggestion that his company was connected with the APT campaign. "The Appin Security Group is no manner connected or involved with the activities as sought to be implied in the alleged report," he said in an emailed statement. "The reference to Appin Security Group in the report is malafide and made purely with an intention to slur the good name of Appin Security Group in the industry."

This isn't Norman's first foray into malware research. In Nov. 2012, the company discovered an unrelated, botnet-driven malware espionage campaign focused on Middle Eastern targets in Israel and Palestine.

Norman undertook a similar investigation -- on its own initiative -- after Norwegian telecommunications company Telenor reported experiencing a network breach on March 17, 2013. "We arrived at the conclusion that Telenor was not an isolated case, but part of a much larger attack pattern emanating from India," said Fagerland in a related blog post. "This conclusion is backed up by indicators found in malware, similar related cases, domain registrations, hosting details and other available data from our own extensive dataset as well as public data."

The APT attackers chiefly employed spear-phishing emails to compromise targets. Some emails tried to trick recipients into opening attached, malicious documents that attempted to exploit known vulnerabilities. Other emails included a link to a website designed to launch a phishing attack. According to Norman, no watering hole attacks have been seen.

The APT campaign is sizeable: more than 600 domains have been spotted and over 800 samples of malware -- some customized for specific targets -- recovered. "As far as I know, this is one of the largest command and control infrastructures I've seen by any APT group, certainly outside of China," said Fagerland. Norman's report said all signs point to the campaign being "conducted by private threat actors with no evidence of state sponsorship."

Malware developers used relatively simple development tools and techniques, and outsourced some work to freelancers, for example via the Elance virtual marketplace. "I like the use of Elance for tool development. Way to keep those costs down," the Bangkok-based vulnerability buyer and seller known as "the Grugq" said via Twitter.

Furthermore, "the attackers were not very good at covering their tracks," said Fagerland. "We found for example several open drop folders where they had uploaded stolen data." Attackers often left their project management notes behind too. "Curiously, many of the executables we uncovered from related cases contained cleartext project and debug path strings," according to the report. "It is not very common to find malware with debug paths, but these particular threat actors did not seem to mind leaving such telltale signs, or maybe they were unaware of their presence." Language used in the project notes further suggests that at least some of the project team was Indian.
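The report's observation that the executables carried cleartext project and debug path strings is something an analyst can check for directly during sample triage, and it is the kind of telltale sign an attribution investigation feeds on. The following Python script is an added example, not code from Norman, ESET or the report: it scans a binary for an RSDS CodeView debug record (PDB GUID, age and path) and for loose Windows source or symbol paths, then pulls the non-generic directory names out as project-name hints. The sample blob, the path names in it and the noise-directory list are all constructed for illustration and are not indicators from the report.

```python
import re
import struct
import uuid

# Constructed sample blob standing in for a compiled Windows executable.
# It carries an RSDS CodeView record and a loose source path; every name
# in it is invented for this example, none are indicators from the report.
SAMPLE_BLOB = (
    b"MZ\x90\x00" + b"\x00" * 60
    + b"RSDS"                                              # CodeView signature
    + bytes.fromhex("0123456789abcdef0123456789abcdef")     # 16-byte PDB GUID
    + struct.pack("<I", 3)                                  # PDB age
    + b"C:\\projects\\examplebot\\Release\\examplebot.pdb\x00"
    + b"\x00" * 16
    + b"D:\\work\\team\\dropper\\src\\main.cpp\x00"
)

RSDS_MAGIC = b"RSDS"

# Windows-style path ending in a symbol or source extension and terminated
# by a non-printable byte (normally the NUL that ends a C string).
PATH_RE = re.compile(rb"[A-Za-z]:\\[\x20-\x7e]+?\.(?:pdb|cpp|c|sln)(?![\x20-\x7e])")

# Generic build/user folders that carry no attribution value (constructed list).
NOISE_DIRS = {"release", "debug", "src", "obj", "bin", "x64", "x86",
              "projects", "work", "users", "documents"}


def parse_rsds_records(data: bytes) -> list:
    """Return every RSDS CodeView record in data as {guid, age, pdb_path}."""
    records = []
    pos = data.find(RSDS_MAGIC)
    while pos != -1:
        start = pos + len(RSDS_MAGIC)
        if start + 20 <= len(data):
            # Layout after the signature: GUID (16, mixed-endian), age (u32 LE), path (NUL-terminated)
            guid = uuid.UUID(bytes_le=data[start:start + 16])
            (age,) = struct.unpack_from("<I", data, start + 16)
            end = data.find(b"\x00", start + 20)
            if end == -1:
                end = len(data)
            path = data[start + 20:end].decode("latin-1")
            records.append({"guid": str(guid), "age": age, "pdb_path": path})
        pos = data.find(RSDS_MAGIC, start)
    return records


def extract_project_paths(data: bytes) -> list:
    """Return unique cleartext Windows source/symbol paths found anywhere in data."""
    seen = []
    for m in PATH_RE.finditer(data):
        p = m.group(0).decode("latin-1")
        if p not in seen:
            seen.append(p)
    return seen


def project_hints(paths) -> list:
    """Directory names from the paths that are not generic build folders."""
    hints = []
    for p in paths:
        for part in p.split("\\")[1:-1]:   # drop drive letter and file name
            if part.lower() not in NOISE_DIRS and part not in hints:
                hints.append(part)
    return hints


def triage(data: bytes) -> dict:
    """Summarise the debug-path evidence a sample leaks in cleartext."""
    paths = extract_project_paths(data)
    return {
        "rsds": parse_rsds_records(data),
        "paths": paths,
        "hints": project_hints(paths),
        "has_debug_info": bool(paths),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_BLOB), indent=2))
```

Run against a real sample, the `hints` list is what an analyst would compare across a malware family: recurring project or developer directory names link samples to each other, and the PDB GUID plus age pins down a specific build of the same source tree.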

Fagerland said that a report published last week by ESET malware researcher Jean-Ian Boutin, describing an APT campaign that appeared to be targeting Pakistan, was part of the APT campaign analyzed in Norman's report. ESET likewise ascribed the attack to India based on numerous indicators, including the hours worked by attackers and a reference to "Ramu Kaka," which "is a typical Bollywood-style servant in a house," according to Boutin. "Considering that this variable is responsible for achieving persistence on the system, this definition is a good fit."

Norman's researchers found that the command-and-control infrastructure used by the APT attackers was used to target the Chicago Mercantile Exchange, which publicly reported that a failed phishing attempt had been launched against it. The malicious infrastructure was also used to infect an Angolan activist's OS X systems with a Trojan backdoor, which wasn't discovered until the activist attended last week's Oslo Freedom Forum, according to a blog post from Sean Sullivan, security advisor at F-Secure Labs, which is analyzing the malware. Sullivan said the malware was signed with a legitimate Apple developer ID in the name of "Rajinder Kumar."

What can be deduced from the finding that the same attack infrastructure used against Pakistan government targets was also used to infect an Angolan activist's Mac with a backdoor Trojan? "That's an interesting side branch of this operation," said Fagerland. It suggests the botnet's controllers "could be hiring out the infrastructure to other attackers," or offering targeted attacks as a service.

Norman shared its findings with Norwegian law enforcement agencies in advance of releasing its report. Although the timing may be coincidental, attackers' behavior has since changed. "We have reason to believe that at least some information from this report was known to some people in India some time ago, and since then, some things have changed," said Fagerland. "Whole branches of this command and control infrastructure have gone silent."

But he said that the timing could just be a coincidence.
