Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

8/18/2014
07:00 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Pakistan The Latest Cyberspying Nation

A look at Operation Arachnophobia, a suspected cyber espionage campaign against India.

A recently unearthed targeted attack campaign suggests that Pakistan is evolving from hacktivism to cyber espionage.

Operation Arachnophobia, a campaign that appears to have begun in early 2013, has all the earmarks of classic advanced persistent threat/cyber espionage activity but with a few twists of its own -- including the possible involvement of a Pakistani security firm.

Researchers from FireEye and ThreatConnect recently teamed up in their investigation of the attacks, which feature a custom malware family dubbed Bitterbug that serves as the backdoor for siphoning stolen information. Though the researchers say they have not identified the specific victim organizations, they have spotted malware bundled with decoy documents related to Indian issues.

The Bitterbug malware is geared for cyber espionage purposes and was hidden behind pilfered US infrastructure as a way to hide its origins. Specifically, the attacks employ infrastructure from a US virtual private server. The Pakistani hosting provider appears to have leased its command and control infrastructure from a US VPS provider. "It's where the malware is hosted and used for command and control," says Rich Barger, chief intelligence officer at ThreatConnect. The goal was to make the attacks appear to come from the US.

Operation Arachnophobia may well be Pakistan's answer to cyber espionage campaigns against its nation that appear to have come from India. "It was engineered to collect standard Office documents on your desktop," Barger says. "It was very close to Operation Hangover activity… for which India was purportedly responsible."

Cyber espionage appears to be on the upswing in the region. Iran recently moved from a defacement-happy operation in the name of political hacktivism to cyberspying campaigns such as the so-called Operation Saffron Rose targeting US defense contractors and Iranian dissidents.

"We know about Russia and China… India and Pakistan has room to grow and mature," Barger says.

Operation Arachnophobia was named after the Pakistani security firm Tranchulas, whose name appeared in some of the malware samples studied by FireEye researchers. "The 'Tranchulas' name was in a string" of the malware, says Mike Oppenheim, principal threat intelligence analyst at FireEye. Tranchulas was supposedly a security company that does penetration testing. The researchers say it supports "national level cyber security programs" and the development of "offensive and defensive cyber capabilities."

The researchers found major discrepancies in emails between them and Tranchulas and the Pakistani hosting provider, which led them to dig further. That's where they discovered the hosting provider had been subleasing insfrastructure from US providers, and both Tranchulas and the Pakistani hosting provider have employed or have connections with people with "cyber offensive expertise."

According to the researchers, since they published a whitepaper on their findings this month, the operation appears to have come to standstill for now.

The full report is available here (registration required).

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
securityaffairs
50%
50%
securityaffairs,
User Rank: Ninja
9/1/2014 | 3:58:08 AM
Re: Hyper-rivalries breed cyber snooping
I totally agree. 

you wrote " It's important that international laws are to be made same for all"

that's correct but it's an ambitious goal difficult to reach

Regards

Pierluigi
nomii
50%
50%
nomii,
User Rank: Apprentice
8/30/2014 | 1:53:28 AM
Re: Hyper-rivalries breed cyber snooping
@Securityaffairs I agree with you. As i belong to the region, its a a basic fact that the expertise level at both sides are very high. They are very regularly being used against each other as it is known that both these countries remain in a war like situation on  all fronts even their military is having very cordial relations with each other.

I think the cyberspying is very relevant term and I feels that its right of weaks to do if Giants are doing it openly under security cover. Its important that international laws are to be made same for all but I feel that its implementation is not as it should be especially for the favoured ones. I need not to mention them openly.
securityaffairs
50%
50%
securityaffairs,
User Rank: Ninja
8/20/2014 | 5:48:03 PM
Re: Hyper-rivalries breed cyber snooping
I'm not surprised too. Pakistan has also great cyber capabilities and I believe that its Government is involved in the attacks mentioned that are in response to the Indian cyber espionage campaigns uncovered in the past.

Regards

Pierluigi
Kelly Jackson Higgins
50%
50%
Kelly Jackson Higgins,
User Rank: Strategist
8/19/2014 | 8:35:23 AM
Re: Hyper-rivalries breed cyber snooping
I suppose it's turnabout, with India doing the same to Pakistan. Traditional spying alone isn't enough anymore.
Charlie Babcock
50%
50%
Charlie Babcock,
User Rank: Ninja
8/18/2014 | 11:40:15 PM
Hyper-rivalries breed cyber snooping
Pakistan has a nuclear arsenal and was willing to export the expertise. I'm not too surprised that it's willing to engage in cyber snooping. Countries that are in a high state of rivalry with a neighbor, such as Pakistan and India, will behave more defensive-aggressively.
Small Business Security: 5 Tips on How and Where to Start
Mike Puglia, Chief Strategy Officer at Kaseya,  2/13/2020
Architectural Analysis IDs 78 Specific Risks in Machine-Learning Systems
Jai Vijayan, Contributing Writer,  2/13/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
How Enterprises Are Developing and Maintaining Secure Applications
How Enterprises Are Developing and Maintaining Secure Applications
The concept of application security is well known, but application security testing and remediation processes remain unbalanced. Most organizations are confident in their approach to AppSec, although others seem to have no approach at all. Read this report to find out more.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-9308
PUBLISHED: 2020-02-20
archive_read_support_format_rar5.c in libarchive before 3.4.2 attempts to unpack a RAR5 file with an invalid or corrupted header (such as a header size of zero), leading to a SIGSEGV or possibly unspecified other impact.
CVE-2019-20479
PUBLISHED: 2020-02-20
A flaw was found in mod_auth_openidc before version 2.4.1. An open redirect issue exists in URLs with a slash and backslash at the beginning.
CVE-2011-2498
PUBLISHED: 2020-02-20
The Linux kernel from v2.3.36 before v2.6.39 allows local unprivileged users to cause a denial of service (memory consumption) by triggering creation of PTE pages.
CVE-2012-2629
PUBLISHED: 2020-02-20
Multiple cross-site request forgery (CSRF) and cross-site scripting (XSS) vulnerabilities in Axous 1.1.1 and earlier allow remote attackers to hijack the authentication of administrators for requests that (1) add an administrator account via an addnew action to admin/administrators_add.php; or (2) c...
CVE-2014-3484
PUBLISHED: 2020-02-20
Multiple stack-based buffer overflows in the __dn_expand function in network/dn_expand.c in musl libc 1.1x before 1.1.2 and 0.9.13 through 1.0.3 allow remote attackers to (1) have unspecified impact via an invalid name length in a DNS response or (2) cause a denial of service (crash) via an invalid ...