Breaking cybersecurity news, news analysis, commentary, and other content from around the world, with an initial focus on the Middle East & Africa and the Asia Pacific

Pakistani Hacking Team 'Celestial Force' Spies on Indian Gov't, Defense

Against a backdrop of political conflict, a years-long cyber-espionage campaign in South Asia is coming to light.

4 Min Read
Soldiers from India and Pakistan saluting
Source: Frank Nowikowski via Alamy Stock Photo

A Pakistani threat actor has been spying on Indian government-associated entities for at least six years now.

A new report from Cisco Talos has collated years of cyber espionage by a group it calls "Cosmic Leopard," under the umbrella title "Operation Celestial Force." The Pakistan-based Cosmic Leopard overlaps with but as yet remains distinct from the threat actor known as Transparent Tribe. Cosmic Leopard's attacks focus on espionage and surveillance against individuals and organizations associated with India's government and defense sectors, as well as related technology companies.

"What we're seeing is constant, persistent efforts to infect targets of interest, and establish long-term access," says Asheer Malhotra, Cisco outreach researcher. "I'm pretty sure that the threat actors themselves don't know specifically what they're looking for. The intention here is to get as much data as they can, so that they can analyze it and then figure it out at a later stage."

Operation Celestial Force

Signs of Cosmic Leopard activity date back to 2016, when it created a Windows version of its GravityRAT Trojan.

Since then, Malhotra says, "We've seen a constant evolution in everything they do, basically."

In 2019, for example, the group developed its HeavyLift malware loader, and Android versions of GravityRAT for targeting mobile devices. MacOS, too. "We've also seen a constant evolution in the TTPs [tactics, techniques, and procedures] used by the threat actor. They used to send out phishing messages; now they establish conversations with victims over social media channels. At the same time, they're setting up new infrastructure which they can use to outrun detection," he explains.

In all, a current Celestial Force attack will look something like this:

First, a spear-phishing email or social media message arrives, containing a malicious document or, more often, a link. The link will seem like a website for downloading a legitimate Android application that, in fact, masks GravityRAT or HeavyLift.

GravityRAT is a fairly standard but powerful mobile Trojan. It can read and delete SMS messages, call logs, and files as well as other device information — about the SIM card, phone number, IMEI, manufacturer, network operator, location, and more.

HeavyLift is an executable masked as a legitimate installer. Typically, it installs both a harmless decoy application and a malicious one on the device. The malicious component can gather and exfiltrate a variety of system data, download further payloads, and check if it's running in a virtual machine.

It doesn't have to do any of that, however, to be effective.

"HeavyLift has a component that can download and run additional malware on the victim system, but it also gives the victim the ability to upload data to the threat actors' cloud," Malhotra explains. In some scenarios, the threat actor simply tells a target over social media about their cloud storage application. "The threat actor is being upfront about it. They say this is a cloud storage application, you can store all of your data in it. And once the target starts uploading all of their data, they have access to it, so they don't need to go in and steal from them."

It works so well, says Cisco lead security researcher Vltor Ventura, because "If you go to the site, if you go through the UI, it's really, really well done. Even while we were investigating the malware, it seemed almost like a legitimate application. It started a discussion between us — like, OK, is this really malicious or not?"

Preventing Infections

Luckily, steering clear of these attacks on mobile devices is simple: only download software from authorized app stores (for Android, that's Google Play). "Unless the attacker uses a zero-day, or n-day if the system is not updated, that's pretty much the only way they can get into the Android ecosystem," Ventura notes.

Windows computers lack this simple fix, but they have an advantage all their own.

"When you think about Android, organizations don't have that much visibility to what's going on these devices. It's a harder environment for organizations to control. With laptops, there is better visibility," Ventura explains.

With that extra visibility, organizations can apply layered security to prevent one employee's wayward click from becoming an organizationwide issue.

"When people get a link or when they get a file, they want to see what's inside," he says. Rather than denying reality, "we need to go to the next level, and prevent that [decision] from becoming something much worse."

About the Author

Nate Nelson, Contributing Writer

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights