Seqrite, a cybersecurity consultant and the enterprise arm of Quick Heal Technologies, said a suspected Pakistani group has started a wave of sophisticated phishing attacks targeting India’s cricial infrastructure such as power and telecom.
According to the IT security consultant, the initial intrusion chain begins with a spear-phishing email — an email that is designed to get the user to install a virus, trojan or other malware.
Often, the emails pretend to be from government agencies, and also come attached with a fake document — such as an IT return — and urges the user to download and open it.
The firm found that the hackers would create fake websites that people working in the targeted organization would generally access.
“The email content attempts to lure the user into extracting the attached zip archive. Upon extraction, the user would see a document file which is in fact an extension spoofed LNK file which is usually seen as shortcuts,” the company said.
“If the user opens the document, the LNK payload gets launched and initiates the malicious activities in the background. To ensure the user is not suspicious, a decoy document is presented to him/her,” it said. LNK is a widely deployed Windows link format that is typically used as a shortcut to launch programs or executables.
“Once the LNK file is launched, it downloads the HTA payload from a compromised domain and executes it via mshta.exe. This HTA file is responsible for showing the decoy document to the user. In addition, it drops an executable of LimShell on disc and executes it.”
Seqrite said most of the backdoors used in this campaign are variants of NJRat, a remote access tool (RAT) or trojan which allows the holder of the program to control the end-user’s computer.
It was first found in June 2013 with some variants traced to November 2012 and was made by a hacking organization from different countries called Sparclyheason and used against targets in the Middle East.
“However, in one specific case, we came across a new payload written in C# which installs an implant that helps the attacker examine the target and install other backdoors,” Seqrite noted.
Seqrite believes that the attacks are part of a ‘cyber spying’ campaign by a “Pakistan-backed” hacker group called Transparent Tribe, and can be seen as a new wave of last year’s ‘Operation SideCopy’ which targeted India’s defence installations.
CRITICAL INFRASTRUCTURE TARGETED
According to Seqrite, the attacks have broadened this year from targeting only defence installatinos to all of India’s critical infrastructure — such as telecom, power and finance.
Access to infrastructure networks can be used in a variety of ways. It can be used to simply leak information, but more potently, can be used to bring the country to its knees any time the hacker group feels like it.
For example, the entire telecommunication and internet network can be disrupted or even brought down, power supply can be shut down and the banking system can be plunged into turmoil by erasing or blocking access to critical servers and data.
Seqrite said it suspects “this attack to be a cyber-espionage campaign aimed at collecting sensitive information to gain a competitive advantage against India.
“The evidence gathered by Seqrite suggests a highly organized operation designed to evade most security mechanisms. As part of the campaign, attackers are sending out phishing emails with governmentthemed documents in an attempt to lure targets into opening the attachments,” it added.
The firm said this year’s attacks are more sophisticated than those of last year. The hackers have “enhanced the attack tools and methods, as compared to last year, to make detection difficult.
“The final payload can capture sensitive information including screenshots, keystrokes, & files from the affected system. In addition, it can also execute commands specified as part of instructions from C2 [command and control] servers.
“This shows that this attack group is well funded and is actively improving its attack mechanisms to infiltrate the target entities. The group can potentially steal critical intel from the government agencies and their subsequent bodies. They can even use that information to make more lures and target other Government departments,” it said.
PAKISTANI LINK
The cybersecurity consultant found that the command and control servers were from Pakistan.
“Upon thorough analysis of the attack chain, the command-and-control (C2) server communication, and the available telemetry data, researchers at Seqrite could identify some compromised websites that are being used to host the attack scripts and act as C2 servers.
“Further analysis of data accessible from some C2 servers led researchers at Seqrite to an IP address that was commonly found across different C2 servers. In fact, this IP address turned out to be the first entry in many logs, which indicated that the corresponding system is likely being used for testing the attack before launch.
Further investigation of that IP, it said, revealed that the provider of that IP address is Pakistan Telecommunication Company Limited.
“This revelation further strengthens the claim that Operation SideCopy which is operated by the Transparent Tribe group is originating in Pakistan. The report further revealed the list of targets that were identified through the analyzed C2s. These targets include Critical Infrastructure PSUs from telecom, power, and finance sectors.
“This is likely only a subset of targets since there are several other C2s being used in Operation SideCopy APT,
which are probably targeting other entities,” it noted.
Seqrite alerted the Government authorities and are working with them to keep potential targets safe.