The security firm Symantec has discovered another cyber espionage campaign against India and Pakistan which is likely to be state-sponsored.

Security experts at Symantec have uncovered a sustained cyber spying campaign against Indian and Pakistani entities involved in regional security issues.

The nature of the targets and the threat actors’ techniques suggest it is a state-sponsored campaign likely powered by several groups of hackers.

“The campaign appeared to be the work of several groups, but tactics and techniques used suggest that the groups were operating with “similar goals or under the same sponsor”, probably a nation state, according to the threat report, which was reviewed by Reuters. It did not name a state.” reported the Reuters.

According to a threat intelligence report, Symantec sent to clients in July, the cyber espionage campaign dated back to October 2016.

The experts speculate the involvement of several groups that shared TTPs operating with “similar goals or under the same sponsor.”

The cyber espionage campaign was uncovered while tensions in the region are raising.

India’s military is intensifying operational readiness along the border with China following a face-off in Bhutan near their disputed frontier, at the same time tensions are rising between India and Pakistan over the disputed Kashmir region.

The threat actors appear focused on governments and militaries with operations in South Asia and interests in regional security issues. Attackers leverage the “Ehdoor” backdoor to gain control over infected machines.

Backdoor.Ehdoor is a Trojan horse first spotted in September 2016, it was initially used to target government, military and military-affiliated entities in the Middle East and elsewhere.

The Ehdoor backdoor opens a back door, steals information, and downloads potentially malicious files onto the compromised computer.

“There was a similar campaign that targeted Qatar using programs called Spynote and Revokery,” said a security expert, who requested anonymity. “They were backdoors just like Ehdoor, which is a targeted effort for South Asia.”

According to the Symantec report, attackers used decoy documents related to security issues in South Asia in to deliver the malware. The attackers was also being used to target Android devices.

“The documents included reports from Reuters, Zee News, and the Hindu, and were related to military issues, Kashmir, and an Indian secessionist movement.” states the Reuters.

“The malware allows spies to upload and download files, carry out processes, log keystrokes, identify the target’s location, steal personal data, and take screenshots, Symantec said, adding that the malware was also being used to target Android devices.”

Gulshan Rai, the director general of CERT-In, hasn’t commented the cyber espionage campaign, but he said: “We took prompt action when we discovered a backdoor last October after a group in Singapore alerted us.”

According to malware researchers at Symantec, the backdoor was continuously improved over the time to implement “additional capabilities” for spying operations.

“A senior official with Pakistan’s Federal Investigation Agency said it had not received any reports of malware incidents from government information technology departments. He asked not to be named due to the sensitivity of the matter.” continues the Reuters.

“A spokesman for FireEye, another cybersecurity company, said that based on an initial review of the malware, it had concluded that an internet protocol address in Pakistan had submitted the malware to a testing service. The spokesman requested anonymity, citing company policy.”

Pierluigi Paganini

(Security Affairs – backdoor, India)

Share this...

Linkedin Reddit Pinterest

Share On