Security researchers in Norway believe a sophisticated malware campaign designed to steal information from a range of government and private enterprise organisations in Pakistan, China and elsewhere was launched from India. Norman AS investigated an attack on the Norwegian telecom operator Telenor and found evidence that the same attackers had been lifting information from businesses, political organisations and governments for as long as three years.
Norman’s Operation HangOver report on the attacks says the detected malware appears “predominantly to be a platform for surveillance against targets of national security interests”, with corporate espionage as a secondary purpose. However, the report found no direct evidence that the operation was state-sponsored.
Attackers reportedly used spear phishing and exploited known Windows vulnerabilities to drop the HangOver malware onto the target machines. Further digging showed that some of the malware had been digitally signed with a certificate that had been revoked two years earlier. A revoked signing certificate is a useful clue for attribution and for detection, but it does not by itself stop the code from running: Windows does not refuse to execute an ordinary user-mode binary because its Authenticode signature fails to validate, and the revocation is only noticed where the verifier actually checks revocation status.
Another security firm, Eset, believes, however, that the attacks are far from the work of a powerful agency, which would have covered its tracks better. "String obfuscation using simple rotation (a shift cipher), no cryptography used in network communication, persistence achieved through the startup menu and use of existing, publicly-available tools to gather information on infected systems shows that the attackers did not go to great lengths to cover their tracks," Eset said in a blog post.
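The first weakness Eset lists, string obfuscation by simple rotation, is the kind an analyst can undo in minutes. The script below is an added example, not code from Norman, Eset or the HangOver samples: it brute-forces all 256 possible byte shifts against a set of obfuscated strings and picks the shift that makes the most bytes printable. The three sample strings (a C2 URL, a user agent and a registry run key) and the shift value 47 are constructed for the example; the assumption that one shift covers every string in the binary is how such schemes are usually built, but should be confirmed per sample.

```python
"""Recover strings hidden with a byte-wise rotation (shift cipher).

Added example, not code from the Operation HangOver report or from Eset.
The obfuscated sample strings below are constructed for this example and are
not artefacts from the malware. A single shift is assumed to apply to every
string in the binary, which is how a simple rotation scheme is normally built.
"""
import string

PRINTABLE = frozenset(string.printable.encode())


def rotate(data: bytes, shift: int) -> bytes:
    """Obfuscate: add `shift` to every byte, modulo 256."""
    return bytes((b + shift) % 256 for b in data)


def unrotate(data: bytes, shift: int) -> bytes:
    """Deobfuscate: subtract `shift` from every byte, modulo 256."""
    return bytes((b - shift) % 256 for b in data)


def printable_ratio(blobs: list[bytes]) -> float:
    """Fraction of bytes, across all blobs, that are printable ASCII."""
    total = sum(len(b) for b in blobs)
    if total == 0:
        return 0.0
    hits = sum(1 for blob in blobs for byte in blob if byte in PRINTABLE)
    return hits / total


def recover_shift(blobs: list[bytes]) -> tuple[int, float]:
    """Try all 256 shifts; return (shift, ratio) giving the most printable output.

    Ties go to the smaller shift, so input that is already plaintext is
    reported as shift 0. Scoring all blobs together avoids picking a shift
    that only happens to work for one short string.
    """
    best_shift, best_ratio = 0, -1.0
    for shift in range(256):
        ratio = printable_ratio([unrotate(b, shift) for b in blobs])
        if ratio > best_ratio:
            best_shift, best_ratio = shift, ratio
    return best_shift, best_ratio


def deobfuscate(blobs: list[bytes]) -> tuple[int, list[str]]:
    """Return the recovered shift and the decoded strings."""
    shift, _ = recover_shift(blobs)
    decoded = [unrotate(b, shift).decode("ascii", errors="replace") for b in blobs]
    return shift, decoded


# Constructed sample: three typical malware strings rotated by 47 (a value
# chosen for this example). In practice the blobs come from the binary's
# data section, e.g. via a strings-style scan for runs of high bytes.
SAMPLE_SHIFT = 47
SAMPLE_PLAINTEXT = [
    b"http://203.0.113.7/~admin/upload.php",
    b"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)",
    b"Software\\Microsoft\\Windows\\CurrentVersion\\Run",
]
SAMPLE_BLOBS = [rotate(s, SAMPLE_SHIFT) for s in SAMPLE_PLAINTEXT]

if __name__ == "__main__":
    shift, strings = deobfuscate(SAMPLE_BLOBS)
    print(f"recovered shift: {shift}")
    for s in strings:
        print("  ", s)
```

Printable ratio is a crude score, and for very short strings several shifts can tie; scoring every recovered string together, as above, and then eyeballing the result for URLs, paths and API names is usually enough for a rotation this simple. Anything that resists this test is not a plain shift and needs a closer look at the decoding routine itself.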
The researchers at Norman explained that even though the company only had direct knowledge of the attack against Telenor, they were able to obtain “malware samples and decoy documents that have provided indications as to whom else would be in the target groups.” Norman’s research revealed that most of the IP addresses targeted by the malware were located in Pakistan, while systems in China, Russia and the USA also figured prominently in the list of targets. Aside from Telenor, the report listed targets such as Eurasian Natural Resources Corporation (ENRC), Bumi, Porsche Informatik, and the Chicago Mercantile Exchange. “The continued targeting of Pakistani interests and origins suggested that the attacker was of Indian origin,” the report said.
Interestingly, the report’s analysis of the malware revealed many diverging project paths, which strongly suggests that different people worked on separate projects. There are also indications that the projects were delegated as tasks, with some tasks following a monthly cycle.