Pakistani bodies, including government organisations, are the main target, but UK, US and Chinese groups also targeted
Investigations into the attack infrastructure were kicked off following a compromise of Norwegian telecoms giant Telenor in March. The campaign has been ongoing for over three years, and the targets appear to be global and diverse in nature.
Attackers used known vulnerabilities in Microsoft software, chucking malware dubbed HangOver onto target machines, most of which were based in Pakistan, where 511 infections associated with the campaign were detected. HangOver installs keyloggers, takes screenshots and records victims’ browser usage, before sending the pilfered data off to remote servers by FTP or HTTP.
Norman Shark, the Norwegian security company that researched the operation, said it appeared the London-based Eurasian Natural Resources Corporation (ENRC) was a likely target. ENRC had not responded to a request for comment at the time of publication.
In the attacks on Pakistani organisations, spear phishing emails were sent out purporting to contain information on “ongoing conflicts in the region, regional culture and religious matters”, according to Norman.
Norman could not provide direct attribution to the attacks, but its report did note the following: “The continued targeting of Pakistani interests and origins suggested that the attacker was of Indian origin.”
Snorre Fagerland, principal security researcher in the Malware Detection Team at Norman, told TechWeekEurope it appeared Pakistani government bodies had been attacked.
“We know pretty well at least one computer in a government body was infected with uploader malware for at least a few hours in 2012,” Fagerland told TechWeek. “We also have indications an embassy belonging to Pakistan has been connecting to the same infrastructure.”
There was another association with India in the repeated appearance of the word “Appin”. “There seems to be some connection with the Indian security company called Appin Security Group,” Norman wrote.
“By this, we are not implicating or suggesting inappropriate activity by Appin. Maybe someone has tried to hurt Appin by falsifying evidence to implicate them. Maybe some rogue agent within Appin Security Group is involved, or maybe there are other explanations. Getting to the bottom of that is beyond our visibility.
“The strings ‘Appin’, ‘AppinSecurityGroup’, and ‘Matrix’ are frequently found inside executables.”
Domains used by the attack infrastructure also used the name Appin. Again, this does not prove any involvement from Appin.
“Another example is the domain zerodayexploits.org. This domain has a history of resolving to a series of malicious IP addresses used for malware attacks (220.127.116.11, 18.104.22.168). This website which offers bounties for zero-day exploits, claims to be founded by ‘Appin Morpheus’ and powered by Appin,” the Norman report read.
Appin describes itself as the world’s fourth largest critical infrastructure security provider. It had not responded to requests for comment at the time of publication.
Another firm, Mantra Tech Ventures, was also alleged to be hosting a number of malicious sites run by the attackers, Norman said, although that may well have been a coincidence. Mantra had also not responded to a request for comment at the time of publication.
Activists were also targeted. The Khalistan movement, a secessionist group hoping to create a separate Sikh nation in the Punjab region, and the Nagaland movement, another group hoping for a sovereign homeland covering parts of India and Burma, were attacked.
A follow-up blog post from Norman said malware that targeted an Angolan activist, uncovered last week, was using the Indian infrastructure. And the restaurant industry was also a big attraction for the hackers.
The wide array of targets could mean the attackers are renting our their infrastructure. “It could mean they are doing things on contract,” Fagerland added.
Norman’s research expands on findings from ESET last week, which pointed to various attacks emanating from India on Pakistani groups.
UPDATE: Appin contacted TechWeekEurope to distance itself from any suggestion it was involved in the attacks. As our report noted, there was never any accusation Appin had done anything, only that their name had been mentioned in the attackers’ code.
The company sent an opinion letter from security expert Professor Solange Ghernaouti, in which she said there was no proof Appin was connected to the attacks, as this report had also noted.
“The chain of reasoning can appear attractive, but is subject by its very nature (dynamic addresses, obfuscated code, hidden and mobile website registrations) to a degree of uncertainty and multiple interpretations,” she said. “In any case, it does not constitute solid evidence or prove anything.”
Appin has now asked Norman to issue a retraction. “I cannot comment on Appin’s questions or statements on the report and all I can say is that I stand behind the results that are in the report that are on the website,” Fagerland added.
What do you know about Internet security? Find out with our quiz!
Originally published on eWeek.