Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Attackers Target Indian Military in Data-Theft Campaign

A group of attackers believed to be from Pakistan has been targeting Indian military personnel in a data theft campaign involving social engineering and unsophisticated malware.

A group of attackers believed to be from Pakistan has been targeting Indian military personnel in a data theft campaign involving social engineering and unsophisticated malware.

The operation, dubbed “C-Major,” was uncovered by Trend Micro researchers while observing other targeted attacks. Experts discovered that the attackers managed to steal information from at least 160 military officers, attachés, consultants and resellers from India, including copies of passports and photo IDs, financial information, strategy and tactical documents, and personal photographs.

According to the security firm, the attacks started with a bogus email sent to the targeted individual. The emails purport to come from organizations such as India’s Ministry of Defense and they’re designed to trick recipients into opening an attached file that looks like a harmless document.

Once the document is opened, an Adobe Reader vulnerability is exploited and a Trojan is dropped onto the victim’s system. The said piece of malware allows attackers to log keystrokes, steal passwords, record audio, steal files and capture screenshots.

Researchers determined that the attackers are not very sophisticated because the malware is compiled into a Microsoft Intermediate Language (MSIL) binary using Visual Studio, which allows for the Trojan to be easily decompiled.

The malware’s source code contained information on its command and control (C&C) servers, which, as Trend Micro discovered, had open directories where more than 16Gb of stolen information was stored.

One of the C&C servers, whose address had been hardcoded in the malware, was located in Pakistan, and used for both Windows and mobile versions of the threat. The same server is believed to have been used in an espionage operation aimed at the Android devices of Indian military personnel.

The fact that the server is located in Pakistan has led researchers to believe that at least some members of the hacker group are from this country, but Trend Micro says it hasn’t found any evidence that the data-theft campaign is sponsored by a nation state.

Advertisement. Scroll to continue reading.

Another piece of evidence that has led experts to believe that the attackers are based in Pakistan is that the malware samples used by the group have been uploaded to VirusTotal and scanned multiple times from a user ID tied to Pakistan.

This campaign shows that even less sophisticated attackers can carry out successful operations, experts said.

“For those in charge of defending a corporate or organization network, this attack reinforces the fact that any user, regardless of rank or position, is susceptible in becoming the organization’s weakest security link,” Trend Micro said in a report detailing Operation C-Major. “As such, while network defenders should be prepared to help prevent, or minimize the damage of attacks, people who use the said network should likewise be knowledgeable of threats that could possibly come. The need for proper user awareness training is clear.”

Related: Cybercriminals Target Bank Accounts of Firms in UK, US, India

Related: LeChiffre Ransomware Hits Indian Banks, Pharma Company

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

The AI Risk Summit brings together security and risk management executives, AI researchers, policy makers, software developers and influential business and government stakeholders.

Register

People on the Move

Satellite cybersecurity company SpiderOak has named Kip Gering as its new Chief Revenue Officer.

Merlin Ventures has appointed cybersecurity executive Andrew Smeaton as the firm’s CISO-in-Residence.

Retired U.S. Army General and former NSA Director Paul M. Nakasone has joined the Board of Directors at OpenAI.

More People On The Move

Expert Insights