
India-Linked Hackers Targeting Pakistani Government, Law Enforcement

The India-linked threat actor SloppyLemming has been targeting government, law enforcement, and other entities in Pakistan.

A threat actor likely operating out of India is relying on various cloud services to conduct cyberattacks against energy, defense, government, telecommunication, and technology entities in Pakistan, Cloudflare reports.

The group, which Cloudflare tracks as SloppyLemming, overlaps in its operations with Outrider Tiger, a threat actor that CrowdStrike previously linked to India and which is known for using adversary emulation frameworks such as Sliver and Cobalt Strike in its attacks.

Since 2022, the hacking group has been observed relying on Cloudflare Workers in espionage campaigns targeting Pakistan and other South and East Asian countries, including Bangladesh, China, Nepal, and Sri Lanka. Cloudflare has identified and mitigated 13 Workers associated with the threat actor.

“Outside of Pakistan, SloppyLemming’s credential harvesting has focused primarily on Sri Lankan and Bangladeshi government and military organizations, and to a lesser extent, Chinese energy and academic sector entities,” Cloudflare reports.

The threat actor, Cloudflare says, appears particularly interested in compromising Pakistani police departments and other law enforcement organizations, and is likely targeting entities associated with Pakistan’s sole nuclear power facility.

“SloppyLemming extensively uses credential harvesting as a means to gain access to targeted email accounts within organizations that provide intelligence value to the actor,” Cloudflare notes.

Using phishing emails, the threat actor delivers malicious links to its intended victims, relies on a custom tool named CloudPhish to create a malicious Cloudflare Worker for credential harvesting and exfiltration, and uses scripts to collect emails of interest from the victims’ accounts.

In some attacks, SloppyLemming also attempted to collect Google OAuth tokens, which were delivered to the actor over Discord. Malicious PDF files and Cloudflare Workers were seen being used as part of the attack chain.


In July 2024, the threat actor was seen redirecting users to a file hosted on Dropbox that attempts to exploit a WinRAR vulnerability tracked as CVE-2023-38831 in order to load a downloader. The downloader fetches a remote access trojan (RAT) from Dropbox; the RAT is designed to communicate with several Cloudflare Workers.
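The WinRAR flaw named above, CVE-2023-38831, is triggered by a ZIP archive that places a decoy document next to a directory of the same name plus a trailing space, holding a script whose name also begins with the decoy's name; opening the decoy in an affected WinRAR version runs the script instead. A defender who wants to triage attachments for that layout can check the archive listing directly. The check below is an added example and is not code from the SecurityWeek article or from Cloudflare's research; the script extension list and the sample archives are assumptions constructed for illustration.

```python
"""Flag ZIP archives laid out in the CVE-2023-38831 (WinRAR) exploit pattern.

Added example, not from the original article. Inputs are constructed in-memory
archives so the check runs offline.
"""
import io
import zipfile

# Extensions WinRAR would hand to the shell for execution. This is an
# assumed, representative list rather than an exhaustive one.
SCRIPT_EXTS = (".cmd", ".bat", ".exe", ".vbs", ".js", ".ps1", ".scr")


def find_decoy_pairs(zip_bytes: bytes) -> list[tuple[str, str]]:
    """Return (decoy_file, script_entry) pairs found in the archive.

    The pattern looked for: a top-level file such as 'invoice.pdf' alongside
    an entry 'invoice.pdf /invoice.pdf .cmd', i.e. a directory named like the
    decoy with a trailing space, containing a script with a script extension.
    """
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = zf.namelist()
    # Directory entries end in '/'; only file entries matter here.
    files = {n for n in names if not n.endswith("/")}
    hits = []
    for decoy in files:
        if "/" in decoy:
            continue  # only top-level decoys are double-clicked by the victim
        prefix = decoy + " /"  # same name as the decoy, trailing space, then '/'
        for entry in files:
            if entry.startswith(prefix) and entry.lower().endswith(SCRIPT_EXTS):
                hits.append((decoy, entry))
    return sorted(hits)


def build_sample(malicious: bool) -> bytes:
    """Build a constructed sample archive (not a real attacker artefact)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.pdf", b"%PDF-1.4 constructed decoy")
        if malicious:
            # zipfile stores the name verbatim, trailing space included.
            zf.writestr("invoice.pdf /invoice.pdf .cmd",
                        b"@echo off\r\necho constructed sample\r\n")
        else:
            zf.writestr("attachments/notes.txt", b"benign content")
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in (("malicious", build_sample(True)),
                        ("benign", build_sample(False))):
        print(label, find_decoy_pairs(blob))
```

The check keys on the archive listing alone, so it can run on mail-gateway or sandbox extractions without opening the archive in WinRAR; a non-empty result is a strong signal worth quarantining, while an empty result only means this particular layout is absent.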

SloppyLemming was also observed delivering spear-phishing emails as part of an attack chain that relies on code hosted in an attacker-controlled GitHub repository to check when the victim has accessed the phishing link. Malware delivered as part of these attacks communicates with a Cloudflare Worker that relays requests to the attackers’ command-and-control (C&C) server.

Cloudflare has identified tens of C&C domains used by the threat actor, and analysis of their recent traffic suggests that SloppyLemming may intend to expand its operations to Australia or other countries.


Written by Ionut Arghire, an international correspondent for SecurityWeek.
