A cyber espionage campaign against India and Pakistan has recently been uncovered by the security firm Symantec. Considering the attackers' methods and the nature of the targets, the researchers believe that the campaign is run by several groups of hackers and is most probably state-sponsored.
"The campaign appeared to be the work of several groups, but tactics and techniques used suggest that the groups were operating with 'similar goals or under the same sponsor', probably a nation state, according to the threat report, which was reviewed by Reuters. It did not name a state." Reuters reported.
The threat intelligence report, which Symantec sent to clients in July, states that the cyber espionage campaign dates back to October of last year.
According to the security experts, several groups of attackers share TTPs and operate with "similar goals or under the same sponsor."
The cyber espionage campaign was uncovered while tensions in the region are rising.
The military of India is intensifying operational readiness along the border with China following a face-off in Bhutan near their disputed frontier, while at the same time tensions are rising between India and Pakistan over the disputed region of Kashmir.
The attackers appear to be focused on governments and militaries with operations in South Asia and interests in regional security issues. To take control of the infected machines, the hackers leverage the "Ehdoor" backdoor.
The Backdoor.Ehdoor trojan was first noticed in September of last year. It was initially used to target government, military and military-affiliated entities in the Middle East and in some other countries.
The Ehdoor backdoor opens a back door on the compromised PC, steals information, and downloads potentially malicious files onto it.
“There was a similar campaign that targeted Qatar using programs called Spynote and Revokery,” a security expert said. “They were backdoors just like Ehdoor, which is a targeted effort for South Asia.”
The Symantec threat intelligence report states that the hackers used decoy documents related to security issues in South Asia to deliver the malware. The attackers also targeted Android devices.
"The documents included reports from Reuters, Zee News, and the Hindu, and were related to military issues, Kashmir, and an Indian secessionist movement." Reuters stated.
“The malware allows spies to upload and download files, carry out processes, log keystrokes, identify the target’s location, steal personal data, and take screenshots, Symantec said, adding that the malware was also being used to target Android devices.”
The Symantec malware experts said that the backdoor was continuously improved over time to add "additional capabilities" for spying operations.
"A senior official with Pakistan's Federal Investigation Agency said it had not received any reports of malware incidents from government information technology departments. He asked not to be named due to the sensitivity of the matter." Reuters added.