A FireEye research report has revealed that specialized malware was used to target Indian government and military personnel in order to collect intelligence
FireEye revealed a cyber threat operation in which malware was used against targets in India and Pakistan since at least 2013. The threat group behind the operation likely reached its targets by sending spear phishing emails with malware attachments. The lures used in the emails were related to regional military and defense issues, often involving India-Pakistan relations and current events.
Based on the themes used in the emails and decoy documents, it is likely the threat actor intended to target Indian government and military personnel, as well as political dissidents in Pakistan, in order to collect intelligence. “The line between real world conflict and cyber conflict continues to blur. Wherever you see geopolitical tensions you are likely to find cyber campaigns beneath the surface,” said Bryce Boland, FireEye chief technology officer for Asia Pacific. “We help organizations use threat intelligence to improve their defences against advanced attacks, because this forces threat actors to reinvest in new tools. When they pause to retool, it disrupts their operations.”
FireEye believes the group has a collaborative malware development environment and employs focused targeting. It appears to have operated consistently since 2013.
The threat actor’s malware has two primary components: a downloader and the SEEDOOR backdoor. SEEDOOR is often initially delivered to a target system by the downloader and then opens a backdoor into the victim’s system. SEEDOOR’s built-in functionality includes interacting with the file system, simulating mouse clicks, starting and terminating processes, transferring files, making recordings and screenshots of the desktop, recording sound from a microphone, recording and taking snapshots from webcams, and in some cases collecting Microsoft Outlook emails and attachments.
The threat actor used a variety of lures focused on defense and military topics, as well as issues pertinent to India-Pakistan relations, including regional areas of conflict such as Afghanistan or, separately, Balochistan (a Pakistani province). In multiple instances, the threat actor named the malware attachments after the titles of news articles from popular Pakistani news sites, including Dawn and the Express Tribune, and in multiple cases it quickly turned the latest news events into lure themes. The actor also used images of women, including several associated with India or Pakistan.
The significant use of Pakistani infrastructure for command and control, the nature of lure themes targeting Pakistani separatists and Indian military entities, and borrowed news titles from prominent Pakistan news outlets may indicate a potential Pakistani threat sponsor.
Lure Themes
Terror attacks: Following a terrorist attack in Pakistan on Dec. 29, 2015, the threat actor created a malware variant and titled it to appear as if it was a YouTube video about the attack. The threat actor also capitalized quickly on an attack at an Indian Air Force base in early 2016 as a theme for lure documents.
Defense and Military: The threat actor used a variety of military and defense themes in its decoy documents, including topics related to military training and lifestyle. Multiple lures included specific references to Indian defense or military entities. One decoy document appeared to have classified portion markings and contained information regarding the Indian Ministry of Defence and military research and modernization.
Afghanistan: FireEye observed the threat actor use lures related to the conflict in Afghanistan and relevant peace negotiations, and Afghan diplomatic and government officials.
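The lures described above all depend on an attachment that looks like a news article or a video but actually carries the downloader. One cheap check a mail gateway or triage script can make is to compare what the filename claims with what the leading bytes of the file actually are. The following Python is an added example, not FireEye's tooling and not anything the report describes the campaign using; the sample attachments are constructed here, and the heuristics it applies (magic bytes versus extension, double extensions, right-to-left override characters) are general spear-phishing attachment checks rather than details the report attributes to this actor.

```python
"""Flag mail attachments whose real content does not match the name they carry.
Added illustration only; the sample attachments below are constructed, not
artefacts from the campaign the article describes."""
import re

# Leading-byte signatures for container types a lure attachment might claim to be.
MAGIC = {
    b"MZ": "pe",                  # Windows executable: EXE, DLL, SCR, PIF
    b"%PDF": "pdf",
    b"PK\x03\x04": "zip",         # also OOXML: DOCX, XLSX, PPTX
    b"\xd0\xcf\x11\xe0": "ole",   # legacy DOC, XLS, PPT
    b"\x1a\x45\xdf\xa3": "mkv",   # Matroska / WebM video
}

# Content type implied by a filename extension.
EXT_TO_TYPE = {
    ".exe": "pe", ".scr": "pe", ".pif": "pe", ".com": "pe",
    ".pdf": "pdf",
    ".docx": "zip", ".xlsx": "zip", ".pptx": "zip",
    ".doc": "ole", ".xls": "ole", ".ppt": "ole",
    ".mkv": "mkv", ".webm": "mkv", ".mp4": "mp4",
}

# "video.mp4.scr" style names: a media/document extension followed by an executable one.
DOUBLE_EXT = re.compile(r"\.(mp4|avi|mkv|jpe?g|png|pdf|docx?)\.(exe|scr|pif|com)$", re.I)


def sniff(data: bytes) -> str:
    """Coarse content type from the first bytes, or 'unknown'."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    if len(data) >= 8 and data[4:8] == b"ftyp":   # ISO media (MP4/MOV) 'ftyp' box
        return "mp4"
    return "unknown"


def claimed_type(name: str) -> str:
    """Content type the final extension of the filename implies."""
    m = re.search(r"(\.[A-Za-z0-9]+)$", name)
    return EXT_TO_TYPE.get(m.group(1).lower(), "unknown") if m else "unknown"


def analyze(name: str, data: bytes) -> dict:
    """Verdict for one attachment: what it claims to be, what it is, and why it is suspicious."""
    actual, claimed = sniff(data), claimed_type(name)
    reasons = []
    if actual == "pe" and claimed != "pe":
        reasons.append("executable content behind a non-executable name")
    elif "unknown" not in (actual, claimed) and actual != claimed:
        reasons.append(f"extension implies {claimed}, content is {actual}")
    if DOUBLE_EXT.search(name):
        reasons.append("double extension hides an executable")
    if "\u202e" in name:   # RIGHT-TO-LEFT OVERRIDE reverses the extension as displayed to the user
        reasons.append("right-to-left override character in filename")
    return {"name": name, "claimed": claimed, "actual": actual,
            "suspicious": bool(reasons), "reasons": reasons}


def scan(attachments) -> list:
    """Names of the attachments that fail at least one check."""
    return [v["name"] for v in (analyze(n, d) for n, d in attachments) if v["suspicious"]]


# Constructed samples: a PE stub with a video-style name, a PE named like a
# news headline, and two benign documents.
SAMPLES = [
    ("attack_video.mp4.scr", b"MZ\x90\x00" + b"\x00" * 60),
    ("Headline_article.docx", b"MZ\x90\x00" + b"\x00" * 60),
    ("briefing.docx", b"PK\x03\x04" + b"\x00" * 26),
    ("report.pdf", b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n"),
]

if __name__ == "__main__":
    for name, data in SAMPLES:
        print(analyze(name, data))
    print("flagged:", scan(SAMPLES))
```

The check only looks at the first bytes and the name, so it catches a dropper renamed to look like a video or a document, not a genuine Office or PDF file carrying an exploit or macro; those still need detonation or a parser-level inspection. It also says nothing about the decoy content itself, which in this campaign was chosen to match the target's interests rather than to evade scanners.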
- See more at: http://computer.financialexpress.com/news/surveillance-malware-used-to-lure-indian-government-and-military-personnel/16695/#sthash.bCjSYLt8.dpuf