An espionage campaign based in India is targeting Pakistan infrastructure in a bid to steal national-security information, researchers say.
The campaign was dubbed Operation Hangover by Norway-based security firm Norman ('hangover' appeared in a malware text string), which first caught a glimpse of the network in March when Norwegian telco Telenor was hit by malware delivered via spear phishing attacks.
"We thought that was pretty interesting, and we started digging into this malware," Norman principal security researcher Snorre Fagerland said.
The investigation showed that the operation dated back several years, with the attack infrastructure primarily used as a means to extract security-related information from neighbouring Pakistan and, to a lesser extent, China.
But there's no indication that any of the efforts are state-sponsored, Fagerland said.
"We just got indications today of more Pakistani targets than I was aware of," he said. "We probably haven't mapped out all of that completely."
Early last year the attacks delivered malware to a motley collection of sectors, affecting high-profile victims in the United States including the Chicago Mercantile Exchange and a number of law firms and design companies.
Austria-based Porsche was also hit, as were a few manufacturing organisations in the UK.
The campaign appears connected to a recently discovered compromise of an Angolan dissident's computer at a human rights conference in Oslo.
Some of the attacks are leveraging already-patched vulnerabilities in products like Microsoft Word and Oracle's Java, but in many of the cases, the saboteurs are relying on victims merely running an executable.
All told, as part of the campaign, Norman has studied 8000 strains of malware and 600 domains or subdomains that are either serving malware or receiving uploaded data from its targets. However, none of the malware being used is particularly advanced, Fagerland added.
ESET researchers agreed, saying the malware didn't employ techniques that could help it evade detection, such as obfuscation or network communication encryption.
"Targeted attacks are all too common these days, but this one is certainly noteworthy for its failure to employ advanced tools to conduct its campaigns," malware researcher Jean-Ian Boutin said.
"[P]ublicly available tools to gather information on infected systems show that the attackers did not go to great lengths to cover their tracks. On the other hand, maybe they see no need to implement stealthier techniques because the simple ways still work."
Fagerland said researchers are convinced all of the attacks are related, based on the malware design that's being used. In addition, they are confident the intruders are operating out of India, an attribution based on IP addresses, domain registrations and identifiers contained in the malware code.
However, India, despite being a tech-savvy nation, isn't a place that one often associates with well-coordinated digital espionage campaigns, he said, mostly because the country is fairly Westernised and democratised.
It's probable, Fagerland said, that the IP theft that is happening is not being done at the government's behest but as part of contract work with some other party that may not even be based in India.
"What I also think we're looking at is there appears to be a market for this kind of service, if it is indeed a service," Fagerland said. "Quite a lucrative market. If we're talking about valuable IP which is being stolen, that is very likely quite expensive."
But compared to China, analysing the state of persistent threats in India is much easier.
"That seems like a chaotic situation," Fagerland said of China. "You have lots and lots of different people, but it's very difficult to find out how all these people interconnect and how they operate by and large. But when it comes to this actor, everything becomes very niche and tidy. Malware creation is doled out in nice packages. It's very systematic, if not advanced."
Yet, he admitted, there could be many other groups operating in India, performing similar acts.