APT Targets India from Midwest

Friday, August 9, 2013 @ 03:08 PM gHale

There is a malware-based attack targeting Indian military or government entities, designed to steal information, and it is coming from systems in the Midwest of the U.S., researchers said.

The malware linked to the attack “contains specific artifacts that [link it] to a commercial Pakistani entity,” said researchers at security intelligence firm ThreatConnect.


The malware samples, which arrive either as a tainted PDF containing pension information from the Indian government or as a Flash video file, were hosted on the systems of a small ISP in the U.S. Midwest.

On the same subnet in Kansas City, MO, researchers found a .zip file full of malware under the guise of a decoy document detailing Pakistani incompetence in locating Osama Bin Laden.

“There are several different self-extracting archive samples (likely targeting campaigns) which used two different decoy methods. One of the decoy methods used PDFs, the second decoy method was Flash videos,” said Rich Barger, director of the ThreatConnect Intelligence Research Team (TCIRT).

“In all instances the malware was shrouded within India/Pakistan-themed content and was hosted with a small subnet that doubled as a command-and-control point,” he said.

Researchers said strings hidden in the malware binaries refer to an infosec company called Tranchulas, as well as to one of its employees.

Tranchulas, which does consultancy work for the Pakistani government and Telenor Pakistan, denied any involvement, saying the malware’s authors added the company’s name to the malware themselves.

ThreatConnect contacted the hosting company running the server, which was not immediately available.

Meanwhile, Tranchulas denied any involvement in the advanced persistent threat (APT):

“ThreatConnect published a detailed analysis report on 2nd August 2013 on the malware which uses HTTP service to “collect and exfiltrate documents from victim’s network.” As per subject report, this malware uses aliases that belong to Tranchulas and one of its employees.

“The report published in the ThreatConnect has been made on assumptions without thorough investigation concluding that Tranchulas is involved directly or indirectly in the activity of cyber espionage.”

China often takes the blame for online attacks that use malware and spear phishing to extract information, typically aimed at stealing blueprints from key industries such as aerospace and clean energy. ThreatConnect’s research, though inconclusive about who is responsible, suggests that regional tensions between India and Pakistan are beginning to spawn APT attacks as well.
