A slew of cyber espionage attacks has targeted high-profile individuals in India, including diplomats and military officials, using some not-so-new methods of attack: phishing and watering hole sites.
In early February, security firm Proofpoint detected in real time the cyber attacks perpetrated against India’s ambassadors based in Saudi Arabia and Kazakhstan. Based on the Internet Protocol addresses Proofpoint observed, some of the attackers are operating from Pakistan. According to the research’s findings, the attackers employed a wide variety of tactics to target those state officials, including watering hole websites and phishing campaigns using bogus emails.
The phishing campaign in particular was designed to deliver a remote access Trojan with a broad range of data-stealing functions: access to laptop cameras, screen capture and keylogging.
Reports of cyber espionage activity are nothing new. What is new, however, is detecting live attacks performed by nation states against other nations, and in particular against their officials and diplomats, in this case India’s. The attack against Indian diplomats used multiple vectors to significantly boost the attackers’ chances of hitting their targets.
Over the years, cyber attacks have become a popular method of waging geopolitical offensives. On top of the political impetus, attackers also conduct cyber crime to gain a competitive advantage for themselves or their sponsor states. This kind of attack specifically targets a nation’s critical infrastructure.
The cyber attack against the Indian diplomats is the work of an advanced persistent threat, which set up several websites to carry out the attacks. For example, one of the attack vectors used an email attachment containing weaponized RTF documents that took advantage of an old Microsoft ActiveX flaw. Exploiting this vulnerability dropped an embedded portable executable file that carried out the infection.
The Trojan bundles a number of exploits that run on the target’s computer after the payload is decoded and embedded. The infection begins with a downloader, which then installs the full-featured remote access Trojan on the victim’s machine.
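A defender-side check for the RTF vector described above, added here as an example and not code from the article or from Proofpoint: it pulls the hex-encoded `\objdata` blobs out of an RTF file, decodes them, and flags any that carry a PE image (an MZ header whose `e_lfanew` field points at a valid `PE\0\0` signature). The sample RTF and the stand-in PE are constructed for illustration.

```python
"""Flag RTF documents carrying an embedded PE (MZ) payload inside an OLE object.
Added example; the RTF and the "PE" below are constructed test fixtures."""
import re

# In RTF, embedded OLE object bytes follow the \objdata control word as hex text.
OBJDATA_RE = re.compile(rb"\\objdata\s*([0-9A-Fa-f\s]+)")

def extract_objdata(rtf: bytes) -> list[bytes]:
    """Return the decoded binary blob of every \\objdata group found in the RTF."""
    blobs = []
    for m in OBJDATA_RE.finditer(rtf):
        hexdata = re.sub(rb"\s+", b"", m.group(1))
        if len(hexdata) % 2:
            hexdata = hexdata[:-1]  # tolerate a dangling nibble
        try:
            blobs.append(bytes.fromhex(hexdata.decode("ascii")))
        except ValueError:
            continue  # malformed hex: skip, do not crash the scanner
    return blobs

def contains_pe(blob: bytes) -> bool:
    """True if any MZ header in blob has e_lfanew pointing at a PE signature.
    The PE is usually not at offset 0: OLE1 native data carries its own header."""
    for mz in re.finditer(rb"MZ", blob):
        start = mz.start()
        if start + 0x40 > len(blob):
            break
        e_lfanew = int.from_bytes(blob[start + 0x3C:start + 0x40], "little")
        if blob[start + e_lfanew:start + e_lfanew + 4] == b"PE\0\0":
            return True
    return False

def scan_rtf(rtf: bytes) -> dict:
    """Summarise embedded objects: how many, and whether any carries a PE image."""
    blobs = extract_objdata(rtf)
    return {"objects": len(blobs), "embedded_pe": any(contains_pe(b) for b in blobs)}

def _fake_pe() -> bytes:
    # Constructed stand-in for a PE file: MZ stub with e_lfanew = 0x40 -> "PE\0\0".
    hdr = bytearray(0x40)
    hdr[0:2] = b"MZ"
    hdr[0x3C:0x40] = (0x40).to_bytes(4, "little")
    return bytes(hdr) + b"PE\0\0" + b"\0" * 16

def _sample_rtf(payload: bytes) -> bytes:
    # Constructed RTF: one embedded object, payload preceded by a dummy 8-byte OLE header.
    objdata = (b"\x01\x05\x00\x00\x02\x00\x00\x00" + payload).hex().encode()
    return (b"{\\rtf1\\ansi{\\object\\objemb{\\*\\objdata " + objdata + b"}}"
            b" Briefing attached.}")

BENIGN_RTF = b"{\\rtf1\\ansi Just a plain memo with no objects.}"

if __name__ == "__main__":
    print(scan_rtf(_sample_rtf(_fake_pe())))
    print(scan_rtf(BENIGN_RTF))
```

Running this on a mail gateway’s attachment queue flags documents worth detonating in a sandbox; it does not replace patching the underlying Office flaw.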
The attackers also used bogus websites purporting to belong to trusted news organizations, as well as fake blog sites that in reality only led users to malicious payloads via links serving the Trojan. The attackers also attempted to lure victims into sharing the malicious links with the rest of the Indian military.