22 August 2014

US researchers uncover Pak cyber espionage group targeting India with suspected Govt links

August 20, 2014 

US-based researchers have uncovered an Islamabad-based cyber espionage group that targets India and is suspected to have direct links with the Pakistani government.
The group, which has been tracked by a joint research team for over a year, is believed to have sent out malware that infects targeted computers in India and searches them for key documents and files, which are then routed back to Pakistan through a complex online web.

While Pakistani cyber groups have been targeting Indian entities for years, what sets this new report by FireEye Labs and CyberSquared Inc's ThreatConnect Intelligence Research Team (TCIRT) apart is the fact that the group is suspected to have direct contact with the Pakistan government, pointing to a larger, possibly state-sponsored effort.

The report, titled 'Operation Arachnophobia', reveals that the Islamabad-based company Tranchulas is suspected to have initiated the 'Bitterbug' malware, which is spread through documents aimed at a key Indian target group. There is, however, little information in the report on the extent of the damage the malware has done to Indian entities.

The malware, which has the ability to identify specific files on the target computer, has been spread through documents such as a report last year on the 'then-recent death of "Sarabjit Singh"', the Indian national who had been imprisoned in Pakistan on espionage charges, as well as an 'Indian Government pension memorandum'.

Other documents that were used to spread the bug included a document on the arrest and indictment of diplomat Devyani Khobragade in New York in December last year. 

The researchers indicate that it is highly probable that Tranchulas is connected to the Pakistan government. "It is likely that Tranchulas provides services to the Pakistani government. The offensive cyber initiative services offered by Tranchulas is offered to "national-level cyber security programs" suggesting a commercial demand from "national-level" customers," the report says.

The bug, the report elaborates, is directed at India. "Operation Arachnophobia consists of an apparent targeted exploitation campaign, dating back to early 2013, using the BITTERBUG malware family and seemingly directed against entities involved in India-Pakistan issues," the report says, adding that it can 'confidently point to many characteristics of a Pakistan-based cyber exploitation effort that is probably directed against Indian targets or those who are involved in India-Pakistan issues'.

How it works:

BITTERBUG uses India-specific documents and files to infect a computer. These can range from a document on the Khobragade affair to a report on Sarabjit Singh and Indian government circulars.

Once in the system, BITTERBUG scans for files with extensions like .doc, .ppt, .xls, .pdf, .docx, .pptx, .pps and .xlsx.

A file list containing all documents is then generated.

After this, a message is sent to the attacker reporting that the computer is compromised. The files are then exported to the Islamabad-based cyber company.
