The first case of major cyber-espionage originating from India has been revealed in a new report.
Cyber-security firm Norman Shark claims it has found the first example of a large and sophisticated cyber-attack infrastructure that appears to have originated from India.
In the report, released today, the firm's Norwegian research centre says the attacks appear to have been conducted by private actors over a period of three years and are still ongoing.
They show no evidence of state sponsorship, but the primary purpose of the global command-and-control network appears to be intelligence gathering from a combination of national security targets and private sector companies.
“The data we have appears to indicate that a group of attackers based in India may have employed multiple developers tasked with delivering specific malware,” says Snorre Fagerland, head of research for Norman Shark.
“The organisation appears to have the resources and the relationships in India to make surveillance attacks possible anywhere in the world. What is surprising is the extreme diversity of the sectors targeted, including natural resources, telecommunications, law, food and restaurants, and manufacturing.
“It is highly unlikely that this organization of hackers would be conducting industrial espionage for just its own purposes, which makes this of considerable concern.”
The investigation revealed evidence of professional project management practices used to design frameworks, modules, and subcomponents.
It seems that individual malware authors were assigned certain tasks, and components were “outsourced” to what appear to be freelance programmers. “Something like this has never been documented before,” Fagerland adds.
The firm says the discovery is currently under investigation by national and international authorities.
The discovery began on March 17 when a Norwegian newspaper reported that Telenor, Norway’s major telecommunications company, had filed a criminal police case for an unlawful computer intrusion. Spear phishing emails targeting upper management appeared to be the source of the infection.
The behaviour pattern and file structure of the malware files made it possible for security analysts at Norman Shark to search internal and public databases for similar cases.
The amount of malware found by Norman analysts and their partners was surprisingly large, and it became clear the Telenor intrusion was not a single attack but part of a continuous effort to compromise governments and corporations worldwide.
Norman Shark titled the report “Operation Hangover” after one of the cyber-espionage malware families most frequently used in this case.
Based on an analysis of IP addresses collected from criminal data stores discovered during the investigation, it appears that potential victims have been targeted in more than a dozen countries. Specific targets include government, military and business organizations.
Attribution to India was based on an extensive analysis of IP addresses, website domain registrations, and text-based identifiers contained within the malicious code itself.
Despite all of the recent media attention on so-called “zero day” exploits encompassing brand new attack methods, Operation Hangover appears to have relied on well-known, previously identified vulnerabilities in Java, Word documents, and web browsers.
“This type of activity has been associated primarily with China over the past several years, but to our knowledge, this is the first time that evidence of cyber espionage has been shown to be originating from India,” Fagerland says. “Our study, available on the Norman website, provides assistance in what security teams need to look for.”