The large-scale cyberattacks that hit Norway’s state telecoms firm Telenor in March didn’t originate from China as many assumed but from a previously unknown Indian cybercrime group, an analysis by Norman Shark has found.
Significantly, the incident was not an isolated assault and appears to be part of a much larger industrial espionage campaign targeting multiple firms across the globe, the company said.
Is India a new front line for the spread of large-scale cybercrime?
According to the Operation Hangover report (co-authored with a Shadowserver Foundation researcher), the previously unknown group the researchers now believe was the source of this attack has been especially active in 2012 and so far in 2013, and has existed for as long as four years.
The Telenor attacks were assumed by some to have come from China simply because large-scale APTs are now firmly associated with that country. It appears they might have underestimated the capabilities of non-Chinese hacking groups doing the job on a jobbing basis.
Having crunched information on what happened from Telenor, Norway’s national CERT and the Norwegian National Security Authority, the researchers uncovered an extensive, longstanding but not particularly well-secured command & control infrastructure and traces of the custom Trojan malware the group used.
On that topic, the typical tactic was to use Visual Basic downloaders modified from the ‘Smackdown’ family, with the adjustment being the work of a single programmer nicknamed “Yash”; the data keylogging was carried out by HangOver variants.
Norman also found evidence not only of the data-stealing attack attempted (but not confirmed to have been successful) against Telenor but directed at a wide range of other firms and countries, including in the US, Iran, China, Taiwan, Thailand, Jordan, Indonesia, UK, Germany, Austria, Poland, Romania and a political activist based in Norway.
However, the largest number of attacks appeared to be against Pakistan and political movements on the sub-continent, with some even conducted against targets in China.
The most likely explanation for the diversity of targets is that the attacks are the work of an ambitious freelance hacking group with some Indian association and a willingness to take on as much work as possible. There is no evidence of Indian state involvement.
The group doesn’t go to great lengths to undermine its targets; software exploits are all known ones rather than zero days. It is also a sizable operation because Norman found hints that the malware it has been turning out is the work of an organised group that uses a division of labour to turn out code quickly.
“The data we have appears to indicate that a group of attackers based in India may have employed multiple developers tasked with delivering specific malware,” said Norman Shark’s head of research, Snorre Fagerland.
“The organisation appears to have the resources and the relationships in India to make surveillance attacks possible anywhere in the world,” he said.
“What is surprising is the extreme diversity of the sectors targeted, including natural resources, telecommunications, law, food and restaurants, and manufacturing. It is highly unlikely that this organization of hackers would be conducting industrial espionage for just its own purposes - which makes this of considerable concern.”
At face value, it appears that a bunch of rogue Indian-based developers have set up to rent themselves out to any paymaster, a disturbing development if only because it underlines the way cybercrime is rapidly globalising.
There is nothing hugely complex about the Indian APTs but, of course, many would make the same point about Chinese APTs; their potency is down to their industrial scale, niche targeting, and modus operandi of taking the path of least resistance, namely spear phishing.