by David Sancho and Feike Hacquebord
Are cyber-militant groups in Pakistan targeting the Indian military? This is our question when we came across an information theft campaign in India that has stolen passport scans, photo IDs, and tax information from 160 Indian military officers, military attaches stationed in the said country, consultants, and resellers. Some evidence suggests that the attackers behind this campaign, which we’re dubbing “Operation C-Major”, are based out of Pakistan, although no evidence suggests ties to the government.
We came across this operation while monitoring other targeted attack campaigns. While not particularly sophisticated, this operation was still able to get sensitive information that was probably acquired from restricted sources within the Indian government. This shows that targeted attacks don’t need to be well-planned operations backed by a big budget and sufficient resources. What attackers may lack in technical sophistication, they can make up for through tenacity, persistence, and clever social engineering.
Assessment of the Overall Operation
This operation has the information theft capabilities that could be expected of the typical targeted attack – albeit not one that was particularly well-executed. Though probably not as well funded as other targeted attacks, the people behind the operation made do with tenacity in social engineering to get inside target networks.
The attackers were unable to keep their server’s whereabouts completely hidden, leading to the discovery of information concerning the targets involved. The campaign shows that even military officers (supposedly trained to handle suspicious individuals) can fall victim to social engineering ploys. The lack of user education and incident mitigation may well invite more attacks in the future.
Reaching the Targets
As is generally the case, the targets were initially sent emails with subject lines and text that were appropriate to the target. In one example, the emails purported to come from the Indian Defense Minister. This email was sent to the military attaché of a foreign country assigned to India:
Figure 1. Actual email that were sent to the targets (Click to enlarge)
The primary targets were field-grade officers in the Indian military – brigadiers, colonels, lieutenant colonels, majors, and even some lieutenants.
Sloppy coding practices
The malware was compiled into an MSIL binary using Visual Studio. This means that the original source code was probably in VB# (Visual Basic .NET) or C# (the .NET version of C++). This also means that the developers weren’t aware that these programs can be decompiled in a trivial manner: the attackers provided the source code for free. No truly sophisticated attacker would have created and compiled their malware in this manner.
This gave us a clue as to the level of sophistication the attackers had.
Analysis of the malware allowed us to find three C&C servers that this attack used. These servers also contained open directories where the stolen information was stored, allowing us to see what information were stolen.
The data stolen contained ID data such as passport scans and other means of identification, salary and taxation data (mainly in the form of PDF payslips), army strategy and tactical documents, army training documents, and personal photos.
Figures 2-4. Data stolen from the selected targets
One C&C server was hardcoded into the malware itself. We were able to identify that both Windows and mobile malware shared this server, which was located in Pakistan. The same server is believed to be tied to attempts to spy on Android-using members of the Indian military.
The use of a server in Pakistan suggests that at least some of the attackers come from there as well. However, there is no specific evidence that this attack was state-sponsored. The relative lack of sophistication raises many questions as well. However, the targets and the overall objective of the campaign were clear: Indian military officers were targeted, with the acquisition of classified information a key goal of the attack.
Defending against similar threats
Attackers are capable of infiltrating their targets even if they possess more limited means. In the world of cybersecurity, the effort and tools necessary to inflict damage unto their targets are more often miniscule compared to the cost of their campaign succeeding.
In the same way that there are different levels of cybercriminals with varying levels of sophistication, the same thing applies to spies and info-stealing attacks. Methods of defense in the technological realm are, of course, recommended—one could say they are a must nowadays—but do not underestimate plain social engineering attacks on the basis that only cyber-criminals lurk behind all malicious attachments.
The attackers don’t need sophisticated tools in order to conduct a successful targeted attack operation and in cases such as these, the same thing can be said of a successful defense.
Technical details about this attack are covered in the technical brief, “Operation C-Major: Information Theft Campaign Targets Military Personnel in India“.