There is much we can learn about coordinated online activities of skilled attackers with nation-state affiliations. The following two write-ups provide a wealth of information about one such attack group, which has been targeting organization in South Asia over the past few years and appears to reside in India:
- ESET: Targeted information stealing attacks in South Asia use email, signed binaries
- Norman and Shadowserver: Operation Hangover: Unveiling an Indian Cyberattack Infrastructure (PDF)
According to these reports, the group engaged in industrial espionage and spying on political activists. The victims resided in many countries, but Pakistan stood out as the most targeted location. The attackers relied on spear phishing to gain initial access to the targeted environment. The emails were thematically appropriate to the targets and included malicious documents that exploited unpatched vulnerabilities. Some of the malware was digitally signed.
The analysts attributed these cyberattack activities to specific source by examining:
- Types and locations of the targeted organizations
- Categories and contents of the data pursued by the attackers
- Contents of decoy documents used for spear phishing
- Debug path and other strings embedded in the malicious programs
- Code-signing certificate details
- Domain registration records of the systems used by the attackers
As the result, Norman and Shadowserver researchers concluded that the attackers apparently operated from India “and have been conducting attacks against business, government and political organizations.” Similarly, ESET analysts concluded “that the entire campaign originates from India.”
In addition, Norman and Shadowserver researchers concluded that the malicious software used in these campaigns was created by multiple software developers who were “tasked with specific malware deliverances.” The developers collaborated, “working on separate subprojects, but apparently not using a centralized source control system.”