A cyber espionage campaign suspected to have originated in Pakistan, active since at least 2012 and detected only in February this year, has been targeting top officials in the Indian military and the Ministry of External Affairs, including diplomats posted at India’s embassies in Kazakhstan and Saudi Arabia. The attacks are still going on. They were first detected by Proofpoint, a United States-based cyber security company that monitors mobile, social and email traffic globally.
Sensitive information stored on the computers of those being targeted is being extracted after an initial compromise through “spear phishing”. Spear phishing is done by sending an email crafted to look as though it comes from an individual or organisation the recipient knows, but which in reality is sent by an attacker seeking a foothold on the recipient’s system, here through a malicious attachment or link.
According to Proofpoint, the hackers infect the victim’s system with RATs (Remote Access Trojans), which give them complete control over the user’s PC, operated from a remote location. RATs are a long-established class of espionage malware rather than a new discovery; they are difficult to remove once installed, and they can steal various kinds of data stored on the host PC and transmit it to a remote server.
Proofpoint first discovered the attack on 11 February 2016 when the official email address of the Indian defence attaché in Kazakhstan, email@example.com (available on the embassy website), received a mail with an attachment, and within two minutes a similar mail with the same attachment was received by the Indian defence attaché in Saudi Arabia at his official email address, firstname.lastname@example.org (available on the embassy website). The attachment was a Word document named “HarrasmentcaseShakuntala.doc”. The mail read, “Respected Sir, I am Shakuntala. I am requesting you to please consider my request.” As soon as the unsuspecting recipient, taking it to be an email from an Indian national in trouble, opened the attachment, the document executed the attacker’s code and the system was infected.
All this is documented in the Proofpoint report, a copy of which is with this newspaper.
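The traits of the lure described above (an external sender, a short personal appeal, a legacy Office attachment) are what a mail gateway or an analyst’s triage script looks for. The following is an added example, not code from the Proofpoint report or from this newspaper: it parses one raw email and lists the indicators it finds. The mail domains, the sender address and the benign comparison message are constructed; the attachment name and the body text are those quoted in the article, and the attachment body is only the OLE2 file header, not a real document.

```python
"""Added example (not from the Proofpoint report or this newspaper): a triage pass over
one raw e-mail that flags the spear-phishing traits described above: an external sender,
a Reply-To that differs from From, and an Office attachment from outside the organisation.
The mail domains and the benign message are constructed; the attachment name and the body
text are the ones quoted in the article."""
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Assumption: the receiving organisation's own mail domain. Any other domain is "external".
TRUSTED_DOMAINS = {"example.org"}

# Attachment types that carry active content or feed exploit-prone parsers (.doc is what the lure used).
ACTIVE_ATTACHMENT_EXTENSIONS = (".doc", ".docm", ".docx", ".xls", ".xlsm", ".rtf", ".exe", ".scr")

# Magic bytes of an OLE2 compound document, the container format of legacy .doc/.xls files.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def triage(raw_bytes):
    """Return the list of indicators seen in one RFC 5322 message (bytes).

    An empty list means none of the traits above were observed; it is not a clean bill of health.
    """
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    indicators = []

    from_addr = parseaddr(msg.get("From", ""))[1].lower()
    domain = from_addr.rpartition("@")[2]
    external = domain not in TRUSTED_DOMAINS
    if external:
        indicators.append(f"external sender: {from_addr or '<none>'}")

    # A Reply-To pointing somewhere other than From is a classic sign of a spoofed sender.
    reply_to = parseaddr(msg.get("Reply-To", ""))[1].lower()
    if reply_to and reply_to != from_addr:
        indicators.append(f"reply-to differs from sender: {reply_to}")

    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        payload = part.get_payload(decode=True) or b""
        if external and name.endswith(ACTIVE_ATTACHMENT_EXTENSIONS):
            indicators.append(f"active-content attachment from external sender: {name}")
        if payload.startswith(OLE2_MAGIC):
            # Legacy binary Office format: can embed VBA macros and has a long history of
            # parser exploits, so it ranks above the XML-based formats.
            indicators.append(f"legacy OLE2 Office document: {name}")
    return indicators


def build_lure():
    """Constructed reproduction of the attachment lure; the sender address is invented."""
    msg = EmailMessage()
    msg["From"] = "Shakuntala <shakuntala@example.net>"
    msg["To"] = "defence.attache@example.org"
    msg["Subject"] = "Request"
    msg.set_content("Respected Sir, I am Shakuntala. I am requesting you to please consider my request.")
    # Only the OLE2 header plus padding: enough to exercise the magic-byte check, no real document.
    msg.add_attachment(OLE2_MAGIC + b"\x00" * 24, maintype="application", subtype="msword",
                       filename="HarrasmentcaseShakuntala.doc")
    return msg.as_bytes()


def build_benign():
    """Constructed internal message with a PDF attachment, to show the checks discriminate."""
    msg = EmailMessage()
    msg["From"] = "Registry <registry@example.org>"
    msg["To"] = "defence.attache@example.org"
    msg["Subject"] = "Duty roster"
    msg.set_content("Roster attached.")
    msg.add_attachment(b"%PDF-1.4\n%%EOF\n", maintype="application", subtype="pdf",
                       filename="roster.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for label, raw in (("lure", build_lure()), ("benign", build_benign())):
        print(label, triage(raw))
```

The checks are deliberately coarse: an external sender with a .doc attachment is a common, legitimate event, so in practice such indicators feed a score or a sandbox detonation rather than an outright block. The magic-byte check matters because a file named “.doc” need not be one, and a legacy OLE2 container is where both VBA macros and the older parser exploits live.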
Similarly, the attackers also used a blog page, “http://intribune.blogspot.in/”, to infect the computers of various Indian officials. The page carries news related to the Indian military, including fake stories such as “4 Sikh Army Officers being trialed in military court on alleged involvement with KLF”. The articles contain links that, when clicked, download and install a RAT on the visitor’s system. The headlines are designed to catch the attention of security officials.
To lure Indian officials, the page also has an article in which a purported Indian Army officer warns his senior and junior officers about a possible honey trap, sharing screenshots of Facebook conversations. The article links to a program that claims to retrieve the call records of any mobile number. Once a victim keys in a number, the site generates a file purportedly containing that number’s call records and prompts the person to download it to see the details. Once the file is downloaded and opened, the system is infected.
The attackers also used the January 2016 Pathankot attack as bait to get into the recipients’ systems. An email purportedly sent by one “Major General Arvind Dutta”, with attachments described as “details of terrorist call records, satellite tracking records”, was sent to various officials. Once the officials opened the attachments, their computers were infected, after which the attackers were able to capture screenshots from the compromised machines.
According to Kevin Epstein, vice president, threat operations centre at Proofpoint, this cyber attack has been designed to reach as many potential victims as possible within the Indian military and diplomatic communities.
He said over email that the attack was carried out through multiple modes, including phishing emails that took the recipient to a fake news site from which the RATs would infect the system. “Our analysis indicates that this threat actor has been operating since at least 2012 and individuals within the Indian military and diplomatic corps were targeted,” he said.
According to him, the probe into the source of the attacks pointed to IP addresses and a company based in Pakistan, which has been further validated by additional research. However, he cautioned that this does not prove the threat actor in question is a Pakistani state-sponsored group, as threat actors may deliberately use such infrastructure to divert attention or cast blame on other parties.
Epstein declined to state whether or not the details of these attacks have been shared with the Indian government.