What's new

Indian 'attacks' Norwegian telco to get at Pakistan, China

mikkix

SENIOR MEMBER
Joined
May 7, 2010
Messages
2,903
Reaction score
-7
Country
Pakistan
Location
Saudi Arabia
Indian 'attacks' Norwegian telco to get at Pakistan, China

A tale of twisted IP tracks

By Phil Muncaster • Get more from this author

Posted in Security, 21st May 2013 06:42 GMT

Free whitepaper – Best practices for enterprise mobility



Security researchers have uncovered what appears to be a sophisticated targeted attack launched from India and designed to steal information from a range of government and private enterprise victims in Pakistan, China and elsewhere.

What began as an investigation into an attack on Norwegian operator Telenor soon uncovered evidence to show attackers probably hailing from India had been lifting info from business, government, poltical organisations for as long as three years.

Norwegian anti-malware firm Norman AS claimed in its Operation Hangover (PDF) report that although the attack infrastructure appeared “predominantly to be a platform for surveillance against targets of national security interest (such as Pakistan)”, as well as industrial espionage, there is no direct evidence to link it to state-sponsored players.

Attackers used spear phishing techniques, exploiting known Microsoft software vulnerabilities – no zero days – to drop info-stealing malware dubbed "HangOver" onto victims’ machines.

Finding readable folders on a number of C&C servers, the researchers dug deeper to discover several malicious executable digitally signed with a certificate which had been revoked in 2011.

Domains registered by the attackers were almost all privacy protected, while “almost all websites belonging to this attacker has their robots.txt set to ‘disallow’ to stop them from being crawled”, the report continued.

However, the attack is far from advanced, according to security firm Eset, which has also been investigating.

"String obfuscation using simple rotation (a shift cipher), no cryptography used in network communication, persistence achieved through the startup menu and use of existing, publicly-available tools to gather information on infected systems shows that the attackers did not go to great lengths to cover their tracks," the vendor said in a blog post.

The researchers at Norman explained how the initial Telenor attack allowed them to widen the investigation, as follows:

We have direct knowledge of only one attack – the one against Telenor. During this investigation we have obtained malware samples and decoy documents that have provided indications as to whom else would be in the target groups. We have observed the usage of peculiar domain names that are remarkably similar to existing legitimate domains. We have also obtained sinkhole data for a number of domains in question and found open folders with stolen user data in them; enough to identify targets down to IP and machine name/domain level.

These IP addresses hail from a large range of countries globally including China, Russia, France and the US but the vast majority correspond to Pakistan.

Aside from Telenor the report listed other attack targets as energy companies the Eurasian Natural Resources Corporation (ENRC) and Bumi; Porsche Informatik; and Chicago Mercantile Exchange.

“The continued targeting of Pakistani interests and origins suggested that the attacker was of Indian origin,” the report concludes.

Interestingly, an analysis of the project paths for malware creation revealed a highly organised operation in which “multiple developers are tasked with specific malware deliverances”:

There are many diverging project paths which points towards different persons working on separate sub-projects, but apparently not using a centralised source control system. The projects seem to be delegated into tasks, of which some seem to follow a monthly cycle.

The report also points out that the word “Appin” crops up in various contexts and cases, including malware file names, speculating some actor may be deliberately trying to implicate Indian security company Appin Security Group in the attacks.

The company has now issued a warning notice on its home page urging the public “not to be misled by any communication received through fictitious domains which are purportedly being made by, or on behalf of, our company”.

It also sent a strongly worded statement to The Hacker News claiming the reference to Appin in the report was a “marketing gimmick on the part of Norman AS” and that it has already initiated legal proceedings against the Norwegian firm. ®


Indian 'attacks' Norwegian telco to get at Pakistan, China ? The Register
 
.
“The continued targeting of Pakistani interests and origins suggested that the attacker was of Indian origin,” the report concludes.

That was it? Even the register seems to think that everything bad that happens to Pakistan must be because of India!
BTW, The Register is like a tabloid of the tech reporting world.
 
. . .
Fair good these attacks did. Since they tried pelting stones at a metal bunker.
Pakistan has already HAD such attacks on its security from MUCH MUCH MUCH more sophisticated approaches (that originated from an ally that shall not be named) and were way way more successful. So their paranoia was already high enough..

The most that these attacks got were personal e-mails or links to dirty jokes.
 
.
Fair good these attacks did. Since they tried pelting stones at a metal bunker.
Pakistan has already HAD such attacks on its security from MUCH MUCH MUCH more sophisticated approaches (that originated from an ally that shall not be named) and were way way more successful. So their paranoia was already high enough..

The most that these attacks got were personal e-mails or links to dirty jokes.


We say NON-STATE ACTORS... :)
 
.
We say NON-STATE ACTORS... :)

No non state actors involved when it comes to our allies.
Very very state actors.. and to be more precise.. the agency that has the highest budget(and has the most supercomputers).
It was almost a lucky chance that a certain fellow(who now ironically works at Microsoft) who was "recruited" in an emergency picked out the trademark.

As mentioned before, its that paranoia that has ALL.. and I mean ALL sensitive information holding electronic devices disconnected from the Internet. No outside USB.. the ports are locked with keys.. no CD... nothing.
Add onto that the insane and somewhat idiotic level of background checks, security and general roughnecks that guard these facilities..

The way to get into these places is to use good old HUMINT and bribery from the top and middle management levels.
 
.
Fair good these attacks did. Since they tried pelting stones at a metal bunker.
Pakistan has already HAD such attacks on its security from MUCH MUCH MUCH more sophisticated approaches (that originated from an ally that shall not be named) and were way way more successful. So their paranoia was already high enough..

The most that these attacks got were personal e-mails or links to dirty jokes.

NSA????:what:
 
.
Fair good these attacks did. Since they tried pelting stones at a metal bunker.
Pakistan has already HAD such attacks on its security from MUCH MUCH MUCH more sophisticated approaches (that originated from an ally that shall not be named) and were way way more successful. So their paranoia was already high enough..

The most that these attacks got were personal e-mails or links to dirty jokes.

No non state actors involved when it comes to our allies.
Very very state actors.. and to be more precise.. the agency that has the highest budget(and has the most supercomputers).
It was almost a lucky chance that a certain fellow(who now ironically works at Microsoft) who was "recruited" in an emergency picked out the trademark.

As mentioned before, its that paranoia that has ALL.. and I mean ALL sensitive information holding electronic devices disconnected from the Internet. No outside USB.. the ports are locked with keys.. no CD... nothing.
Add onto that the insane and somewhat idiotic level of background checks, security and general roughnecks that guard these facilities..

The way to get into these places is to use good old HUMINT and bribery from the top and middle management levels.

How the hell do you always know the juicy bits ! :pissed:

Dirty Jokes between 50 year old something Generals - :bad:
 
.
How the hell do you always know the juicy bits ! :pissed:

Dirty Jokes between 50 year old something Generals - :bad:

I pretend to be dumb when I am actually listening.
Also, going around and meeting people is always good.
Especially if you are only doing it as a social nicety and dont really ever speak to them again.

How the hell do you always know the juicy bits ! :pissed:

Dirty Jokes between 50 year old something Generals - :bad:

Doesnt have to be generals.. all officers and like have some private email accounts they maintain.
 
.
How the hell do you always know the juicy bits ! :pissed:

Dirty Jokes between 50 year old something Generals - :bad:

ROFL, bhai jan, sending these dirty emails and using Facebook is the best use of sarkari internet at the office!

Everybody, not only generals, does it.
 
.
Just finish reading the report. Defense.pk is also referenced on page 20.

http://enterprise.norman.com/resources/files/Unveiling_an_Indian_Cyberattack_Infrastructure.pdf

Pakistan has been intensely targeted. How long will we take these sort of things lightly as clearly Indian government is behind these attacks. What's most worrying is that the outside sources are giving us these information instead of our own institution find it out in the first place.

detection_distribution.png
 
.

Pakistan Defence Latest Posts

Pakistan Affairs Latest Posts

Back
Top Bottom