Oslo-based cyber security outfit Norman Shark has today released a report detailing a large and sophisticated cyber-attack infrastructure that it suggests originates from India. The attacks, conducted by private threat actors over a period of three years and still ongoing, showed no evidence of state sponsorship, but the primary purpose of the global command-and-control network appears to be intelligence gathering from a combination of national security targets and private sector companies.
“The data we have appears to indicate that a group of attackers based in India may have employed multiple developers tasked with delivering specific malware,” commented Snorre Fagerland, head of research for Norman Shark labs. “The organisation appears to have the resources and the relationships in India to make surveillance attacks possible anywhere in the world. What is surprising is the extreme diversity of the sectors targeted, including natural resources, telecommunications, law, food and restaurants, and manufacturing. It is highly unlikely that this organisation of hackers would be conducting industrial espionage for just its own purposes – which makes this of considerable concern.”
The investigation revealed evidence of professional project management practices used to design frameworks, modules and subcomponents. It seems that individual malware authors were assigned certain tasks, and components were “outsourced” to what appear to be freelance programmers.
The discovery began on 17th March when a Norwegian newspaper reported that Telenor, one of the world’s largest mobile phone operators, a member of the world’s top 500 companies, and Norway’s major telecommunications company, had filed a criminal police case for an unlawful computer intrusion. Spear phishing emails targeting upper management appeared to be the source of the infection.
The behaviour pattern and file structure of malware files enabled analysts to search internal and public databases for similar cases. The amount of malware found was surprisingly large, suggesting the Telenor intrusion was not a single attack, but part of a continuous effort to compromise governments and corporations worldwide.
Norman Shark titled the report “Operation Hangover” after one of the cyber espionage malware families most frequently used in this case.
Based on an analysis of IP addresses collected from criminal data stores discovered during the investigation, it appears that potential victims have been targeted in more than a dozen countries. Specific targets include government, military and business organisations. Attribution to India was based on an extensive analysis of IP addresses, website domain registrations, and text-based identifiers contained within the malicious code itself.
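The two analytical steps the article describes, pivoting from the Telenor samples to similar malware using behaviour and file structure, and grouping the hits using text-based identifiers and infrastructure overlap, can be illustrated with a small similarity search. The following is an added example, not code or data from the Norman Shark report: every sample name, string, PDB path, C2 host and section layout below is constructed, and the feature weighting (a plain Jaccard score over tagged features, with a 0.3 threshold) is an assumption chosen for the illustration, not the lab's method.

```python
"""Pivot from one malware sample to related ones by shared structural and
text-based features, then group the hits into campaign-level clusters."""
from collections import deque

# Constructed sample metadata (hypothetical values, not indicators from the
# report). Each record mixes a file-structure trait (section layout), embedded
# text identifiers (strings, PDB path) and infrastructure (C2 host).
SAMPLES = {
    "sample_A": {"strings": {"HangOver", "dropper_v2"},
                 "pdb": r"c:\projects\appin\dropper.pdb",
                 "c2": "c2-one.test",
                 "sections": (".text", ".rdata", ".data", ".rsrc")},
    "sample_B": {"strings": {"HangOver", "keylog"},
                 "pdb": r"c:\projects\appin\keylog.pdb",
                 "c2": "c2-two.test",
                 "sections": (".text", ".rdata", ".data", ".rsrc")},
    "sample_C": {"strings": {"keylog"},
                 "pdb": r"c:\work\stealer\stealer.pdb",
                 "c2": "c2-two.test",
                 "sections": (".text", ".rdata", ".data", ".rsrc")},
    "sample_D": {"strings": {"hello"},
                 "pdb": None,
                 "c2": "unrelated.test",
                 "sections": (".text", ".data")},
}


def features(record):
    """Turn one sample record into a set of tagged, comparable features."""
    feats = {"str:" + s for s in record["strings"]}
    if record["pdb"]:
        # The directory part of a PDB path fingerprints the developer's build
        # environment more reliably than the file name alone.
        feats.add("pdbdir:" + record["pdb"].rsplit("\\", 1)[0].lower())
    feats.add("c2:" + record["c2"].lower())
    feats.add("layout:" + "|".join(record["sections"]))
    return feats


def jaccard(a, b):
    """Share of features two samples have in common (0.0 .. 1.0)."""
    if not a and not b:
        return 0.0
    return len(a & b) / len(a | b)


def related_to(name, samples=SAMPLES, threshold=0.3):
    """Pivot from one known sample to others scoring at or above threshold."""
    base = features(samples[name])
    hits = [(other, jaccard(base, features(rec)))
            for other, rec in samples.items() if other != name]
    return sorted([h for h in hits if h[1] >= threshold], key=lambda h: -h[1])


def cluster(samples=SAMPLES, threshold=0.3):
    """Group samples into connected components of pairwise similarity, so a
    chain A~B~C lands in one cluster even when A and C barely overlap."""
    feats = {n: features(r) for n, r in samples.items()}
    seen, groups = set(), []
    for start in samples:
        if start in seen:
            continue
        group, queue = [], deque([start])
        seen.add(start)
        while queue:
            cur = queue.popleft()
            group.append(cur)
            for other in samples:
                if other not in seen and jaccard(feats[cur], feats[other]) >= threshold:
                    seen.add(other)
                    queue.append(other)
        groups.append(sorted(group))
    return sorted(groups)


if __name__ == "__main__":
    print("pivot from sample_A:", related_to("sample_A"))
    print("clusters:", cluster())
```

Run stand-alone, the pivot from sample_A finds only sample_B directly (shared string, PDB directory and section layout), while clustering links sample_C through its overlap with sample_B and leaves sample_D on its own. That transitive step is the point: a single intrusion's samples rarely match a whole campaign directly, but chained overlaps across string, path and infrastructure features are what turn "one attack" into "one effort".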