Diplomats and military personnel in India have been victimized in targeted espionage attacks that use a number of means of infection including phishing and watering hole sites.
Researchers at Proofpoint this week published a report on Operation Transparent Tribe, which was ongoing as of Feb. 11 when Proofpoint uncovered live attacks against Indian diplomats operating in embassies in Saudi Arabia and Kazakhstan. Proofpoint found IP addresses in Pakistan involved in the attacks, which relied on an elaborate network of watering hole websites and multiple phishing email campaigns.
The sustained campaign, Proofpoint said, was designed to allow attackers to drop a remote access Trojan it calls MSIL/Crimson. The Trojan had a variety of data exfiltration functions, including access to laptop cameras, screen capture functionality and keylogging.
Kevin Epstein, VP of threat operations center at Proofpoint, told Threatpost that uncovering nation-state cyber espionage is one thing, but being able to expose it as it is happening is rare.
“This is a multi-year and multi-vector campaign clearly tied to state sponsored espionage,” he said. “In the world of crimeware, you rarely see this type of complexity. A nation state using multiple vectors, that’s significant.”
Hacking has become an increasingly popular and effective weapon in geopolitical conflicts, Epstein said. Groups with ties to most major powers are increasingly using targeted attack campaigns for political and competitive advantage and as a way to perpetrate attacks on critical infrastructure.
Epstein said that typically security analysts only get wind of past campaigns that offer limited insight into pieces of the attack puzzle. With this recent discovery, he said, Proofpoint was able to identify all aspects of the campaign as it was being carried out.
“This was an elaborate advanced persistent threat that required setting up multiple websites, multiple registrations, a build-out of full content sites and hosting sites,” Epstein said.
One attack vector was email attachments that included weaponized RTF documents, which exploited the four-year-old CVE-2012-0158 Microsoft ActiveX vulnerability to drop an embedded, encoded portable executable.
“MSIL/Crimson is a logical extension of existing malware. This discovery is less about the bits and bytes of a specific malware,” Epstein said.
MSIL/Crimson, Epstein said, is a stealthy package of exploits. After successful exploitation and decoding of the embedded payload, MSIL/Crimson will be executed on the victim’s machine. The first stage in infection is a downloader whose purpose is to download the more fully featured remote access Trojan component, he said.
Other attack vectors for MSIL/Crimson included fake blogs and news websites that linked to malicious payloads through text and image hyperlinks, as well as desirable files that contained MSIL/Crimson.
“These were sites that generated content that was designed to interest people in the armed forces,” Epstein said. “The attackers used topical and original content compelling enough to entice readers to share stories, links and downloads with others in the armed services.”
In its analysis of MSIL/Crimson, Proofpoint wrote: “Many of the campaigns and attacks appear related by common IOCs, vectors, payloads, and language, although the exact nature and attribution associated with this advanced persistent threat remains under investigation.”