Fresh APT Found Targeting Indian Military, Diplomats

Evidence of an advanced persistent threat (APT) against Indian diplomatic and military resources has been brought to light.

Proofpoint researchers have found that what initially appeared to be a relatively small email campaign sent to Indian embassies in Saudi Arabia and Kazakstan now appears much broader.

The campaign, known as Operation Transparent Tribe, is connected to watering hole sites targeting Indian military personnel, including faux blogs and news websites (including one called Indian Tribe) designed to attract targets with an Indian emphasis. But, the initiative is overall multi-vector: Phishing and spam figure prominently too. In one case, Operation Transparent Tribe used malicious email to spread weaponized RTF documents exploiting the CVE-2012-0158 Microsoft ActiveX vulnerability.

Regardless of vector, the campaigns have been designed to drop a remote access trojan (RAT) that the researchers dubbed "MSIL/Crimson.” The multistage RAT has a variety of data exfiltration functions, including screen capture and keylogging.

“This is a multi-year and multi-vector campaign clearly tied to state-sponsored espionage,” Kevin Epstein, VP of threat operations center at Proofpoint, told Threatpost. “In the world of crimeware, you rarely see this type of complexity. A nation-state using multiple vectors, that’s significant.”

Further analysis showed that many of the campaigns and attacks appear related by common indicators of compromise, attack vectors, payloads and language, although the exact nature and attribution associated with this APT remains under investigation. The IP addresses involved in the attacks are based in Pakistan.

“While our investigation of this threat is ongoing, this serves as an important reminder that wars are no longer waged solely on the ground or in the air,” researchers said in their report on the campaign. “Rather, threat actors (whether from nation-states or private parties with interests in international conflicts) will use a variety of cyber-tools to achieve their goals.”

Photo © koya979

What’s Hot on Infosecurity Magazine?