The HangOver Campaign - more on Indian hackers targeting Pakistan

ESET was first off the block, announcing that it had discovered a campaign with leads that "indicate the threat originates from India and has been going on for at least two years.” But now it is clear that another anti-malware company, Norman, has been separately investigating the same campaign; and it is bigger than first thought.

Norman was brought into the picture when it looked into an incident involving Telenor in Norway. Telenor had filed a complaint with the Norwegian police following an unlawful intrusion into its systems. A few days later, the Norwegian CERT (NorCERT) shared some of the details, and Norman started to investigate. That investigation led to the discovery of a major hacking campaign that targeted government and industry around the world; but especially Pakistan.

The same methodology and the same vulnerabilities are detailed in the reports from both ESET and Norman, so there is little doubt that it is the same campaign. Zero-day exploits are not employed - instead the campaign relies on sophisticated spear-phishing with disguised malicious attachments.

Norman, however, went into greater detail in its May 2013 report: OPERATION HANGOVER: Unveiling an Indian Cyberattack Infrastructure. Whilst Norman did mention specific company names which were apparently connected in the report, it also goes to considerble lengths to stress that it is accusing no-one, and that any names it publishes could be entirely innocent and co-incidental. "There are also indicators of involvement by private sector companies or persons connected to these, though these data are circumstantial and may be attempts to implicate said companies," says the report. The report has since been removed from the Norman website.

Similarly, the organization described by Norman clearly has access to the sort of resources commanded by major organizations - or nation states. But, says Norman, "We have no visibility into whether the attacks were done on behalf of others, and if so who commissioned them or whether all attacks were commissioned by one entity or by several."

The attacks may not be as sophisticated as the criminal attacks from Eastern Europe, nor the Comment Crew attacks from China, but they appear to be extensive and successful; and according to Norman, "This infrastructure has been in operation for at least three years, more likely close to four years." India may now need to be added to the hacking geographic lexicon, along with East Europe and China.


What’s hot on Infosecurity Magazine?