DID INDIAN MI AND RAW HACKERS INFILTRATE PAKISTANI NUCLEAR INSTALLATIONS?

PROJECT CONFUCIUS: INDIAN MI AND RAW PLAN TO INFILTRATE PAKISTANI INSTALLATIONS, ISI AND PAKISTANI ARMED FORCES

Pakistani Nuclear Reactor
RAW's plan to infiltrate Pakistani Nuclear Installation

An American mobile security company, Lookout Inc., recently revealed that a hacking group known as Confucius, suspected of links to Indian Military Intelligence (MI) and the Research and Analysis Wing (RAW), ran an espionage campaign against Pakistani military and nuclear program officials from sometime in 2013 until the end of 2020. Victims' smartphones were compromised by innocent-looking Android apps carrying malware called Sunbird, which collected user data (contact lists, geolocation history, email, text messages, and audio and video files) and uploaded it to command-and-control servers that the operators left unsecured, a lapse not typical of the group. The trojanized apps were usually Android security tools or chat and dating apps built for a Pakistani audience. Thousands of people downloaded them, but the malware was activated on fewer than 200 devices, because activation was reserved for users on a target list of people the attackers wanted data from. The group has been active for a long time and is known for taking great care not to be detected, since it specializes in targeting organizations that employ extensive defenses against intrusion.

The Confucius operation came to light because some of the stolen data files were found on the group's servers before the operators deleted them after collection. That gave the security firm enough to track down the infected apps and identify who the targets were. Meanwhile, Sunbird is still in use and is still being improved.

It was also reported that Sunbird is an Indian adaptation of a more widely used piece of malware called Sunservice. The Confucius group also used Hornbill, a stealthier but less capable implant. Hornbill sent back only chat data and used far less battery power than Sunbird, so it served mainly as a reconnaissance tool to find out which infected phones belonged to people in the Pakistani military or nuclear weapons programs. If a phone was not of interest, Hornbill was instructed to erase itself and leave no trace of ever having been there. If the user was a target, Hornbill helped install Sunbird and then erased itself. Sunbird demanded more operator time and effort to install and run, and because it uploaded large amounts of data the exfiltration had to be paced carefully: draining the battery fast enough for the user to notice could prompt a check of the phone, which would often reveal the implant.

The campaign appears to be only the latest example of hackers going after sensitive security targets with social engineering: luring victims into downloading malicious files disguised as benign applications. What is unusual about the group, dubbed Confucius, is the lengths its operators go to in order to hide their efforts, experts say.

Using counterfeit Android apps disguised as Google security tools and as popular regional chat and dating applications, Confucius gained access to 156 victims' devices, according to a trove of data recently analysed by the research team. The files and related logs were found on unsecured servers used by the group, the report says. Most of the users who recently accessed those servers were located in northern India.

Once the attackers compromise a device, they harvest its data, including call logs, contacts, geolocation, images and voice notes. In some cases the hackers took screenshots of the devices and recorded phone calls. In at least one instance, the intruders got into the device of a Pakistani Air Force service member and viewed a contact list full of other Air Force officials, said Apurva Kumar, a staff security intelligence engineer at Lookout.
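The capability list above (call logs, contacts, geolocation, images, audio) maps directly onto Android permissions, which is the first thing a practitioner checks when triaging a phone for this kind of implant. The script below is an added example, not code from Lookout or from the articles this page draws on. It parses a condensed app inventory in a format that imitates the shape of `adb shell dumpsys package` output (the real listing is more verbose and would need an adapted parser), scores each app by how many surveillance-relevant data categories its permissions cover, and flags apps that either cover many categories or were sideloaded and still cover several. The package names and the inventory text are constructed for the example; none of them are indicators from the actual campaign.

```python
"""
Permission-based triage of an Android app inventory for spyware-like
capability sets.  Added example; the inventory and package names below are
constructed and are not indicators from the Confucius campaign.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# Android permissions that correspond to the data categories the article
# says the implants collected (call logs, contacts, location, audio, messages,
# images/files) plus the camera, which a phone-surveillance tool typically wants.
SURVEILLANCE_PERMISSIONS = {
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_CALL_LOG": "call logs",
    "android.permission.ACCESS_FINE_LOCATION": "geolocation",
    "android.permission.RECORD_AUDIO": "audio",
    "android.permission.READ_SMS": "messages",
    "android.permission.READ_EXTERNAL_STORAGE": "files",
    "android.permission.CAMERA": "camera",
}

# Installer package names that mean "came from an app store"; anything else
# (including a missing installer) is treated as sideloaded.
STORE_INSTALLERS = {"com.android.vending"}

# Constructed inventory in a simplified dumpsys-like layout.  The second app
# poses as a "security framework" but asks for the full surveillance set and
# has no installer, i.e. it was sideloaded.
SAMPLE_INVENTORY = """\
Package [com.example.maps]:
  installerPackageName=com.android.vending
  requested permissions:
    android.permission.ACCESS_FINE_LOCATION
    android.permission.INTERNET
Package [com.example.securityframework]:
  installerPackageName=null
  requested permissions:
    android.permission.READ_CONTACTS
    android.permission.READ_CALL_LOG
    android.permission.ACCESS_FINE_LOCATION
    android.permission.RECORD_AUDIO
    android.permission.READ_SMS
    android.permission.READ_EXTERNAL_STORAGE
    android.permission.INTERNET
Package [com.example.chat]:
  installerPackageName=com.android.vending
  requested permissions:
    android.permission.READ_CONTACTS
    android.permission.RECORD_AUDIO
    android.permission.CAMERA
    android.permission.INTERNET
"""


@dataclass
class App:
    package: str
    installer: Optional[str]
    permissions: set = field(default_factory=set)


def parse_inventory(text: str) -> list:
    """Parse the simplified inventory into App records, one per 'Package [...]' block."""
    apps = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"Package \[([^\]]+)\]", line)
        if m:
            current = App(package=m.group(1), installer=None)
            apps.append(current)
        elif current is None:
            continue  # ignore anything before the first package block
        elif line.startswith("installerPackageName="):
            value = line.split("=", 1)[1]
            current.installer = None if value == "null" else value
        elif line.startswith("android.permission."):
            current.permissions.add(line)
    return apps


def surveillance_categories(app: App) -> set:
    """Data categories this app could collect, judged by requested permissions."""
    return {cat for perm, cat in SURVEILLANCE_PERMISSIONS.items() if perm in app.permissions}


def triage(apps, min_categories: int = 4) -> list:
    """Return (package, sideloaded, categories) for apps worth a closer look.

    An app is flagged when it covers at least min_categories data categories,
    or when it was sideloaded and covers two or more.  Store-installed chat
    apps that legitimately use contacts, mic and camera fall below the bar.
    """
    findings = []
    for app in apps:
        cats = surveillance_categories(app)
        sideloaded = app.installer not in STORE_INSTALLERS
        if len(cats) >= min_categories or (sideloaded and len(cats) >= 2):
            findings.append((app.package, sideloaded, sorted(cats)))
    return findings


if __name__ == "__main__":
    for package, sideloaded, cats in triage(parse_inventory(SAMPLE_INVENTORY)):
        origin = "sideloaded" if sideloaded else "store"
        print(f"{package} ({origin}): {', '.join(cats)}")
```

Permissions alone are a weak signal, since a legitimate messaging app asks for contacts, microphone and camera too; the value is in combining the capability count with the install source, and then pulling the flagged APK for static analysis rather than trusting a name like "security framework". Run it against real `dumpsys package` output only after adapting the parser to that format.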

“While their technical tools and malwares might not be that advanced, the Confucius threat actor invests human time to gain trust from their targets,” said Daniel Lunghi, threat researcher at the cyber security firm, Trend Micro. “And in certain sensitive fields where people are more cautious, it might be what makes the difference.”

In two cases, researchers found that the hackers had stolen WhatsApp conversations from 2017 and 2018 between officials at the Pakistan Nuclear Regulatory Authority, the Pakistan Atomic Energy Commission and unknown third parties. Then in April 2019, in the midst of India's national election, the attackers burrowed into the device of an election official in the Pulwama district of Kashmir, where months earlier an Indian security convoy had been hit by a deadly bombing claimed by a Pakistan-based militant group.

Indian Hackers

Kumar said she could not disclose details of the stolen data. Her research indicates the espionage campaign ramped up in 2018, after unknown hackers breached the commercial surveillance-ware vendor Retina-X Studios. Hornbill, one of the malware tools used by the attackers, shares code with Retina-X's Mobile Spy products. Another piece of malware, Sunbird, which can remotely commandeer a user's device, appears to be derived from the code of an India-based stalkerware service called BuzzOutLoud.

Source:

www.smh.com.au

www.strategypage.com