The report’s results show that the group’s modus operandi was to send emails to high-level government targets that contained malicious payloads designed to capture sensitive information.
We missed that earlier: Researchers at Seqrite, the cybersecurity arm of Quick Heal Technologies, claim they found sophisticated phishing attempts by a Pakistan-affiliated group targeting India’s critical infrastructure suppliers in the finance, energy and telecommunications sectors. A report published by the company on July 9 also stated that the attacks were aimed at gaining access to sensitive information “including screenshots, keystrokes and files from the affected system”.
MediaNama has reached out to India’s Computer Emergency Response Team (CERT-In) to confirm the alleged attempts after a Seqrite spokesman said its researchers alerted CERT-In and NCIIPC after the discovery and worked with government agencies to protect possible targets. We will update this report when we receive a response.
Why is that important: In 2019, the Kudankulam nuclear power plant in Chennai was hit by a cyber attack. Investigations were then carried out by the Computer & Information Security Advisory Group (CISAG) of the Department of Atomic Energy (DAE) together with CERT-In. While the government has denied in recent parliamentary responses that there have been any successful cyberattacks on power grids, it revealed that a total of 454 (2018), 472 (2019), 280 (2020) and 138 (2021, until June) phishing incidents were observed by CERT-In. However, in its reply, the government acknowledged that there have been several failed attempts to attack power grids.
How the attacks could have been carried out
The Seqrite report states that the attackers used spear phishing emails to begin initial intrusions into “high-level” government targets.
- The emails would pose as “government issues” to trick the user into opening them.
- The email content tries to trick the user into extracting the attached zip archive.
- Once extracted, the user would see what appears to be a document file but is actually a “fake LNK” (shortcut) file.
- As soon as the user opens this file, the malware payload is launched while a lure document is displayed to avert suspicion.
- Attackers used compromised websites that are similar to the websites the target organizations would generally access.
- These sites would serve the HTA payload, which the malware then downloads and runs.
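As an added, defender-side example (not from the Seqrite report or from MediaNama), the Python below checks a zip attachment for the lure pattern described above: a shortcut whose name mimics a document, flagged both by its double extension and by the Shell Link header at the start of the member. The archive it scans is constructed inline, so it runs offline.

```python
import io
import zipfile

# Shell Link (.lnk) header: HeaderSize 0x0000004C followed by the LinkCLSID
# {00021401-0000-0000-C000-000000000046} in its on-disk little-endian layout.
LNK_MAGIC = bytes.fromhex("4C000000" "0114020000000000C000000000000046")

# Extensions an attacker can wedge in front of ".lnk" so the shortcut reads as a
# document; Windows Explorer hides the trailing ".lnk" by default.
DOC_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".txt"}


def is_lnk(data: bytes) -> bool:
    """True if the bytes start with a well-formed Shell Link header."""
    return data[: len(LNK_MAGIC)] == LNK_MAGIC


def suspicious_entries(zip_bytes: bytes) -> list:
    """Return (member name, reason) for members that look like lure shortcuts.
    Only the first 20 bytes of each member are read, in memory; nothing is
    extracted to disk or executed."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            parts = info.filename.lower().rsplit(".", 2)
            ext = "." + parts[-1] if len(parts) > 1 else ""
            inner = "." + parts[-2] if len(parts) > 2 else ""  # ".pdf" in "x.pdf.lnk"
            with zf.open(info) as member:
                has_lnk_header = is_lnk(member.read(len(LNK_MAGIC)))
            if not (has_lnk_header or ext == ".lnk"):
                continue  # neither by name nor by content a shortcut
            if inner in DOC_EXTENSIONS:
                findings.append((info.filename, "shortcut masquerading as document"))
            elif has_lnk_header and ext != ".lnk":
                findings.append((info.filename, "Shell Link header under non-.lnk extension"))
            else:
                findings.append((info.filename, "shortcut file inside archive"))
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample: an inert fake 'document' shortcut beside a benign text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Govt_Notice.pdf.lnk", LNK_MAGIC + b"\x00" * 56)  # header + zero padding
        zf.writestr("README.txt", b"Benign text member for contrast.")
    return buf.getvalue()


if __name__ == "__main__":
    print(suspicious_entries(build_sample_archive()))
```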
According to the report, “the final payload may capture sensitive information such as screenshots, keystrokes and files from the affected system. It can also execute commands given as part of instructions from C2 servers.”
While the researchers found in most cases that the backdoors were variants of NJRat – a remote access tool that can help steal passwords and keystroke logs and operate webcams remotely – in one case they found a payload written in C#, a programming language. This, they said, installs an implant that helps the attacker examine the target and install other backdoors. According to the report, the evidence points to a highly organized operation aimed at bypassing most security mechanisms.
What is the connection with Pakistan?
The report said the campaign this year was an extension of Operation SideCopy, which it had discovered targeting Indian defense forces last October. In the course of analyzing data accessible on the operation’s command-and-control (C2) servers, Seqrite researchers found a common IP address that was the first entry in many logs. This, the report said, indicated that the relevant system was likely being used to test the attack before it launched, and data from whatismyipaddress.com revealed that the provider of that IP address is Pakistan Telecommunication Company Limited. This backed up the claim that the Operation SideCopy attacks could have come from a Pakistani group that Seqrite referred to as the “Transparent Tribe Group” in its report last year.
According to the report, Seqrite researchers suspect this attack is a cyber espionage campaign aimed at gathering sensitive information in order to gain a competitive advantage over India.
Foreign cyber attacks on India
In March, a Chinese state-backed group of hackers targeted the IT systems of Indian vaccine manufacturers Bharat Biotech and the Serum Institute of India, according to the cyber intelligence company Cyfirma.
In February, Recorded Future, an American company investigating state actors’ use of the Internet, uncovered a Chinese state-sponsored cyber attack targeting India’s power grid and distribution systems. According to Recorded Future, Red Echo, the organization behind the attack, used malware called ShadowPad. The attack has been linked to the unexpected power outage in Mumbai in October 2020, but the government has denied any connection. However, the government said it is aware of ShadowPad and has taken appropriate steps against it.
Last month, during an open debate by the United Nations Security Council (UNSC) on “Maintaining International Peace and Security: Cybersecurity”, Foreign Minister Harsh V. Shringla allegedly raised concerns about cross-border government-sponsored cyberattacks. Without naming countries, he said: “Some states use their expertise in cyberspace to achieve their political and security-related goals and to indulge in contemporary forms of cross-border terrorism.”
India’s pending cybersecurity policy
India is currently adhering to the Cybersecurity Policy 2013, although a new cybersecurity guideline has been in the works since 2019 and is expected to be released by October this year, according to Lt Gen. (Dr) Rajesh Pant, the National Cyber Security Coordinator.
According to reports, the new policy would address all aspects of cyberspace, including governance, data as a national resource, indigenous skills building and cyber audit.
Meanwhile, another government cybersecurity project, the National Cyber Coordination Center (NCCC), is yet to be fully implemented. The NCCC, currently in Phase I implementation, went live in 2017 and was set up to provide “real-time macroscopic views” of cybersecurity threats in India. According to MEITY’s statement on the NCCC to Parliament’s Standing Committee on Information Technology, a lack of funds has hampered its full implementation. However, the ministry said the full-fledged NCCC “will be implemented within a year if the necessary funds are made available”.