In a report released Monday, security researchers at the Norwegian security firm Norman and the non-profit Shadowserver Foundation provide details of a hacker operation they’re calling “Operation Hangover” that seems to have carried out spying campaigns against the IT subsidiary of Porsche Holdings, Delta Airlines, The Chicago Mercantile Exchange, the Norwegian telecom Telenor, U.S. law firms, mining corporations, and Pakistani targets as well as separatist groups within India. In total, the group operated for more than three years and created hundreds of spoofed domains for the targeted phishing attacks it used to breach victims’ networks. By impersonating a sample of the group’s command and control servers to access its network of compromised machines, the researchers found more than 500 affected IP addresses within Pakistan, along with another 91 in Iran and 34 in the United States.
“What’s new is that you have a group operating in a fashion that’s usually associated with China previously, with attacks against both civilian corporations and targets of national security interest,” says Snorre Fagerland, a senior researcher with Norman. “I don’t think we expected to see that at this point from India.”
The researchers began tracking the cyberespionage group after a breach of Telenor in Oslo two months ago. By pulling together clues about the information-collecting spyware found on that network–including the “Hangover” or “Hanove” malware that gives the group its name–as well as the servers used to connect to those infected machines around the world, they found attacks stretching back to September 2010, with the group hitting its peak activity in 2012. In total, the Hangover group produced more than 800 variants of malware, says Fagerland. “The amount of malware we found…was surprisingly large, and it became clear that the Telenor intrusion was not a single attack but part of a continuous effort to attack and compromise governments and corporations around the world,” the researchers’ report reads.
The researchers began to suspect that the cyberspies were Indian when they saw the prevalence of Pakistani targets, as well as campaigns targeting Indian ethnic groups. But the researchers later found what appeared to be Hindi words and names in the code of the trojans they were studying. And finally, the attackers made an amateur mistake, allowing the private registrations of several domains to expire, exposing names and addresses. Two domains, for instance, were registered to Prakesh Jain and Rakesh Gupta at certain offices in the Indian capital of Delhi. In another case, an alleged hacker even posted questions to a public developer forum asking for help with uploading data from a compromised Nokia phone, and revealed enough information to find his full résumé on the freelancing site Elance.
In general, the group lacked the sophistication of what many in the cybersecurity industry now refer to as “advanced persistent threat” hackers with government training and support, says Norman’s Fagerland. The hackers didn’t use any “zero-day” vulnerabilities in software–previously unknown security flaws–but rather focused on social engineering attacks and exploiting older, unpatched bugs in Microsoft Word, web browsers and Java. But the sheer scale and organization of the attacks implies a formal structure to the group, if not a clear link to the Indian government, says Fagerland. “It’s not sophisticated, but it’s systematic, and it works,” he says.
Hackers from India aren’t exactly new. Grassroots groups like the Indian Cyber Army have long engaged in defacement campaigns against Pakistani and Bangladeshi websites, for instance. But the Hangover attacks hint that India may be joining the ranks of countries using the Internet for organized espionage and possibly intellectual property theft. “We’re seeing signs that it’s not just the Chinese moving into this space,” says Fagerland. “It’s probably very lucrative if you can pull it off and not get caught. And the demand for intelligence is not going away.”