Espionage-for-hire 'Operation Hangover' originates from India: Reports

Reports on hacking activity detected in the Indian subcontinent reveal an espionage-for-hire service that they claim hacked into Norwegian carrier Telenor.

Published Date: 21 - May - 2013 | Last Updated: 21 - May - 2013

India is fast becoming a breeding ground for advanced persistent threat (APT) activity, according to reports.

Researchers at Norman, a Norway-based security firm, released a report on Monday disclosing that an espionage-for-hire service hacked into Norwegian carrier Telenor and recently created Mac malware to spy on an Angolan activist.

The previously unseen Mac spyware, recently found on the Angolan activist's laptop, was reportedly made by a group of professional Indian hackers who have been in the business of gathering intelligence for the past three to four years.

Norman's chief researcher, Snorre Fagerland, began examining the group after Telenor, Norway's largest carrier, revealed it was compromised in a phishing attack on executives in March.

Fagerland revealed that the group responsible for the Telenor attack has built an extensive network of over 600 domains that have been used to distribute hundreds of pieces of 'key logger and other malware', or to 'host phishing pages'.

"I think we have about 800 different [malware] samples in our sample set that we know are related to this," Fagerland told ZDNet.

The group uses phishing emails combined with malware as its main method of attack, said Fagerland, who named the operation 'Hangover' because the term appears in many of the malware samples researchers studied.

"The data we have appears to indicate that a group of attackers based in India may have employed multiple developers tasked with delivering specific malware," Fagerland said.

The group targets a range of countries including Pakistan, the US, China, Iran, Thailand, Jordan, Indonesia, the UK, Norway, Germany, Austria, Poland and Romania.

Fagerland was certain that the spyware found on the Angolan activist's computer was signed with a valid Apple Developer ID account and designed to ward off screen shots from victims.

"The reason we're certain this malware was from the same group is because we know that it connects to the same command and control," he said.

The hackers are not particularly sophisticated and depend on exploits for older, already-patched Internet Explorer, Java and Microsoft Word defects. However, the group is well organised, says Fagerland.

"They're good at bulk actions like registering domains in bulk and managing many computers, but the code is not that advanced and the operational security appears to have been really bad in terms of covering their tracks; other players in this environment are much better at that," he said.

"The group appears not to be very advanced, but they are really aggressive in picking targets and once they have picked the target they are trying over and over again," Fagerland said.

The company seems sure that the group operates from India, as it repeatedly uses the same IP address and domain registrations.

In comparison to China, it's much easier to probe into the state of APT activity in India. There could be many groups in India performing similar acts.

Source: ZDNet