Pierluigi Paganini May 20, 2013

Operation Hangover is the title of a report published by Norman Shark that details a sophisticated cyberattack infrastructure that appears to originate from India, conducted by private threat actors with no evidence of state-sponsorship.

Operation Hangover, this is the name assigned by Norman Shark’s security analyst team to an interesting report revealing a large and sophisticated cyber-attack infrastructures that appears to have originated from India.
The cyber attacks have primary purpose of cyber espionage, they seem to be conducted by private entities over a period of three years. The attacks are still ongoing and there is no evidence of state-sponsored commitment, even if principal security experts are convinced that we are facing with a a government intelligence operation.

The concerning news is that the cyber espionage campaign Operation Hangover is still ongoing gathering information from national security targets and private sector companies mostly based in Pakistan and in the United States.

The story begun on March 17th, when a Norwegian newspaper revealed that Telenor, Norway’s major telecommunications company,  denounced to the authorities an unlawful computer intrusion, the attack was malware based and Norman Shark analyst team revealed that many other similar intrusions hit the company.

The Norman Shark’s team discovered that hackers of Operation Hangover used spear phishing emails targeting senior management of corporate and government institutions.

“Spear phishing to carefully-selected target individuals was the primary attack vector identified in the investigation. The attackers went to great lengths to make the social engineering aspects of the attack appear as credible and applicable as possible. In many cases, decoy files and websites were used, specifically geared to the particular sensibilities of regional targets including cultural and religious subject matter. Victims would click on what appeared to be an interesting document, and begin the long-running infection cycle.” Report states.

Analyzing IP addresses used by cyber criminals it appears that victims are located in more than a dozen countries, the claim that they are originate from India is based on analysis of IP addresses, website domain registrations and text-based identifiers contained within the malware used for attacks.

The malicious code used in the Operation Hangover campaign relied on various well-known previously identified vulnerabilities in popular software applications and browsers, such as Java and Word documents.

But how is it possible that well know vulnerabilities are exploited for a massive cyber espionage campaign?

The fact that the Operation Hangover was successful suggests that government organizations, defense and private businesses do not properly manage the update of their systems exposing them to serious risks. Snorre Fagerland, head of research for Norman Shark labs in Oslo, Norway declared:

“The data we have appears to indicate that a group of attackers based in India may have employed multiple developers tasked with delivering specific malware,” “The organization appears to have the resources and the relationships in India to make surveillance attacks possible anywhere in the world. What is surprising is the extreme diversity of the sectors targeted, including natural resources, telecommunications, law, food and restaurants, and manufacturing. It is highly unlikely that this organization of hackers would be conducting industrial espionage for just its own purposes—which makes this of considerable concern.”

The words of Fagerland leave no doubt, a group of hackers is targeting with sophisticated techniques an extreme diversity of the sectors, the investigation is still ongoing by international authorities.

The security analysts at Norman Shark evidenced a professional project management approach used for the campaign and the outsourcing of key tasks.

 “Something like this has never been documented before,” “This type of activity has been associated primarily with China over the past several years but to our knowledge, this is the first time that evidence of cyber espionage has shown to be originating from India,” commented Fagerland on code outsourcing and on the fact that hackers exploited well known flaws in popular applications.

Cyber ​​espionage is becoming one of the most frequent activities in cyberspace, its actions can cause devastating effects on entire economies and identify campaigns is becoming more and more complicated, but in cases like this the failure to update the target system has certainly contributed to the success of operations.

Pierluigi Paganini

(Security Affairs – Cyber espionage)