Categories: Cyber CrimeSecurity

Operation Hangover, the Indian Cyberattack Infrastructure

Operation Hangover is the title of a report published by Norman Shark that details a sophisticated cyberattack infrastructure that appears to originate from India, conducted by private threat actors with no evidence of state-sponsorship.

Operation Hangover, this is the name assigned by Norman Shark’s security analyst team to an interesting report revealing a large and sophisticated cyber-attack infrastructures that appears to have originated from India.
The cyber attacks have primary purpose of cyber espionage, they seem to be conducted by private entities over a period of three years. The attacks are still ongoing and there is no evidence of state-sponsored commitment, even if principal security experts are convinced that we are facing with a a government intelligence operation.

The concerning news is that the cyber espionage campaign Operation Hangover is still ongoing gathering information from national security targets and private sector companies mostly based in Pakistan and in the United States.


The story begun on March 17th, when a Norwegian newspaper revealed that Telenor, Norway’s major telecommunications company,  denounced to the authorities an unlawful computer intrusion, the attack was malware based and Norman Shark analyst team revealed that many other similar intrusions hit the company.

The Norman Shark’s team discovered that hackers of Operation Hangover used spear phishing emails targeting senior management of corporate and government institutions.

Spear phishing to carefully-selected target individuals was the primary attack vector identified in the investigation. The attackers went to great lengths to make the social engineering aspects of the attack appear as credible and applicable as possible. In many cases, decoy files and websites were used, specifically geared to the particular sensibilities of regional targets including cultural and religious subject matter. Victims would click on what appeared to be an interesting document, and begin the long-running infection cycle.” Report states.

Analyzing IP addresses used by cyber criminals it appears that victims are located in more than a dozen countries, the claim that they are originate from India is based on analysis of IP addresses, website domain registrations and text-based identifiers contained within the malware used for attacks.

The malicious code used in the Operation Hangover campaign relied on various well-known previously identified vulnerabilities in popular software applications and browsers, such as Java and Word documents.

But how is it possible that well know vulnerabilities are exploited for a massive cyber espionage campaign?

The fact that the Operation Hangover was successful suggests that government organizations, defense and private businesses do not properly manage the update of their systems exposing them to serious risks. Snorre Fagerland, head of research for Norman Shark labs in Oslo, Norway declared:

“The data we have appears to indicate that a group of attackers based in India may have employed multiple developers tasked with delivering specific malware,” “The organization appears to have the resources and the relationships in India to make surveillance attacks possible anywhere in the world. What is surprising is the extreme diversity of the sectors targeted, including natural resources, telecommunications, law, food and restaurants, and manufacturing. It is highly unlikely that this organization of hackers would be conducting industrial espionage for just its own purposes—which makes this of considerable concern.”

The words of Fagerland leave no doubt, a group of hackers is targeting with sophisticated techniques an extreme diversity of the sectors, the investigation is still ongoing by international authorities.


The security analysts at Norman Shark evidenced a professional project management approach used for the campaign and the outsourcing of key tasks.

 “Something like this has never been documented before,” “This type of activity has been associated primarily with China over the past several years but to our knowledge, this is the first time that evidence of cyber espionage has shown to be originating from India,” commented Fagerland on code outsourcing and on the fact that hackers exploited well known flaws in popular applications.

Cyber ​​espionage is becoming one of the most frequent activities in cyberspace, its actions can cause devastating effects on entire economies and identify campaigns is becoming more and more complicated, but in cases like this the failure to update the target system has certainly contributed to the success of operations.

Pierluigi Paganini

(Security Affairs – Cyber espionage)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

Cisco addressed high-severity flaws in IOS and IOS XE software

Cisco addressed multiple vulnerabilities in IOS and IOS XE software that can be exploited to…

5 hours ago

Google: China dominates government exploitation of zero-day vulnerabilities in 2023

Google's Threat Analysis Group (TAG) and Mandiant reported a surge in the number of actively…

12 hours ago

Google addressed 2 Chrome zero-days demonstrated at Pwn2Own 2024

Google addressed two zero-day vulnerabilities in the Chrome web browser that have been demonstrated during…

23 hours ago

INC Ransom stole 3TB of data from the National Health Service (NHS) of Scotland

The INC Ransom extortion group hacked the National Health Service (NHS) of Scotland and is threatening…

1 day ago

CISA adds Microsoft SharePoint bug disclosed at Pwn2Own to its Known Exploited Vulnerabilities catalog

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds a Microsoft SharePoint vulnerability disclosed at the…

1 day ago

The DDR Advantage: Real-Time Data Defense

This is the advantage of Data Detection and Response (DDR) for organizations aiming to build…

1 day ago

This website uses cookies.