Threat Intelligence

Espionage hacking campaign “Operation Hangover” originates in India

Move over China. India is fast becoming a hotbed of advanced persistent threat (APT) activity.

Researchers at the Oslo, Norway-based security firm Norman on Monday, building on earlier analysis from ESET, released a comprehensive report that examines an espionage infrastructure that has set its sights on targets across the world, but mostly in Pakistan.

Dubbed "Operation Hangover" by Norman because of the use of the word "hangover" in a text string that was included in many of the malware samples researchers studied, the campaign has two objectives: Retrieve national-security information that could be relevant to India and engage in industrial espionage.

Norman researchers first caught a glimpse of the network in March, when the network of Norwegian telco Telenor was hit by malware that was delivered via spear phishing attacks.

"We thought that was pretty interesting, and we started digging into this malware," said Snorre Fagerland, principal security researcher at Norman.

The investigation showed that the operation dated back several years, with the attack infrastructure primarily used as a means to extract security-related information from neighboring Pakistan and, to a lesser extent, China. But there's no indication that any of the efforts are state-sponsored, Fagerland said.

"We just got indications today of more Pakistani targets than I was aware of," he said. "We probably haven't mapped out all of that completely."

Then, beginning last year, the organization began also engaging in corporate and industrial espionage, pointing their malware at a motley collection of sectors. High-profile victims in the United States included the Chicago Mercantile Exchange and a number of law firms and design companies. Austria-based Porsche also was hit, as were a few manufacturing organizations in the U.K. And the campaign appears connected to a recently discovered compromise of an Angolan dissident's computer at a human rights conference in Oslo.

Some of the attacks are leveraging already-patched vulnerabilities in products like Microsoft Word and Oracle's Java, but in many of the cases, the saboteurs are relying on victims merely running an executable. All told, as part of the campaign, Norman has studied 8,000 strains of malware and 600 domains or subdomains that either are serving malware or receiving uploaded data from its targets. However, none of the malware being used is particularly advanced, he added.

ESET researchers agreed, saying the malware didn't employ techniques that could help it evade detection, such as obfuscation or network communication encryption.

"Targeted attacks are all too common these days, but this one is certainly noteworthy for its failure to employ advanced tools to conduct its campaigns," Jean Ian-Boutin, malware researcher at the security company, wrote Thursday in a blog post. "[P]ublicly available tools to gather information on infected systems shows that the attackers did not go to great lengths to cover their tracks. On the other hand, maybe they see no need to implement stealthier techniques because the simple ways still work."

Fagerland said researchers are convinced all of the attacks are related, based on the malware design that's being used. In addition, they are confident the intruders are operating how out of India, an attribution they attribute to IP addresses, domain registrations and identifiers contained in the malware code.

However, India, despite being a tech-savvy nation, isn't a place that one often associates with well-coordinated digital espionage campaigns, he said, mostly because the country is fairly Westernized and democratized. It's probable, Fagerland said, that the IP theft that is happening is not being done at the government's behest but as part of contract work with some other party that may not even be based in India.

"What I also think we're looking at is there appears to be a market for this kind of service, if it is indeed a service," Fagerland said. "Quite a lucrative market. If we're talking about valuable IP which is being stolen, that is very likely quite expensive."

But compared to China, analyzing the state of APT in India is much easier.

"That seems like a chaotic situation," Fagerland said of China. "You have lots and lots of different people, but it's very difficult to find out how all these people interconnect and how they operate by and large. But when it comes to this actor, everything becomes very niche and tidy. Malware creation is doled out in nice packages. It's very systematic, if not advanced."

Yet, he admitted, there could be many other groups operating in India, performing similar acts.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.