A number of distinct surveillance campaigns, including Operation Hangover, Patchwork, and Dropping Elephant, are now believed to be the work of a single group of hackers. The cyber attacks, all of which originated in India, are now being grouped together under the name Monsoon. The findings come courtesy of Forcepoint, the infosec firm that uncovered the evidence. The big question on everyone’s mind now is: who are Monsoon, and who do they work for?
The hackers, who are based in India, have been on the cybersec radar since 2013. At that time, BlueCoat spotted ‘Operation Hangover’ attacking corporate and government objectives, including high-profile targets in the US. Unbelievably, the hackers were successfully penetrating sophisticated targets with rather unrefined methods, including copying and pasting malware code found online.
When the hackers were discovered in 2013, Norman Shark’s team at BlueCoat found the motive behind the penetrations to be cyber espionage. At the time, however, Shark’s team believed that the hackers from India were a private surveillance operation. Since then, security experts have started to wonder whether the outfit is, in fact, a state-sponsored enterprise.
Amongst those found to have been hacked back in 2013 was Telenor, Norway’s major telecommunications company. As is always the case with this group of hackers, the penetration was orchestrated using spear-phishing emails. Further analysis revealed that the hackers had also been targeting other government departments and managerial-level corporate marks around the world.
New Evidence Emerges
Fast forward to last month, when Cymmetria and Kaspersky Lab discovered Patchwork APT and Dropping Elephant respectively: new evidence of hackers working in India that Forcepoint now believes is all one coherent operation, Monsoon APT.
That is the name that security researchers at Forcepoint Security Labs are giving to all three of the previously discovered campaigns. Three individual cyber espionage operations have now been revealed to be one and the same: a successful, ongoing cyber espionage operation that experts now believe may have been underway since 2010!
Forcepoint made the discovery by analyzing the domain names and server infrastructure employed during the cyber attacks. During that process, the firm encountered various overlaps between the three different operations, including similar Tactics, Techniques, and Procedures (TTPs).
Analysis of IP address data placed the hacks in more than a dozen countries, which likely points to the use of proxy or shared IP servers. However, in-depth analysis of website domain registrations and text-based identifiers within the attacks revealed the hackers to be in India.
Then something else was noticed! Monsoon, Operation Hangover, Patchwork and Dropping Elephant all appeared to be operating in cycles, and the same cycles at that, the last of which began in December of 2015.
With all the operations using the same techniques and running during the same periods of time, the connection began to prove undeniable.
So, how were the Indian hackers targeting so many managerial-level professionals and government organizations?
Firstly, the spear-phishing emails were tailored to revolve around current affairs, in particular stories concerning the military. Those emails then infected the victim with malicious Microsoft Office files that in turn delivered a backdoor Trojan.
The malicious Microsoft Office files took advantage of three separate vulnerabilities to deliver the payload: CVE-2012-0158, CVE-2014-6352, and CVE-2015-1641. Two of these may have been used to enable remote code execution as well.
Interestingly, considering the sophistication of the targets exploited by the Indian hackers, Cymmetria and Kaspersky admit that the Command and Control (C&C) servers employed are rather unglamorous, relying on simple methodology and copy-and-pasted malware code, including C&C infrastructure hosted on RSS feeds, forums, and GitHub accounts. As Kaspersky put it:
‘The modus operandi of “Dropping Elephant” (also known as “Chinastrats”) could hardly be called sophisticated. The attackers rely heavily on social engineering and low-budget malware tools and exploits. However, this approach seems to be effective, which makes this actor a dangerous one.’
According to Kaspersky’s findings, the Indian hackers penetrated a mind-bending 6300 people in 110 countries. Add to that the fact that the espionage efforts continue even now, and you start to realize why these India-based hackers are so troubling.
Considering the level of the targets involved, and how little is known about the origin of the attacks, this is a pretty worrying ongoing campaign. So, the big question on everyone’s mind is: who is Monsoon, and who do they work for?
International Monsoon Season
Commenting on the most recent attacks, Forcepoint said:
‘The overarching campaign appears to target both Chinese nationals within different industries and government agencies in Southern Asia.
Among the evidence gathered during the Monsoon investigation were a number of indicators which make it highly probable that this adversary and the Operation Hangover adversary are one and the same.
These indicators include the use of the same infrastructure for the attacks, similar tactics, techniques, and procedures, the targeting of demographically similar victims and operating geographically within the Indian Subcontinent.’
With victims having been VIP targets from the US, Pakistan, and now China, it certainly seems they are gathering quite a treasure trove of knowledge during their surveillance escapades.
Whether the new evidence tying the four campaigns together helps people to evade the group’s hacking efforts is anyone’s guess. The evidence so far, however, suggests that the group may continue to operate even now that it has been exposed.
The reason? The methodology used by the Indian hackers relies on mistakes on the part of the victim. In Forcepoint’s words:
‘Spear Phishing to carefully-selected target individuals was the primary attack vector identified in the investigation. The attackers went to great lengths to make the social engineering aspects of the attack appear as credible and applicable as possible. In many cases, decoy files and websites were used, specifically geared to the particular sensibilities of regional targets including cultural and religious subject matter. Victims would click on what appeared to be an interesting document, and begin the long-running infection cycle.’
With that in mind, it would sadly appear that the current Monsoon season is set to continue.