Indian organizations are being bombarded with spearphishing and webserver attacks on multiple levels – and there is no end in sight
Kaspersky Lab has reported an increase in aggressive activity against Indian organizations involved in environmental, economic and government policy. The attackers have been targeting organizations for a few years now by abusing a Windows service – Windows Management Instrumentation (WMI) – to get access to sensitive information. The malicious operations have been executed with the help of WMIGhost/Shadow Trojan.
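The article says only that WMIGhost abuses WMI; it does not describe the mechanism. The place a defender checks first when WMI abuse is suspected is the permanent event-subscription store in the root\subscription namespace, where a malicious filter (trigger), consumer (payload) and binding survive reboots without touching the registry Run keys. The following PowerShell script is an added example written for this page, not code from Kaspersky Lab or from the WMIGhost campaign; it lists every filter-to-consumer binding with its trigger query and payload so an analyst can spot script or command-line consumers that do not belong. Whether WMIGhost used this particular persistence mechanism is an assumption the page does not confirm; treat the output as a general WMI-persistence audit. Run it in an elevated Windows PowerShell session.

```powershell
# Added example (not from the article): enumerate permanent WMI event subscriptions.
# Assumption: the attacker persisted via __EventFilter / __EventConsumer /
# __FilterToConsumerBinding in root\subscription. The article does not state this.
function Get-WmiPersistence {
    $ns = 'root\subscription'

    # Pull all three object types once; bindings reference filters and consumers by name.
    $filters   = Get-CimInstance -Namespace $ns -ClassName __EventFilter
    $consumers = Get-CimInstance -Namespace $ns -ClassName __EventConsumer
    $bindings  = Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding

    foreach ($b in $bindings) {
        # Filter and Consumer are reference properties; look the full instances up by Name.
        $f = $filters   | Where-Object { $_.Name -eq $b.Filter.Name }
        $c = $consumers | Where-Object { $_.Name -eq $b.Consumer.Name }

        $consumerClass = $c.CimClass.CimClassName

        # CommandLineEventConsumer runs a command; ActiveScriptEventConsumer runs
        # VBScript/JScript. Both are the usual carriers of a malicious payload.
        $payload = switch ($consumerClass) {
            'CommandLineEventConsumer'  { $c.CommandLineTemplate }
            'ActiveScriptEventConsumer' { if ($c.ScriptText) { $c.ScriptText } else { $c.ScriptFileName } }
            default                     { '(no inline payload for this consumer type)' }
        }

        [pscustomobject]@{
            Filter        = $f.Name
            TriggerQuery  = $f.Query          # WQL, e.g. a timer or process-start event
            Consumer      = $c.Name
            ConsumerClass = $consumerClass
            Payload       = $payload
            Suspicious    = ($consumerClass -in 'CommandLineEventConsumer','ActiveScriptEventConsumer')
        }
    }
}

# Usage: print every binding; on a clean workstation the list is normally empty or
# contains only entries you can trace to installed management software.
Get-WmiPersistence | Format-List
```

Any ActiveScriptEventConsumer or CommandLineEventConsumer you cannot attribute to known software deserves a closer look at its TriggerQuery and Payload; removing a confirmed malicious entry means deleting the binding, the consumer and the filter, in that order, with Remove-CimInstance.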
Kaspersky Lab Chairman and CEO Eugene Kaspersky said during his recent visit to Mumbai: “Over the past couple of years APTs have intensely targeted organizations and individuals across India. India’s developing technology base, its geographical location and size, its inclusive and riotous political energy, and its growing economic weight make it a special place of interest for ill-intentioned cyber attackers. Unfortunately there is quite a long list of APT groups targeting Indian organizations.”
To establish a foothold in target organizations, the Ghost campaign generally reuses current headline news as its spearphishing lure. For example, in a March 2014 attack this actor used an upcoming meeting between national energy labs and the Departments of Energy as the lure, sending out a decoy document with a misspelled name, “India US strategic dialouge press release.doc”. In another WMIGhost campaign this year, a spoofed unclassified military document, “united states air force unmanned aircraft systems flight plan 2009-2047.doc”, was sent simultaneously to several Indian targets using the same WMIGhost toolchain.
Kaspersky Lab detects the WMIGhost family as “Trojan.Win32.Gupd”.
“We are seeing more of these current attacks occurring throughout the country, targeting government and military agencies, NGOs, subcontractors and technology developers. The scope of these attacks is getting broader all the time. Meanwhile, other actors are currently working to exfiltrate more data from India. Indian organizations are being bombarded with spearphishing and webserver attacks on multiple levels – and there is no end in sight,” said Eugene Kaspersky.
The list of advanced persistent threat groups targeting Indian organizations is long. Among the malicious campaigns interested in Indian targets are the infamous Gh0stNet, Shadownet, Enfal, Red October, NetTraveler, LuckyCat, the Turla APT, Mirage and Naikon. In some cases Kaspersky Lab has seen unusual new techniques: the Chuli attackers infiltrating mobile devices, the Sabpub attackers focusing on Apple’s OS X machines, and various effective watering-hole attacks.