A widespread espionage network that targeted a Norwegian telecommunications provider and several groups in Pakistan appears to have links to India, Norway-based security firm Norman AS and the Shadowserver Foundation stated in an analysis released on May 20.
The series of attacks, which researchers dubbed "Operation Hangover," spanned almost four years and appears to have the hallmarks of a nation-state surveillance and industrial-espionage platform.
Yet several oddities make it stand apart from groups previously investigated by security researchers. Unlike attacks attributed to Chinese and U.S. actors, for example, the alleged espionage network did not use zero-day exploits and overwhelmingly targeted Pakistan.
"The methods used were primarily based on different social engineering tactics rather than exploits, but history has shown that social engineering-based attacks can be very successful, confirmed once again by looking at the data we have been able to uncover," the authors stated in the paper.
The report is the first in-depth analysis of an espionage network that appears to be operated by attackers with connections to India. Yet the existence of such an effort is unsurprising: To date, evidence of espionage and sabotage networks operated by China, the United States, Russia, Iran and North Korea have come to light.
In the latest incident, security professionals from Norman AS and the Shadowserver Group investigated an attack on Telenor, a Norwegian telecommunications firm, and found signs of a network of compromised systems created to steal information. The researchers investigating the espionage network caught a break when they discovered that many of the command-and-control servers had publicly accessible folders that contained some of the logs, data and communications of the botnet.
"During this investigation we have obtained malware samples and decoy documents that have provided indications as to whom else would be in the target groups," the researchers stated in the report. "This showed a geographical distribution where Pakistan was the most affected in volume, but also showed a multitude of other countries being represented."
Networks for government agencies, companies and activist groups in Pakistan made up nearly two-thirds of the targeted IP addresses, while groups in Iran, the United States, Taiwan and Singapore made up roughly a quarter of the targets, the investigation found. Among the groups targeted were two secessionist groups as well as the Eurasian Natural Resources Corporation and an international mining group, Bumi PLC, based in Indonesia.
In many of the malware executables and file paths, the name of an Indian company repeatedly surfaced: Appin Security Group. In addition, some domains used by the espionage network appear to have been registered by Appin or someone posing as the company.
The researchers stressed that the strings could easily have been placed in the files and used to register domains as a way to place blame on the company.
"We are not implicating or suggesting inappropriate activity by Appin," they wrote. "Maybe someone has tried to hurt Appin by falsifying evidence to implicate them. Maybe some rogue agent within Appin Security Group is involved, or maybe there are other explanations. Getting to the bottom of that is beyond our visibility."
The company, which is a security training and consulting firm based in India, has denied having any link to the espionage network, according to one report.