• 29 March, 2024
Geopolitics & National Security
MENU

Pak group targets India’s critical infrastructure, cybersecurity firm warns of phishing attack

Sun, 11 Jul 2021   |  Reading Time: 2 minutes

New Delhi [India] July 11 (ANI): A suspected Pakistani group has started modern phishing attacks on India’s sensitive infrastructures such as power, telecom and finance, according to a leading cybersecurity firm.

Pentapostagma reported that a cybersecurity consultant of Quick Heal Technologies said that a suspected Pakistani group has started a wave of sophisticated phishing attacks targeting India’s crucial infrastructure such as power and telecom.

As per the security consultant, the initial intrusion chain begins with a spear-phishing email — an email that is designed to get the user to install a virus, trojan or other malware.

Often, the emails pretend to be from government agencies, and also come attached with a fake document — such as an IT return — and urges the user to download and open it, reported Pentapostagma.

The firm found that the hackers would create fake websites that people working in the targeted organization would generally access.

“The email content attempts to lure the user into extracting the attached zip archive. Upon extraction, the user would see a document file which is in fact an extension spoofed LNK file which is usually seen as shortcuts,” the company said.

“If the user opens the document, the LNK payload gets launched and initiates the malicious activities in the background. To ensure the user is not suspicious, a decoy document is presented to him/her,” it said. LNK is a widely deployed Windows link format that is typically used as a shortcut to launch programs or executables.

“Once the LNK file is launched, it downloads the HTA payload from a compromised domain and executes it via mshta.exe. This HTA file is responsible for showing the decoy document to the user. In addition, it drops an executable of LimShell on disc and executes it.”

The consultant also said most of the backdoors used in this campaign are variants of NJRat, a remote access tool (RAT) or trojan which allows the holder of the programme to control the end-user’s computer.

The cybersecurity consultant found that the command and control servers were from Pakistan.

“Upon thorough analysis of the attack chain, the command-and-control (C2) server communication, and the available telemetry data, researchers at Seqrite (the security consultant) could identify some compromised websites that are being used to host the attack scripts and act as C2 servers.

“Further analysis of data accessible from some C2 servers led researchers at Seqrite to an IP address that was commonly found across different C2 servers. In fact, this IP address turned out to be the first entry in many logs, which indicated that the corresponding system is likely being used for testing the attack before launch.

Further investigation of that IP, it said, revealed that the provider of that IP address is Pakistan Telecommunication Company Limited.

“This revelation further strengthens the claim that Operation SideCopy which is operated by the Transparent Tribe group is originating in Pakistan. The report further revealed the list of targets that were identified through the analyzed C2s. These targets include Critical Infrastructure PSUs from telecom, power, and finance sectors.

“This is likely only a subset of targets since there are several other C2s being used in Operation SideCopy APT, which are probably targeting other entities,” it noted.

Seqrite alerted the government authorities and are working with them to keep potential targets safe, Pentapostagma further reported. (ANI)



Chanakya Forum is now on . Click here to join our channel (@ChanakyaForum) and stay updated with the latest headlines and articles.

POST COMMENTS (2)

P.S. eudonym

Jul 11, 2021
Pakistan attacks India on all fronts with its full force and little capability that they have. What is stopping us from Retaliating or Pre-emptive cyber strikes? What's the use of India being a so called IT hub when we can't utilize that ability for National Security and National Interest? There is a vacuum in International Cyber Security Rules and Framework and we need to take advantage of this to launch a devastating counter cyber-attack on our enemies.

BHAVIL GOYAL

Jul 11, 2021
So the ceasefire violation has a different face now. India should also create a cyberexpert team consisting of hackers and de- encryption experts. We should realise that existence of pakistan is detrimental to India's national security, for us to flourish we must cease to exist.

Leave a Comment

Featured Articles

Popular News