Researchers explained the final payload can capture sensitive information including screenshots, keystrokes, and files from the affected system.
An advanced persistent threat (APT) group with links to Pakistan is targeting critical Indian infrastructure of public enterprises, according to a report by cybersecurity firm Seqrite, the enterprise arm of Quick Heal Technologies Limited.
Seqrite is said to have alerted government authorities, and is working with them to keep potential targets safe. It did not name any specific public sector enterprises in its report, but said that firms related to telecommunications, finance and power have been targeted.
The research firm suspects the attack to be a cyber-espionage campaign launched to get access to sensitive information to gain a competitive advantage against India. As part of the campaign, attackers are sending out phishing emails with government-themed documents in an attempt to lure targets into opening the attachments.
The malicious actors have enhanced the attack tools and methods, as compared to last year, to make detection difficult, it noted.
Researchers explained the final payload can capture sensitive information including screenshots, keystrokes, and files from the affected system. It can also execute commands received as instructions from the attackers' command-and-control (C2) servers.
“The group can potentially steal critical intel from the government agencies and their subsequent bodies,” researchers said. “They can even use that information to make more lures and target other Government departments.”
In October last year, reports surfaced that an APT group had targeted Indian Defence units. The latest findings from Seqrite show that the campaign, dubbed ‘Operation SideCopy’ and active since 2019, appears to be a cyber espionage campaign with links to the Pakistan-backed Transparent Tribe group.
According to the Seqrite report, hackers were leveraging compromised websites, which resemble the websites that the targeted organizations would generally access.
“This revelation further strengthens the claim that Operation SideCopy which is operated by the Transparent Tribe group is originating in Pakistan,” Seqrite said.
By examining the C2 servers, researchers were able to identify the targets as government enterprises providing critical infrastructure in the telecom, power and finance sectors. Since several C2 servers are in use, more entities could be on the attackers' radar.