The attacks, conducted by private threat actors over a period of three years and still ongoing, showed no evidence of state-sponsorship but the primary purpose of the global command-and-control network appears to be intelligence gathering from a combination of national security targets and private sector companies.
“The data we have appears to indicate that a group of attackers based in India may have employed multiple developers tasked with delivering specific malware,” commented Snorre Fagerland, head of research for Norman Shark labs in Oslo, Norway. “The organization appears to have the resources and the relationships in India to make surveillance attacks possible anywhere in the world. What is surprising is the extreme diversity of the sectors targeted, including natural resources, telecommunications, law, food and restaurants, and manufacturing. It is highly unlikely that this organization of hackers would be conducting industrial espionage for just its own purposes—which makes this of considerable concern.”
The investigation revealed evidence of professional project management practices used to design frameworks, modules, and subcomponents. It seems that individual malware authors were assigned certain tasks, and components were “outsourced” to what appear to be freelance programmers. “Something like this has never been documented before,” Fagerland added.
The discovery is currently under investigation by national and international authorities.
The discovery began on March 17th when a Norwegian newspaper reported that Telenor, one of the world’s largest mobile phone operators, a member of the world’s top 500 companies, and Norway’s major telecommunications company, had filed a criminal police case for an unlawful computer intrusion. Spear phishing emails targeting upper management appeared to be the source of the infection.
The behavior pattern and file structure of malware files made it possible, for security analysts at Norman Shark, to search internal and public databases for similar cases utilizing Norman’s Malware Analyzer G2 automatic analysis systems. The amount of malware found by Norman analysts and their partners was surprisingly large and it became clear the Telenor intrusion was not a single attack, but part of a continuous effort to compromise governments and corporations worldwide.
Norman Shark titled the report “Operation Hangover” after one of the cyber espionage malwares most frequently used in this case.
Based on an analysis of IP addresses collected from criminal data stores discovered during the investigation, it appears that potential victims have been targeted in more than a dozen countries. Specific targets include government, military and business organizations. Attribution to India was based on an extensive analysis of IP addresses, website domain registrations, and text-based identifiers contained within the malicious code itself.
Despite all of the recent media attention on so-called “zero day” exploits encompassing brand new attack methods, Operation Hangover appears to have relied on well-known, previously identified vulnerabilities in Java, Word documents, and web browsers.
“This type of activity has been associated primarily with China over the past several years but to our knowledge, this is the first time that evidence of cyber espionage has shown to be originating from India,” Fagerland concluded.
UPDATE: According to F-Secure, the Mac malware signed with legitimate Apple Developer ID discovered on an African human rights activist's computer at the Oslo Freedom Conference has been deployed by these same attackers.