India’s Cyberattack Infrastructure

In a detective story worthy of Sherlock Holmes, Norman has uncovered the cyberattack infrastructure that India appears to be using to spy on systems in Pakistan and elsewhere. Anyone interested in a real life IT detective story should read Unveiling an Indian Cyber attack Infrastructure.

On March 17, 2013, the Norwegian press reported that Telenor, the Norwegian telecommunications company, had filed a complaint with the Norwegian police about suspected unlawful intrusion into Telenor’s computer network.  The intrusion appeared to have been accomplished using — you guessed it — spearphishing.  Another example of the triumph of social engineering over technical defenses.

As Norman conducted their investigation they discovered that the attackers had done a very good job of covering their tracks.  But, as in any good detective story, not a perfect job.  The break in the case came when Norman accidentally discovered that the attackers had left behind Command and Control servers which contained readable folders. These folders contained connection logs, keylogs and data uploaded from compromised systems. The folders also contained malicious code. Some of this code was digitally signed. These clues lead to the discovery of a network of IT resources used in the attacks. Using this data, Norman was able to create a domain map of the attack infrastructure.

Norman’s efforts also uncovered decoy documents that were used as bait in the spearphishing emails. Norman observed:

… the attackers have gone to great lengths to make the social engineering aspect as credible and applicable as possible.

Norman’s report includes many samples of compelling bait.  While it is hard to pick just one, this is an example of the compelling materials that were used to lure victims:

decoy document

In addition to highly relevant bait, the social engineering efforts included cleverly devised cousin domains clearly intended to deceive the recipient into believing the bait came from a trusted sender.

At Iconix, our goal is to make this threat vector less effective. Spearphishers deceive employees into making bad email decisions that compromise security. IT needs to help employees make better email processing decisions. That is where SP Guard comes into play. Using SP Guard, IT can determine a list of trusted senders and provide this information to staff in a simple and highly effective manner.

You can contact us at  408-727-6342,ext 3 or use our online form.


Comments are closed.