A "large and sophisticated cyber-attack infrastructure" emanating from India has hit national security interests and private companies during the last three years.

Indian Hackers Target Pakistan US China
An Indian Border Security Force (BSF) soldier opens a gate at the border with Pakistan in Suchetgarh, southwest of Jammu, January 12, 2013. (Credit: Reuters)

Research published this week by security firm Norman Shark documents a large and extremely organised group of hackers based in India who have used sophisticated techniques over the past three years to attack organisations in sectors ranging from natural resources and telecommunications to law, food and restaurants, and manufacturing.

While the framework has been predominantly used as a platform for surveillance against targets of national security interest, it has also been used for industrial espionage against civilian organisations - including Eurasian Natural Resources Corporation, which is based in London.

Targets in more than a dozen countries were identified, with specific targets including government, military and business organisations. While Pakistan was far and away the most targeted country, there were also significant attacks on targets in Iran, the US and China.

The cyber criminals created bespoke malware and social engineering techniques depending on which country was being targeted. For example in Pakistan they sent emails to their targets with subject lines and attached files relating to ongoing conflicts in the region, regional culture and religious matters.


While the infrastructure and organisation of the group was sophisticated, the malware they created appears to have relied on well-known, previously identified vulnerabilities in Java, Microsoft Word and web browsers.

"The data we have appears to indicate that a group of attackers based in India may have employed multiple developers tasked with delivering specific malware," commented Snorre Fagerland, head of research for Norman Shark labs in Oslo, Norway.

"It is highly unlikely that this organisation of hackers would be conducting industrial espionage for just its own purposes - which makes this of considerable concern."

In the report, Norman Shark says it cannot say for certain whether the attacks were carried out on behalf of others, and, if they were, who commissioned them - and whether all the attacks were commissioned by one entity or several.

Spear Phishing

The investigation into the group began in March of this year when it was reported that Telenor, Norway's largest telecommunications company had been the victim of an unlawful computer intrusion. The company's systems were infected following a spear phishing attack targeting upper management.

Using automated analytic tools, Norman Shark was able to identify a "surprisingly large" amount of similar malware on internal and public databases, indicating that the Telenor attack was not an isolated case.

The earliest recorded sample found dates back to 2010, but it appears 2012 was a very active year for this group, which saw escalation not only in the numbers of malware files created but also in the number of targets. "There is no sign that the attacks will slow down in 2013, as we see new attacks continuously," the report says.

The investigation was dubbed "Operation Hangover" after one of the most frequently discovered cyber-espionage tools.

While cyber-espionage on this scale has been seen before, it has mainly been associated with countries like China, Russia and the US, and this is the first time we have seen evidence of this type of cyber-espionage from India.

According to Bill Walker, security expert from UK cyber-training firm QA governments across the world are taking the growing threat of cyber crime "particularly seriously," especially threats against critical national infrastructure such as power, utilities and communications - as Telenor found out. "So too are most UK firms ever since, claims a Ponemon report, 90 percent of large businesses have fallen victim to a cyber security breach. There's been a massive surge in the number of cyber-security training courses booked in 2012, up 118% on the previous year, but it's going to take a lot more education to tackle this particular new threat."