A suspected state-sponsored cyberespionage campaign, dating back to October 2016, targeting Indian and Pakistan entities, has reportedly been detected by security experts. Although the identity and motive of the hackers remain a mystery the malware poses a risk to South Asian governments and militaries, Reuters reported, citing security researchers at Symantec that identified the campaign.
Security experts say that the data-stealing spy malware came laced with the Ehdoor backdoor. The backdoor has reportedly been previously used in cyberespionage campaigns against Middle Eastern countries.
The hackers reportedly lured victims by using decoy documents that contained reports relating to security issues, as well as news reports from Reuters, the Hindu and Zee News, that pertained to Kashmir, military issues and an Indian secessionist movement.
Symantec's report about the cyberespionage campaign comes amid rising border tensions between India, Pakistan and China. However, it is still unclear whether the campaign is related to border tensions, especially given that the campaign dates back to last year, experts say.
Symantec told IBTimes UK that it does not "comment publicly on the malware analysis, investigation and incident response services we provide exclusively for our customers".
Gulshan Rai, the director general of CERT-In, which was reportedly established in February to help Indian firms detect and deal with malware, refrained from commenting on the specific campaign. However, he said, "We took prompt action when we discovered a backdoor last October after a group in Singapore alerted us." Rai did not elaborate on whether the backdoor detected was Ehdoor or some other, related to a separate attack.
According to Symantec, the cybercriminals operating the backdoor are continuously updating it with "additional capabilities" for spying campaigns.
"There was a similar campaign that targeted Qatar using programs called Spynote and Revokery," Reuters cited an anonymous security expert as saying. "They were backdoors just like Ehdoor, which is a targeted effort for South Asia."
A FireEye spokesperson said that initial analysis of the malware indicated that it was submitted to a malware testing service by an IP address in Pakistan. However, it is unclear whether the sample was uploaded by a victim or the attackers.
A senior official with Pakistan's Federal Investigation Agency, who reportedly requested anonymity, said that the agency had not received any reports of incidents involving malware from its government IT departments.
It is still unclear as to what organisations or individuals were targeted by the hackers. It is also uncertain as to whether the malware successfully infiltrated any systems to steal sensitive data.
"South Asia is a hotbed of geopolitical tensions, and wherever we find heightened tensions we expect to see elevated levels of cyber espionage activity. We have long found cross-border cyber espionage activity in the region," Tim Wellsmore, FireEye threat intelligence director for Asia Pacific told IBTimes UK. "Many organizations in South Asia tend to have limited security controls compared to other mature markets. This makes it harder for these firms to detect advanced attacks. This improves the likelihood of return on investment for threat groups undertaking these operations."