FireEye has revealed recent cyber attacks by a suspected Pakistan-based group against Indian government officials. On May 18, 2016, the group registered a fake news website and sent spear phishing emails to Indian government officials. The emails referenced the Indian Government’s 7th Central Pay Commission, a topic of interest among officials.
“This is another example of real world tensions reflected in cyberspace. There’s no silver bullet to fend off advanced cyber attacks. It’s critical for Indian organizations to bring together the technology, expertise and threat intelligence necessary to quickly detect and respond to these attacks,” said Bryce Boland, Chief Technology Officer for Asia Pacific at FireEye.
The emails were sent from timesofindiaa.in, a lookalike news domain registered by the attackers (note the doubled "a"). The group attached a malicious Microsoft Word document and wrote the emails as if from an employee of The Times of India, asking the recipient to open the attachment about the 7th Pay Commission.
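The lure domain above differs from the real one by a single character, which is exactly what a mail-gateway check can catch. The following is an added example, not FireEye's tooling or anything from the report: it extracts the sender domain from From: headers and flags domains whose second-level label is within a small edit distance of a trusted domain while not being trusted themselves. The trusted list and the sample headers are constructed for illustration; the TLD handling is deliberately naive (one label), and a real deployment would use the public suffix list and add homoglyph normalisation.

```python
import re

# Constructed allow-list of domains the organisation actually corresponds with.
TRUSTED_DOMAINS = ["timesofindia.com", "timesofindia.indiatimes.com", "gov.in", "nic.in"]

# Constructed sample From: headers; the first mimics the timesofindiaa.in lure.
SAMPLE_HEADERS = [
    "From: News Desk <desk@timesofindiaa.in>",
    "From: Colleague <officer@nic.in>",
    "From: Notices <noreply@timesofindia.com>",
    "From: Vendor <sales@example-supplies.net>",
]


def levenshtein(a, b):
    """Edit distance (insert, delete, substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def core_label(domain):
    """Label left of the TLD: 'timesofindiaa.in' -> 'timesofindiaa'.
    Assumes a single-label TLD; use the public suffix list in production."""
    labels = domain.lower().rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def sender_domain(header):
    """Pull the domain out of a From: header line, or None if absent."""
    m = re.search(r"@([A-Za-z0-9.-]+)", header)
    return m.group(1).lower() if m else None


def lookalike_domains(headers, trusted=TRUSTED_DOMAINS, max_distance=2):
    """Return (sender_domain, closest_trusted_domain, distance) for each
    sender whose core label is a near-miss of a trusted domain's core label
    but whose full domain is not itself on the trusted list."""
    trusted = [t.lower() for t in trusted]
    hits = []
    for header in headers:
        dom = sender_domain(header)
        if dom is None or dom in trusted:
            continue  # unparsable, or a genuinely trusted sender
        core = core_label(dom)
        best = None
        for t in trusted:  # list, not set, so ties resolve deterministically
            d = levenshtein(core, core_label(t))
            if d <= max_distance and (best is None or d < best[1]):
                best = (t, d)
        if best is not None:
            hits.append((dom, best[0], best[1]))
    return hits


if __name__ == "__main__":
    for dom, near, dist in lookalike_domains(SAMPLE_HEADERS):
        print(f"LOOKALIKE {dom} resembles {near} (edit distance {dist})")
```

Distance-based matching is a coarse filter: it will also flag legitimate regional variants (for example a brand's .in beside its .com), so route hits to a quarantine or analyst queue rather than blocking outright, and seed the trusted list from domains actually seen in outbound mail.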
The attachment is designed to install a backdoor that FireEye calls the Breach Remote Administration Tool (BreachRAT). FireEye had not previously observed this tool in use by these threat actors. It allows the attackers to download and run new programs, upload files from victims' systems to the attackers' servers, and perform a variety of other functions.
Only one of the recipient email addresses was publicly listed on a website, suggesting that the actor harvested the other, non-public addresses through other means.
The suspected Pakistan-based threat group has been active for several years, conducting suspected intelligence-collection operations against South Asian political and military targets. It is the same group that FireEye reported in March 2016 as having attacked Indian targets and Pakistani dissidents since 2013. In that earlier campaign the group hosted malicious documents on websites about the Indian Army rather than sending them directly as email attachments. The infrastructure used by the group is the same in both campaigns.