Ride the Lightning

Cybersecurity and Future of Law Practice Blog
by Sharon D. Nelson Esq., President of Sensei Enterprises, Inc.

India's Operation Hangover Cyberattacks Target Pakistan – and Law Firms

May 23, 2013

A recent story from SC Magazine reported that researchers at the Oslo, Norway-based security firm Norman have released a comprehensive report examining an espionage infrastructure with many worldwide targets that seems to focus on Pakistan.

Dubbed "Operation Hangover" by Norman because of the use of the word "hangover" in a text string that was included in many of the malware samples researchers studied, the campaign has two objectives: Retrieve national-security information that could be relevant to India and engage in industrial espionage.

Norman researchers first discovered the network in March, when the network of Norwegian telco Telenor was hit by malware that was delivered via spear phishing attacks.

The investigation showed that the operation went back several years, with the attack infrastructure primarily used as a means to extract security-related information from neighboring Pakistan and, to a lesser extent, China. There is apparently no indication, at least yet, that the hacking is state-sponsored. But it is notable how many Pakistani targets there are.

Beginning last year, the organization began engaging in corporate and industrial espionage. High-profile victims in the United States included the Chicago Mercantile Exchange and a number of law firms and design companies.

Some of the attacks leverage already-patched vulnerabilities in products like Microsoft Word and Oracle's Java, but in many cases the hackers simply count on victims running an executable. Norman has studied 8,000 strains of malware and 600 domains or subdomains that either serve malware or receive data uploaded from the targets. However, none of the malware being used is particularly advanced, and none of it uses obfuscation or encrypts its network communication.

Researchers are convinced all of the attacks are related, based on the malware design. In addition, they are confident the intruders are operating out of India, an attribution they base on IP addresses, domain registrations and identifiers contained in the malware code.
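Two points above lend themselves to a small defender-side illustration: the malware is unobfuscated and uploads data over plain, unencrypted network traffic, and the samples were tied together by shared strings in their code (the word "hangover" being the one the post names). The following triage helper is an added example written for this post; it is not code from the original article or from Norman's report. It scans a handful of constructed sample blobs for plaintext markers, clusters samples that share a marker, pulls out the host of any cleartext HTTP POST upload it finds, and flags e-mail attachment names that are executables in disguise. The "hangover" marker comes from the post; the second marker, the host names and all sample bytes are constructed placeholders, and an analyst would replace them with strings from their own investigation.

```python
"""Added triage example (not from the original post or Norman's report).

Given a set of suspicious files, group them by shared plaintext markers,
extract cleartext HTTP upload hosts, and flag risky attachment names.
All sample data below is constructed for illustration.
"""
import re
from collections import defaultdict

# Plaintext markers to look for in samples. "hangover" is the string the
# post mentions; the second entry is a hypothetical placeholder an analyst
# would replace with strings from their own findings (PDB paths, mutexes).
MARKERS = [b"hangover", b"PLACEHOLDER_CAMPAIGN_TAG"]

# A cleartext HTTP POST with a Host header: the unencrypted upload channel
# the post describes. Captures the destination host name.
HTTP_POST_RE = re.compile(
    rb"POST\s+/\S*\s+HTTP/1\.[01].*?\r?\nHost:\s*([\w.-]+)", re.S
)

# Extensions Windows will execute when double-clicked; a "document" name
# ending in one of these is the classic spear-phishing lure.
EXECUTABLE_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs", "js"}


def find_markers(blob: bytes) -> set:
    """Return the markers present in the blob (case-insensitive)."""
    lowered = blob.lower()
    return {m.decode() for m in MARKERS if m.lower() in lowered}


def find_upload_hosts(blob: bytes) -> set:
    """Return host names from any cleartext HTTP POST embedded in the blob."""
    return {h.decode() for h in HTTP_POST_RE.findall(blob)}


def risky_attachment(filename: str) -> bool:
    """True if the attachment is an executable or hides one behind a
    double extension such as report.pdf.exe."""
    parts = filename.lower().split(".")
    return len(parts) > 1 and parts[-1] in EXECUTABLE_EXTS


def triage(samples: dict) -> dict:
    """Analyse {filename: bytes} and return per-sample findings plus
    marker-based clusters of related samples."""
    findings = {}
    clusters = defaultdict(list)
    for name, blob in samples.items():
        markers = find_markers(blob)
        findings[name] = {
            "markers": sorted(markers),
            "upload_hosts": sorted(find_upload_hosts(blob)),
            "is_pe": blob[:2] == b"MZ",          # DOS/PE header magic
            "risky_name": risky_attachment(name),
        }
        for m in markers:
            clusters[m].append(name)
    return {
        "findings": findings,
        "clusters": {k: sorted(v) for k, v in clusters.items()},
    }


# Constructed sample files: the bytes and host names are placeholders.
SAMPLES = {
    "invoice.pdf.exe": (
        b"MZ\x90\x00 ... hangover-build ... "
        b"POST /upload.php HTTP/1.1\r\nHost: collector.example.invalid\r\n"
    ),
    "update.exe": b"MZ\x90\x00 nothing recognisable here",
    "minutes.doc": b"\xd0\xcf\x11\xe0 hAnGoVeR",
}


if __name__ == "__main__":
    result = triage(SAMPLES)
    for name, info in result["findings"].items():
        print(name, info)
    print("clusters:", result["clusters"])
```

Running it prints one line per sample and a final cluster map showing that `invoice.pdf.exe` and `minutes.doc` share the "hangover" marker, which is the kind of string overlap that let the researchers treat thousands of samples as one campaign. The cleartext POST host is recoverable precisely because nothing is encrypted, so the same check can be applied to a proxy log or packet capture rather than to the binary.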

Some have said that India isn't associated with digital espionage campaigns because it is Westernized and democratized. This causes a Spock-like raise of the eyebrow from me since the U.S. is clearly a player in cyberattacks. But I agree that a large portion of this particular set of cyberattacks, while coordinated, may be just another case of "outsource it (cyberespionage) to India" in search of valuable intellectual property.