Pakistani hackers posed as members of the press in an effort to compromise the computers of government officials in India, an American cybersecurity firm said Friday.
After creating a fake news website, suspected Pakistani hackers emailed various Indian officials in mid-May with messages containing a malicious Microsoft Word document that had been crafted to exploit a 4-year-old vulnerability affecting Windows computers, researchers at FireEye wrote on the security firm’s blog this week.
The emails were sent so that they would appear to come from the “News Desk” at the Times of India, and recipients were advised to download an attachment to read a report purportedly concerning the 7th Pay Commission, a financial advisory group intermittently established by the Indian government.
“These Commissions periodically review the pay structure for Indian government and military personnel, a topic that would be of interest to government employees,” wrote Yin Hong Chang and Sudeep Singh of FireEye.
Instead of containing legitimate information, however, the malformed attachments were designed in a manner that put anyone who opened the file at risk of being hacked.
By exploiting a Microsoft vulnerability that was first publicized in 2012, the malicious Word file aimed to create a backdoor on the infected computers that could be used later on by hackers to remotely and surreptitiously run commands on the compromised machines.
FireEye said that an analysis of the malware revealed that communications to those potentially infected computers were routed through a previously known Internet address associated with a Pakistan-based advanced persistent threat (APT) group, and that those hackers have been targeting South Asian political and military targets for several years.
Cyber campaigns in which specific individuals are targeted with custom, often innocuous-seeming emails are referred to as “spear-phishing.” The U.S. Department of Homeland Security’s Industrial Control Systems Cybersecurity Emergency Response Team, or ICS-CERT, said in April that nearly 100 attacks against the critical manufacturing sector in 2015 involved the tactic.
“Being relatively easy to execute and demonstrably effective, spear-phishing continues to be a common method of initial access against critical infrastructure targets,” ICS-CERT said at the time.
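The lure described above relies on two things a mail gateway can check before a user ever opens the attachment: a display name that claims to be a news desk while the actual sender domain belongs to nobody at that outlet, and an Office document that needs to be opened to do anything. The following is an added illustration, not code from FireEye or from the article; the brand-to-domain allow-list, the sender domains and the sample messages are all constructed for the example.

```python
import os
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr
from email import message_from_string

# Assumed allow-list: brands a display name might invoke, mapped to the
# domains that legitimately send mail for them (illustrative, not authoritative).
KNOWN_BRANDS = {
    "times of india": {"timesofindia.com", "indiatimes.com"},
}

# Attachment types that only become dangerous once a recipient opens them.
RISKY_EXTENSIONS = {".doc", ".docx", ".rtf", ".xls", ".xlsx"}


def _domain(addr: str) -> str:
    """Return the lower-cased domain part of an address, or '' if absent."""
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def analyze_message(raw: str) -> list[str]:
    """Return a list of human-readable findings for one raw RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []

    display, addr = parseaddr(str(msg.get("From", "")))
    sender_domain = _domain(addr)

    # 1. Display-name impersonation: the name invokes a known brand but the
    #    sender domain is not one the brand is known to use.
    for brand, domains in KNOWN_BRANDS.items():
        if brand in display.lower():
            trusted = any(sender_domain == d or sender_domain.endswith("." + d)
                          for d in domains)
            if not trusted:
                findings.append(
                    f"display name '{display}' invokes '{brand}' but sender domain is "
                    f"'{sender_domain or '<none>'}'")

    # 2. Reply-To pointing somewhere other than the sender's domain.
    reply_to = parseaddr(str(msg.get("Reply-To", "")))[1]
    if reply_to and _domain(reply_to) != sender_domain:
        findings.append(f"Reply-To domain '{_domain(reply_to)}' differs from sender domain")

    # 3. Office attachments the recipient is being urged to open.
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = os.path.splitext(name)[1].lower()
        if ext in RISKY_EXTENSIONS:
            findings.append(f"office attachment '{name}' (type {part.get_content_type()})")

    return findings


def build_sample(from_header: str, filename: str) -> str:
    """Construct a sample message for the demonstration (not a real capture)."""
    m = EmailMessage()
    m["From"] = from_header
    m["To"] = "official@example.test"
    m["Subject"] = "Report on the 7th Pay Commission"
    m.set_content("Please find the attached report.")
    # Placeholder bytes standing in for the attachment body.
    m.add_attachment(b"constructed placeholder, not a document",
                     maintype="application", subtype="msword", filename=filename)
    return m.as_string()


if __name__ == "__main__":
    lure = build_sample('"Times of India News Desk" <newsdesk@lookalike-sender.test>',
                        "7th_pay_commission.doc")
    for finding in analyze_message(lure):
        print("FLAG:", finding)
```

The check is deliberately header-only: it does not parse the Word file, so it runs cheaply at the gateway, and both findings together (brand impersonation plus an Office attachment) are a reasonable trigger for quarantining the message for a second look rather than delivering it.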
Indeed, the U.S. government used a similar tactic in 2007 to home in on an individual accused of sending bomb threats to a Washington state high school.
Court documents related to the case later revealed that an FBI agent forwarded a link to the suspect’s MySpace account, which appeared to link to an Associated Press article published by the Seattle Times website, but actually contained malware that was loaded onto the recipient’s computer and subsequently allowed authorities to identify the individual’s location.
“We are outraged that the FBI, with the apparent assistance of the U.S. Attorney’s Office, misappropriated the name of The Seattle Times to secretly install spyware on the computer of a crime suspect. … Not only does that cross a line, it erases it,” Seattle Times editor Kathy Best said when details about the operation were revealed in 2014.
A representative with FireEye told The Washington Times on Friday that a confidentiality agreement prevented the company from saying which government agencies in India were targeted, as well as how many officials received the email and if any of them were compromised as a result of the campaign.
In a blog post, however, its researchers said they were hardly surprised by the tactics relied upon in launching last month’s assault.
“As with previous spear-phishing attacks seen conducted by this group, topics related to Indian Government and Military Affairs are still being used as the lure theme in these attacks and we observed that this group is still actively expanding their toolkit,” the researchers wrote. “It comes as no surprise that cyber attacks against the Indian government continue, given the historically tense relations in the region.”
• Andrew Blake can be reached at ablake@washingtontimes.com.