Security researchers have detected a state-sponsored spyware campaign that’s leveraging the Ehdoor backdoor to target entities in India and Pakistan.
In July 2017, security provider Symantec sent a threat intelligence report to its clients. The analysis details a sustained digital espionage campaign dating back to at least October 2016.
Those responsible for the campaign use tactics and techniques in a manner that suggests they operate with “similar goals or under the same sponsor” as other attackers. Even so, the exact identity of the attackers is currently unknown. The report raises the possibility of a nation-state actor, but it does not name a state as the guilty party.
Symantec declined to comment further on attribution. As quoted in a statement provided to The Hill:
“Symantec has substantial investments in complex malware analysis, adversary intelligence and attribution. We provide these services in a confidential manner to our customers and do not comment publicly on the malware analysis, investigation and incident response services we provide.”
If true, this wouldn’t be the first time a state conducted a spyware attack against another state. Lithuania’s intelligence services detected three instances of Russian spyware on government computers. It’s believed the malware exfiltrated government documents and passwords and sent them to a website commonly used by Russian spy agencies.
So how does this newest campaign work?
Rahul Bhatia of Reuters, who gained access to the report, has the answer:
“To install the malware, Symantec found, the attackers used decoy documents related to security issues in South Asia. The documents included reports from Reuters, Zee News, and the Hindu, and were related to military issues, Kashmir, and an Indian secessionist movement.
“The malware allows spies to upload and download files, carry out processes, log keystrokes, identify the target’s location, steal personal data, and take screenshots, Symantec said, adding that the malware was also being used to target Android devices.”
Once a target opens one of these decoy documents, the campaign installs Ehdoor. This trojan opens a backdoor and allows its handlers to upload and download files, take screenshots, and log keystrokes. Ehdoor is also capable of stealing credentials for Skype and Outlook, as well as login details saved in most web browsers.
Tim Wellsmore, FireEye threat intelligence director for Asia Pacific, isn’t surprised by the campaign. As he told International Business Times UK:
“South Asia is a hotbed of geopolitical tensions, and wherever we find heightened tensions we expect to see elevated levels of cyber espionage activity. We have long found cross-border cyber espionage activity in the region. Many organizations in South Asia tend to have limited security controls compared to other mature markets. This makes it harder for these firms to detect advanced attacks. This improves the likelihood of return on investment for threat groups undertaking these operations.”
Symantec said in its report that the attackers behind this campaign are continually updating their malware to enhance its spying capabilities. Given that, all organizations - particularly those in South Asia - should focus on implementing basic security controls, including email filtering and malware defenses, and should conduct phishing simulations with their employees. Because the lures in this campaign were news-themed documents rather than obviously suspicious files, attachment filtering on its own will not stop every lure; it needs to be paired with endpoint malware defenses and user awareness.
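As an added illustration of the “email filtering” control recommended above (this is example code written for this page, not Symantec’s tooling or anything from the report), the script below triages mail attachments for the kind of document-themed lure described in the campaign. The page does not say what file types the decoy documents used or how they were delivered, so the example assumes lures arrive as mail attachments and applies generic checks: executable or double extensions, macro-enabled Office formats, and a mismatch between the claimed extension and the file’s magic bytes. The sample message, its addresses and the filenames are constructed for the example.

```python
"""Attachment triage for a mail gateway: flag attachments that pose as documents.

Added example for this page; not code from Symantec or from the Ehdoor report.
Extension lists and magic-byte signatures are generic assumptions, not indicators
taken from the campaign.
"""
import email
from email import policy
from email.message import EmailMessage

# Extensions that should never arrive from outside as a "document"
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse",
                   "vbs", "vbe", "hta", "lnk", "ps1"}
# Office formats that can carry VBA macros
MACRO_EXTS = {"docm", "xlsm", "pptm", "dotm", "xltm"}
# Extensions a user would read as an ordinary document
DOC_LIKE_EXTS = {"doc", "docx", "pdf", "xls", "xlsx", "ppt", "pptx", "rtf", "txt"}

# Leading bytes of common containers (assumed, generic signatures)
MAGIC = {
    b"MZ": "pe",                 # Windows executable
    b"PK\x03\x04": "zip",        # OOXML (docx/xlsx/pptx) or a zipped payload
    b"%PDF": "pdf",
    b"\xd0\xcf\x11\xe0": "ole",  # legacy Office (doc/xls/ppt), may carry macros
    b"{\\rtf": "rtf",
}
# Container each document extension is expected to use
EXPECTED_KIND = {"pdf": "pdf", "rtf": "rtf", "docx": "zip", "xlsx": "zip",
                 "pptx": "zip", "doc": "ole", "xls": "ole", "ppt": "ole"}


def sniff(data):
    """Identify the container from its magic bytes ('unknown' if none match)."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def triage_attachment(filename, data):
    """Return the reasons an attachment should be held for review (empty if none)."""
    reasons = []
    parts = filename.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    if ext in EXECUTABLE_EXTS:
        reasons.append(f"executable extension .{ext}")
    # Double extension such as report.doc.scr: looks like a document, runs as code
    if len(parts) > 2 and parts[-2] in DOC_LIKE_EXTS and ext not in DOC_LIKE_EXTS:
        reasons.append(f"document-looking double extension .{parts[-2]}.{ext}")
    if ext in MACRO_EXTS:
        reasons.append(f"macro-enabled Office format .{ext}")
    kind = sniff(data)
    if kind == "pe" and ext not in EXECUTABLE_EXTS:
        reasons.append(f"PE header but extension .{ext}")
    if kind == "ole":
        reasons.append("legacy OLE Office container (can carry VBA)")
    expected = EXPECTED_KIND.get(ext)
    if expected and kind != "unknown" and kind != expected:
        reasons.append(f"content is {kind} but extension .{ext} implies {expected}")
    return reasons


def triage_message(raw_bytes):
    """Walk a raw RFC 822 message and map suspicious attachment names to reasons."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        reasons = triage_attachment(name, data)
        if reasons:
            findings[name] = reasons
    return findings


def build_sample():
    """Constructed sample message: one disguised executable, one benign PDF."""
    msg = EmailMessage()
    msg["From"] = "news@example.invalid"      # constructed address
    msg["To"] = "analyst@example.invalid"     # constructed address
    msg["Subject"] = "Regional security update"
    msg.set_content("Please see the attached report.")
    # Lure: filename claims a Word document, bytes are a PE stub (constructed)
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 60,
                       maintype="application", subtype="octet-stream",
                       filename="security_report.doc.scr")
    # Benign PDF whose magic bytes match its extension (constructed)
    msg.add_attachment(b"%PDF-1.4\n%benign sample\n",
                       maintype="application", subtype="pdf",
                       filename="briefing.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, reasons in triage_message(build_sample()).items():
        print(f"HOLD {name}: {'; '.join(reasons)}")
```

A gateway rule built this way holds only the disguised executable and lets the PDF through, which is the point: filter on what the bytes are, not on what the filename says. A lure that really is a clean-looking document will still reach the user, which is why the page also calls for malware defenses and phishing simulations.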