Pakistani Hacking Team Celestial Force Spies on Indian Govt, Defense

Published: 23/11/2024   Category: security




Against a backdrop of political conflict, a years-long cyber-espionage campaign in South Asia is coming to light.



A Pakistani threat actor has been spying on Indian government-associated entities for at least six years.
A new report from Cisco Talos collates years of cyber espionage by a group it calls Cosmic Leopard, under the umbrella title Operation Celestial Force. The Pakistan-based Cosmic Leopard overlaps with, but as yet remains distinct from, the threat actor known as Transparent Tribe. Cosmic Leopard's attacks focus on espionage and surveillance against individuals and organizations associated with India's government and defense sectors, as well as related technology companies.
"What we're seeing is constant, persistent efforts to infect targets of interest, and establish long-term access," says Asheer Malhotra, Cisco outreach researcher. "I'm pretty sure that the threat actors themselves don't know specifically what they're looking for. The intention here is to get as much data as they can, so that they can analyze it and then figure it out at a later stage."
Signs of Cosmic Leopard activity date back to 2016, when it created a Windows version of its GravityRAT Trojan.
Since then, Malhotra says, "We've seen a constant evolution in everything they do, basically."
In 2019, for example, the group developed its HeavyLift malware loader, and Android versions of GravityRAT for targeting mobile devices. macOS, too. "We've also seen a constant evolution in the TTPs [tactics, techniques, and procedures] used by the threat actor. They used to send out phishing messages; now they establish conversations with victims over social media channels. At the same time, they're setting up new infrastructure which they can use to outrun detection," he explains.
In all, a current Celestial Force attack looks something like this:
First, a spear-phishing email or social media message arrives, containing a malicious document or, more often, a link. The link leads to what looks like a website for downloading a legitimate application, but the download actually carries GravityRAT or HeavyLift.
In its Android form, GravityRAT is a fairly standard but capable mobile Trojan. It can read and delete SMS messages, call logs, and files, and it collects device information: SIM card details, phone number, IMEI, manufacturer, network operator, location, and more.
HeavyLift is an executable masked as a legitimate installer. Typically, it installs both a harmless decoy application and a malicious one on the device. The malicious component can gather and exfiltrate a variety of system data, download further payloads, and check whether it is running in a virtual machine.
It doesn't have to do any of that, however, to be effective.
"HeavyLift has a component that can download and run additional malware on the victim system, but it also gives the victim the ability to upload data to the threat actor's cloud," Malhotra explains. "In some scenarios, the threat actor simply tells a target over social media about their cloud storage application. The threat actor is being upfront about it. They say this is a cloud storage application, you can store all of your data in it. And once the target starts uploading all of their data, they have access to it, so they don't need to go in and steal from them."
It works so well, says Cisco lead security researcher Vitor Ventura, because "if you go to the site, if you go through the UI, it's really, really well done. Even while we were investigating the malware, it seemed almost like a legitimate application. It started a discussion between us, like, OK, is this really malicious or not?"
Luckily, steering clear of these attacks on mobile devices is simple: only download software from authorized app stores (for Android, that's Google Play). "Unless the attacker uses a zero-day, or n-day if the system is not updated, that's pretty much the only way they can get into the Android ecosystem," Ventura notes.
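The app-store advice is easy to state but hard to verify across a fleet, since Android gives administrators little visibility. The following audit is an added example, not code from the article or from Cisco Talos: it reads the output of `adb shell pm list packages -i` (which prints each package with the package name of whatever installed it) and flags every app that did not come from Google Play (installer package `com.android.vending`). The sample output is constructed; the `com.example.*` package names are placeholders, and the set of trusted installers is an assumption to be adjusted per organization (an enterprise MDM agent, for instance). Live mode assumes `adb` on PATH and an authorized device.

```python
"""Flag Android packages that were not installed from Google Play.

Added example (not from the article or the Talos report). Parses the output of
`adb shell pm list packages -i`, whose lines look like:
    package:com.android.chrome  installer=com.android.vending
Sideloaded apps (file manager, browser download, adb install) show a different
installer package or `installer=null`.
"""
import re
import subprocess
from typing import Dict, List, Optional, Set

PLAY_STORE = "com.android.vending"

# Assumption: only Google Play is trusted. Add your MDM agent's package here if
# it pushes apps to managed devices.
TRUSTED_INSTALLERS: Set[str] = {PLAY_STORE}

# One line of `pm list packages -i` output: package name, then installer name.
LINE_RE = re.compile(r"^package:(?P<pkg>\S+)\s+installer=(?P<inst>\S+)$")


def parse_pm_output(text: str) -> Dict[str, Optional[str]]:
    """Map package name -> installer package; None when the device reports 'null'."""
    packages: Dict[str, Optional[str]] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore warnings or blank lines mixed into the output
        inst = m.group("inst")
        packages[m.group("pkg")] = None if inst == "null" else inst
    return packages


def find_sideloaded(packages: Dict[str, Optional[str]],
                    trusted: Set[str] = TRUSTED_INSTALLERS) -> List[str]:
    """Return (sorted) package names whose installer is not in the trusted set."""
    return sorted(pkg for pkg, inst in packages.items() if inst not in trusted)


def audit_device(serial: Optional[str] = None) -> List[str]:
    """Run the audit against a connected device. Requires adb on PATH (assumption)."""
    cmd = ["adb"] + (["-s", serial] if serial else [])
    # -3 restricts the listing to third-party (non-system) packages.
    cmd += ["shell", "pm", "list", "packages", "-i", "-3"]
    out = subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
    return find_sideloaded(parse_pm_output(out))


# Constructed sample output; package names other than Chrome/WhatsApp are placeholders.
SAMPLE_OUTPUT = """\
package:com.android.chrome  installer=com.android.vending
package:com.example.cloudshare  installer=null
package:com.example.viewer  installer=com.google.android.packageinstaller
package:com.whatsapp  installer=com.android.vending
"""

if __name__ == "__main__":
    for pkg in find_sideloaded(parse_pm_output(SAMPLE_OUTPUT)):
        print("not installed from Google Play:", pkg)
```

On the constructed sample this reports `com.example.cloudshare` (installed with `installer=null`, typical of `adb install`) and `com.example.viewer` (installed through the on-device package installer, i.e. a downloaded APK). A package that arrived via Google Play but is itself malicious would of course pass this check; the audit only enforces the install-source rule the researchers recommend.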
Windows computers lack this simple fix, but they have an advantage of their own.
"When you think about Android, organizations don't have that much visibility into what's going on on these devices. It's a harder environment for organizations to control. With laptops, there is better visibility," Ventura explains.
With that extra visibility, organizations can apply layered security to prevent one employee's wayward click from becoming an organization-wide issue.
"When people get a link or when they get a file, they want to see what's inside," he says. "Rather than denying reality, we need to go to the next level, and prevent that [decision] from becoming something much worse."
