Cisco Talos warns of hacking campaign targeting India’s government, military staff
The campaign uses two commercial and commodity Remote Access Trojan (RAT) families known as NetwireRAT (aka Netwire RC) and WarzoneRAT (aka Ave Maria), it said in published findings on Thursday. “Operation Armor Piercer is a grim reminder of the vulnerabilities still existing in our cybersecurity posture,” said Vishak Raman, director (security business) at Cisco India and SAARC.
The post details how Armor Piercer distributes malicious documents to deliver RATs and gains access to highly confidential information related to government and defence agencies.
The lures are predominantly operational documents about “Kavach”, a two-factor authentication (2FA) app run by the National Informatics Centre (NIC) and used by government employees to access their email. The campaign hosts its malicious payloads on compromised websites and fake domains, a tactic also associated with Transparent Tribe, another advanced persistent threat group.
NIC did not respond to ET’s email on the matter.
“To ensure end-to-end security of India’s most precious assets and information, the government and the defence agencies must implement a layered defence strategy that enables comprehensive visibility and coverage across all endpoints, accelerates response by leveraging automation and orchestration to enrich data, and reduces massive data sets into actionable insights through AI/ML and data analytics,” Raman said. Essentially, security must not be bolted on, but built into every system and process to ensure infallible protection for people and assets, he added.
The earliest instance of this campaign was observed in December 2020, utilizing malicious MS Office documents, known as maldocs, disguised as security advisories, meeting schedules, software installation guides, etc.
The campaign uses multiple techniques and has evolved to obfuscate itself, persist in the victim’s environment and evade standard detection methods; it continues to operate today, Cisco Talos said.
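The delivery method described above, a lure-themed Office document carrying a macro, is something a mail gateway or analyst can triage before execution. The script below is an added example, not code from Cisco Talos or from the article; it checks whether an attachment is an OLE2 or OOXML Office container, whether it embeds a VBA project, and whether the file name matches the lure themes the article lists (advisories, meeting schedules, installation guides, Kavach). The keyword list, the scoring and the sample attachments are all constructed for illustration; the `_VBA_PROJECT` stream-name check on OLE files is a heuristic, not a full parser.

```python
"""Attachment triage heuristic for macro-bearing Office lures.

Added example, not Cisco Talos code. Sample attachments are constructed
inline; a production pipeline would use a real parser (e.g. oletools).
"""
import io
import zipfile

# Magic bytes of an OLE2 compound file (legacy .doc/.xls/.ppt).
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# Stream names inside an OLE directory are stored as UTF-16LE.
OLE_VBA_MARKER = "_VBA_PROJECT".encode("utf-16-le")
# Lure themes named in the article; the keyword list itself is assumed.
LURE_KEYWORDS = ("advisory", "meeting", "schedule", "install", "kavach")


def office_macro_indicators(filename: str, data: bytes) -> dict:
    """Return container type, macro presence and lure-theme match for one file."""
    result = {
        "filename": filename,
        "container": None,
        "has_vba": False,
        "lure_theme": any(k in filename.lower() for k in LURE_KEYWORDS),
    }
    if data.startswith(OLE_MAGIC):
        result["container"] = "ole"
        # Heuristic: a VBA project leaves a "_VBA_PROJECT" stream in the directory.
        result["has_vba"] = OLE_VBA_MARKER in data
    elif data.startswith(b"PK\x03\x04"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = [n.lower() for n in zf.namelist()]
        except zipfile.BadZipFile:
            return result
        if "[content_types].xml" in names:
            result["container"] = "ooxml"
            # OOXML documents keep macros in a vbaProject.bin part.
            result["has_vba"] = any(n.endswith("vbaproject.bin") for n in names)
    return result


def triage(attachments: dict) -> list:
    """Return names needing analyst review, highest concern first.

    Macro-bearing documents always qualify; macro-free Office files only
    when the name matches a lure theme. Non-Office files are ignored.
    """
    flagged = []
    for name, data in attachments.items():
        ind = office_macro_indicators(name, data)
        if ind["has_vba"]:
            flagged.append((2 if ind["lure_theme"] else 1, name))
        elif ind["container"] and ind["lure_theme"]:
            flagged.append((0, name))
    flagged.sort(key=lambda t: (-t[0], t[1]))
    return [name for _, name in flagged]


def _ooxml(parts: dict) -> bytes:
    """Build a minimal OOXML-style zip with the given parts (constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        for part, body in parts.items():
            zf.writestr(part, body)
    return buf.getvalue()


def build_sample_attachments() -> dict:
    """Constructed samples only; none of these are real campaign artefacts."""
    return {
        "Kavach_Installation_Guide.docm": _ooxml(
            {"word/document.xml": "<w/>", "word/vbaProject.bin": b"\x00" * 16}
        ),
        "Meeting_Schedule.docx": _ooxml({"word/document.xml": "<w/>"}),
        "Security_Advisory.doc": OLE_MAGIC + b"\x00" * 504 + OLE_VBA_MARKER + b"\x00" * 32,
        "Budget.xls": OLE_MAGIC + b"\x00" * 512,
        "notes.txt": b"plain text",
    }


if __name__ == "__main__":
    for name in triage(build_sample_attachments()):
        print("review:", name)
```

Run as a script, it lists the two macro-bearing samples first and the macro-free but lure-themed `Meeting_Schedule.docx` last; the plain `Budget.xls` and the text file are not flagged. The ordering is deliberate: a macro plus a lure-themed name is the combination the article describes, so it sorts above either signal alone.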
Cisco Talos comprises researchers, analysts and engineers and is one of the largest commercial threat intelligence teams in the world, according to its website. Since July, Talos researchers have observed file enumerators being deployed alongside the RATs, indicating that the attackers are expanding their arsenal against their targets: defence and government personnel in India.