India’s government and energy sector targeted in cyberespionage operation

The operation, labeled ‘Operation FlightNight,’ resulted in 8.81 GB of data stolen.


A cyberespionage campaign targeting Indian government agencies and the country's energy sector has been uncovered. The operation relies on a modified version of HackBrowserData, an open-source tool that collects browser login credentials, cookies, and browsing history.

Researchers at EclecticIQ, a Netherlands-based cybersecurity firm, discovered the campaign in early March. They stopped short of attributing it to a specific actor, but their findings, published later in March, show that the intruders exfiltrated 8.81 GB of data from their targets. The analysts caution that this haul could enable deeper intrusions into India's government infrastructure.

According to the researchers, the payload reached its targets through a phishing PDF posing as an invitation letter from the Indian Air Force. The original PDF is believed to have been stolen in an earlier breach and repurposed by the attackers. The document looked harmless, but it concealed an LNK shortcut file that led to the malware. Once executed, the malware immediately began exfiltrating documents and cached browser data to designated channels on the corporate messaging platform Slack. The stolen material included confidential documents, private emails, and cached browser data. When harvesting files, the malware is selective, targeting specific extensions such as Microsoft Office documents, PDFs, and SQL database files, presumably to speed up the theft.
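One way a defender could hunt for the behaviour described above over endpoint telemetry: a process that bulk-reads Office, PDF and SQL database files and also talks to Slack, while not being a browser or the Slack client. This is an added illustration, not code from the EclecticIQ report; the extension list, Slack host names, client allowlist, threshold and sample events are all assumptions or constructed values.

```python
import ntpath
from collections import defaultdict

# Assumed mapping of the article's "Office documents, PDFs and SQL database files"
DOC_EXTS = {".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf", ".sql", ".db"}
SLACK_HOSTS = {"slack.com", "files.slack.com"}  # assumed exfiltration destinations
EXPECTED_SLACK_CLIENTS = {"slack.exe", "chrome.exe", "msedge.exe", "firefox.exe"}  # assumed
MIN_DOC_READS = 5  # assumed threshold; tune to the environment

def find_exfil_candidates(events, min_doc_reads=MIN_DOC_READS):
    """Return {pid: summary} for processes that read >= min_doc_reads document files
    and also connected to a Slack host without being a known Slack client.
    Each event: {"pid", "image", "kind": "file_read"|"net_connect", "target"}."""
    doc_reads, slack_hosts, images = defaultdict(int), defaultdict(set), {}
    for ev in events:
        pid = ev["pid"]
        images[pid] = ev["image"].lower()
        if ev["kind"] == "file_read":
            # ntpath parses Windows paths correctly even when run on another OS
            if ntpath.splitext(ev["target"])[1].lower() in DOC_EXTS:
                doc_reads[pid] += 1
        elif ev["kind"] == "net_connect" and ev["target"].lower() in SLACK_HOSTS:
            slack_hosts[pid].add(ev["target"].lower())
    return {
        pid: {"image": images[pid], "doc_reads": doc_reads[pid], "hosts": sorted(hosts)}
        for pid, hosts in slack_hosts.items()
        if doc_reads[pid] >= min_doc_reads and images[pid] not in EXPECTED_SLACK_CLIENTS
    }

def _ev(pid, image, kind, target):
    return {"pid": pid, "image": image, "kind": kind, "target": target}

# Constructed sample telemetry (not real logs): a browser touching one PDF and Slack,
# an unknown binary sweeping documents then uploading to Slack, and Excel with no network.
DOCS = r"C:\Users\u\Documents"
SAMPLE_EVENTS = [
    _ev(1001, "chrome.exe", "net_connect", "slack.com"),
    _ev(1001, "chrome.exe", "file_read", r"C:\Users\u\Downloads\report.pdf"),
    *[_ev(2002, "updater.exe", "file_read", DOCS + "\\" + name)
      for name in ("budget.xlsx", "tender.docx", "sites.pdf", "hr.db", "dump.sql", "cat.png")],
    _ev(2002, "updater.exe", "net_connect", "files.slack.com"),
    _ev(3003, "excel.exe", "file_read", DOCS + r"\q1.xlsx"),
]

if __name__ == "__main__":
    for pid, info in find_exfil_candidates(SAMPLE_EVENTS).items():
        print(f"pid {pid} ({info['image']}): {info['doc_reads']} doc reads -> {info['hosts']}")
```

The rule deliberately ignores processes that only read documents or only reach Slack, so a legitimate editor or the real Slack client does not fire; pair it with file-count thresholds appropriate to the host's normal workload.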

The affected entities include Indian agencies responsible for electronic communications, IT governance, and national defence. From private energy companies, the attackers stole financial records, employee details, and information on oil and gas drilling activities.

Although the threat actor remains unidentified, similarities in the malware and in the delivery-method metadata point strongly to a link with an earlier attack reported in January. In that incident, threat actors targeted Indian Air Force personnel with a credential-stealing malware dubbed GoStealer.

In EclecticIQ's assessment, both operations most likely originate from the same threat actor, one focused on infiltrating Indian government bodies.