India's government, energy sector breached in cyber-espionage campaign

Researchers have uncovered a new espionage campaign targeting Indian government agencies and the country’s energy industry with a modified version of an open-source information stealer called HackBrowserData that can collect browser login credentials, cookies and history.

Researchers at Dutch cybersecurity company EclecticIQ discovered the campaign in early March but didn’t attribute it to a specific threat actor. According to their research, published Wednesday, the hackers exfiltrated 8.81 GB of data from victims. This data could aid further intrusions into the Indian government's infrastructure, the analysts said.

The information stealer was delivered to its victims via a phishing PDF document disguised as an invitation letter from the Indian Air Force. Researchers suggest that the original PDF file was very likely stolen during a previous intrusion and was repurposed by the attackers.

The document itself looked harmless but included a shortcut — a LNK file — pointing to the malware. Once executed, the malware immediately began exfiltrating documents and cached web browser data from the victim's device to channels on the workplace app Slack. The stolen information included internal documents, private email messages and cached web browser data.

EclecticIQ analysts dubbed this campaign “Operation FlightNight” because each of the attacker-operated Slack channels was named “FlightNight.”

During data exfiltration the malware is designed to target only specific file extensions, such as Microsoft Office documents (Word, PowerPoint, Excel), PDF files, and SQL database files on victim devices, very likely to increase the speed of the data theft. 

The victimized government entities included Indian agencies responsible for electronic communications, IT governance and national defense. From the private energy companies, the hackers exfiltrated financial documents, personal details of employees and details about drilling activities in oil and gas.

Although the hacker group behind this campaign wasn’t identified, the similarities in the malware and the delivery technique's metadata “strongly indicate” a connection with an attack reported earlier in January when cybercriminals targeted Indian Air Force officials with a credential stealer malware called GoStealer.

During that campaign, the delivered malware was a variant of a GoStealer, based on open-source malware found on GitHub. It targeted a variety of browsers — Firefox, Google Chrome, Edge, and Brave — and exfiltrated data using Slack.

According to EclecticIQ, both campaigns are likely the work of the same threat actor targeting Indian government entities.

“Operation FlightNight and the Go-Stealer campaign highlight a simple yet effective approach by threat actors to use open-source tools for cyber espionage,” researchers said.