Security researchers discover a rare ongoing cyber-espionage campaign targeting Indian diplomatic and military personnel

Mar 7, 2016 12:48 GMT

In a rare incident, security researchers from Proofpoint are reporting on an ongoing cyber-espionage campaign that's currently still taking place against Indian officials.

Named Operation Transparent Tribe, this campaign was first detected on February 11, 2016, when Proofpoint's security team was alerted by two different spear-phishing emails received by officials at the Indian embassies in Saudi Arabia and Kazakhstan, both sent from the same IP address.

This convinced Proofpoint researchers to take a closer look at the emails, and they're now saying in their most recent report that this attack is part of a larger operation that has targeted a large number of Indian officials, not just embassy employees.

Threat group operates via spear-phishing and watering hole attacks

Previous targets included both diplomatic and military resources, but most of the spear-phishing attacks focused on military personnel.

The threat group behind this attack is using spear-phishing emails that contain casual news snippets of interest to their targets, usually current news stories.

The links in these malicious emails redirect victims to various sites where the group carries out watering hole attacks, or sometimes link directly to applications that eventually infect the victim with a new RAT (Remote Access Trojan), which Proofpoint has named MSIL/Crimson.

Despite being a newly discovered threat, this RAT is quite an advanced cyber-espionage tool, capable of stealing various types of data from the local computer and sending it to a C&C server.

Threat group uses a new RAT to spy on its victims

MSIL/Crimson can collect data through keyloggers, take screenshots of the desktop, record audio and video via the microphone and webcam, and steal data from email clients.

Proofpoint has not managed to identify who is behind this threat, but this may be because they don't have enough data to look at. In an interview with Threat Post, Kevin Epstein, VP of Proofpoint's threat operations center says that this campaign is still going on as we speak.

This is an unusual situation because most similar cyber-espionage campaigns are uncovered years after they took place, by which time cyber-security vendors have large amounts of log data to draw on when forming an opinion of how the attack happened and who was behind it.

"While our investigation of this threat is ongoing, this serves as an important reminder that wars are no longer waged solely on the ground or in the air," the Proofpoint team explains. "Rather, threat actors (whether from nation-states or private parties with interests in international conflicts) will use a variety of cyber tools to achieve their goals."

Image: Indian officials targeted in ongoing cyber-espionage campaign
Image: Sample of one of the phishing emails used as lure