Cybersecurity tech firm Symantec recently published a report on the activities of Suckfly, an advanced cyber espionage group that conducted long-term espionage campaigns against high-profile targets, including government and commercial organizations in India.
Symantec identified a number of attacks over a two-year period, beginning in April 2014. These attacks occurred in several different countries, but Symantec’s investigation revealed that the primary targets were individuals and organizations located in India.
The Indian targets show a greater amount of post-infection activity than targets in the other regions. This suggests that these attacks were part of a planned operation against specific targets in India. The Symantec blog on the activities of Suckfly takes an in-depth look at its activities in India along with its attack lifecycle.
Symantec identified well-known commercial organizations in India which were affected by this attack. These organizations include one of India’s largest financial organizations; two government organizations; a large e-commerce company and its primary shipping vendor; a major Indian shipping company, and one of India’s top five IT firms which provides support to India’s largest stock exchange.
All of these targets are large corporations that play a major role in India’s economy. Attacking one of these organizations would be detrimental to that organization. By targeting all of these organizations together, Suckfly could have had a much larger impact on India and its economy.
Suckfly spent more time attacking the government networks than on all but one of the commercial targets. Additionally, one of the two government organizations had the highest infection rate of the Indian targets.
This department is linked to departments of India’s central government and is responsible for implementing network software for different ministries and departments.
The high infection rate for this target was likely because of the organization’s access, technology, and information that it has on other Indian government organizations.
Suckfly’s attacks on government organizations that provide information technology services to other government branches are not limited to India. The group has conducted attacks on similar organizations in Saudi Arabia, likely because of the access that those organizations have.
In addition to the above, Suckfly also infected systems of an Indian business unit of a US-based health care provider.
According to the report, Suckfly has the resources to develop malware, purchase infrastructure, and conduct targeted attacks for years while staying off the radar of security organizations.
Symantec believes that Suckfly will continue to target organizations in India, and similar organizations in other countries to provide economic insight to the organization behind Suckfly’s operations.
In 2015, Symantec’s Internet Security Threat Report (ISTR) had highlighted the rise in targeted attacks aimed at Indian businesses dealing with critical infrastructure.
Further, the latest edition of the report (ISTR 21) highlighted that Indian organizations were the 6th most targeted in Asia, with targeted organizations on the receiving end of two attacks on average. 40 percent of BFSI (banking, financial services and insurance) businesses were also attacked at least once.
Symantec has the following detections in place to protect against Suckfly’s malware:
Web Attack: Microsoft OleAut32 RCE CVE-2014-6332
Web Attack: Microsoft OleAut32 RCE CVE-2014-6332 2
Web Attack: Microsoft OleAut32 RCE CVE-2014-6332 4
Web Attack: OLEAUT32 CVE-2014-6332 3
System Infected: Trojan.Backdoor Activity 120