- A group of Asian hackers is targeting Indian government organisations with malware and trojans, according to an investigation by Positive Technologies.
- The group has been active since 2016, and some of its IP addresses have been traced back to Chinese internet providers.
- The hackers reportedly stole confidential data from internal servers after compromising victims' local networks.
A hacker group dubbed Calypso APT has been using stolen credentials and remote code execution vulnerabilities to break into government networks. More than one-third of its attacks have been aimed at India.
The data obtained by Positive Technologies indicates that the APT group is of Asian origin and Chinese-speaking. In some of the observed attacks, the perpetrators accidentally revealed their real IP addresses, which belonged to Chinese internet providers.
According to Positive Technologies, the group first caught their attention in March 2019 but further investigation showed that the attackers have been operational since at least September 2016.
Hacking Indian government organisations
The hackers breached the network perimeter and installed a custom implant, which then gave them access to the internal network of the organisation they were attacking.
"These attacks succeeded largely because most of the utilities the group uses to move inside the network are widely used by the specialists everywhere for network administration," said Denis Kuvshinov, lead specialist in threat analysis at Positive Technologies, in a statement.
According to Kuvshinov, the hackers used widely available tools such as SysInternals and Mimikatz, together with the EternalBlue and EternalRomance SMB exploits, to move laterally through local networks and siphon off confidential data. On compromised hosts they installed malware including Calypso RAT, PlugX and the Byeby trojan, the last of which was also used in the Sony XY malware campaign in 2017.
In older operating systems like Windows XP and Windows Server 2003, the malware could be found in C:\RECYCLER. In newer operating systems, the trojan was installed in C:\ProgramData.
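The two drop locations above give a defender a cheap hunt. The following script is an added example, not code from the article or from Positive Technologies: it flags executable files sitting directly in C:\RECYCLER or C:\ProgramData. The heuristic that legitimate software keeps binaries in vendor sub-folders rather than in those roots is an assumption of this example, as are the file names in the constructed sample listing; C:\RECYCLER itself only exists on Windows XP and Server 2003 (Vista and later use C:\$Recycle.Bin), so finding it on a newer host is a second reason to look.

```python
import os
from pathlib import PureWindowsPath

# Drop directories named in the article (compared case-insensitively).
DROP_DIRS = {"c:\\recycler", "c:\\programdata"}

# Assumption (heuristic, not from the article): RECYCLER normally holds only
# per-user SID sub-folders and ProgramData only vendor sub-folders, so an
# executable placed directly in either root is anomalous.
EXEC_EXT = {".exe", ".dll", ".sys", ".scr", ".com"}


def is_suspicious(path: str) -> bool:
    """True if `path` is an executable located directly in a known drop directory."""
    p = PureWindowsPath(path)
    return str(p.parent).lower() in DROP_DIRS and p.suffix.lower() in EXEC_EXT


def suspicious_paths(listing):
    """Filter an arbitrary file listing (e.g. from a forensic image) down to hits."""
    return sorted(p for p in listing if is_suspicious(p))


def scan_host(roots=("C:\\RECYCLER", "C:\\ProgramData")):
    """Live check on a Windows host: look one level deep in each drop directory.

    On a non-Windows machine the roots do not exist and the result is empty."""
    found = []
    for root in roots:
        if os.path.isdir(root):
            with os.scandir(root) as entries:
                found.extend(e.path for e in entries if e.is_file())
    return suspicious_paths(found)


# Constructed sample listing; the file names are invented for illustration and
# are not indicators published for this group.
SAMPLE_LISTING = [
    r"C:\RECYCLER\S-1-5-21-1234567890-1234567890-1234567890-1001\desktop.ini",
    r"C:\RECYCLER\svchost.exe",
    r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini",
    r"C:\ProgramData\update.dll",
    r"C:\ProgramData\Vendor\vendor_agent.exe",
    r"C:\Windows\System32\svchost.exe",
]

if __name__ == "__main__":
    for hit in suspicious_paths(SAMPLE_LISTING):
        print("suspicious:", hit)
    for hit in scan_host():
        print("live hit:", hit)
```

On the sample listing only the two files placed directly in the drop roots are reported; the SID sub-folder, the vendor sub-folder and the real System32 svchost.exe are left alone. Treat a hit as a lead to pull the file's hash, signature and creation time, not as a verdict on its own.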
While most of the group's attacks were against Indian government organisations, it also targeted organisations in Brazil, Kazakhstan, Russia, Thailand and Turkey.