'Operation Shaheen' : Pakistani Military hit by Cyber Attack of 'The White Company'

Posted by Sumanta (Active member, Mar 9, 2018, West Bengal, India)

Scare Force: Pakistan military hit by Operation Shaheen malware
State-sponsored attack looks to infiltrate nuclear Air Force

By Shaun Nichols in San Francisco 12 Nov 2018 at 22:14


The Pakistan Air Force is the apparent target of a complex new state-sponsored attack campaign.

Security house Cylance said this week a state-sponsored group – dubbed the White Company by researchers – has been looking to get into the networks of the Pakistani military in a long-term targeted attack campaign known as Operation Shaheen.

Over the last year, Cylance claims, the White Company group has been targeting members of the Air Force with phishing emails that contain remote access trojans which, in turn, install logging and command-and-control malware payloads if activated.

Operating in part behind the facade of a Belgian locksmith business, Operation Shaheen had at first sent out phishing emails with links to compromised websites, then later switched to emails with infected Word documents attached.

In both cases, the researchers found, the emails were specifically crafted to reference topics that would be relevant to appeal to the targets: the Pakistani Air Force, the Pakistani government, and Chinese Military and advisers in Pakistan.

"We cannot say with precision where those documents went, or which were successful. However, we can say that the Pakistan Air Force was a primary target," Cylance said.

"This is evident by the overriding themes expressed in document file names, the contents of the decoy documents, and the specificity employed in the military-themed lures."

Once infected, the malware looks to cover up its tracks by layering the payload within multiple packing layers and by evading antivirus packages, currently going undetected by Sophos, ESET, Kaspersky, BitDefender, Avira, Avast, AVG, and Quickheal.

This has led the researchers to conclude that the group behind Operation Shaheen, the White Company, is a state-sponsored group with ample resources to carry out extended espionage campaigns.

Nailing down who exactly is behind the group, however, is proving more difficult for Cylance as there is no shortage of groups, both domestic and foreign, who would have an interest in spying on the Pakistani Air Force.

"Pakistan is a tumultuous, nuclear-armed nation with a history of explosive internal politics. Their position on the geopolitical chessboard makes them an obvious target of all the nation states with well-developed cyber programs (i.e. the Five Eyes, China, Russia, Iran, DPRK, Israel)," the Cylance report notes.

"They also draw attention from emerging cyber powers like India and the Gulf nations." ®
 
Whenever such embarrassing incidents happen to Pakistan I ask myself a very simple question, "Who stands to gain the most from it?" and the answer in almost every case like this one has turned out to be India. Although there is no concrete evidence to suggest that this relatively new APT group is Indian (or of any country for that matter), I always come back to this cost-benefit analysis and the answer always turns out to be India. I don't see how and why the US or Israel would stand to gain from attacking the PAF. Another interesting thing mentioned in the report was that the decoy documents had references to China, Pakistan and Turkey themes, which just solidifies the could-be fact that this APT may very well be Indian. @Ashwin @randomradio @Defc0n your thoughts on my point?
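The article describes two lure styles used against the targets: emails carrying links to compromised websites, and later emails with Word documents attached. The script below is an added example of the kind of inbound-mail triage a defender would run against that pattern; it is not code from the article, from Cylance, or from the forum. It uses only the Python standard library. The sample message, its addresses, host names and attachment name are all constructed placeholders, not indicators from the report.

```python
"""Triage of inbound mail for the two lure patterns the article describes:
links to external hosts and attached Word documents.

Added example, not code from the article or the Cylance report. Every
address, host name and file name below is a constructed placeholder."""
import email
import re
from email import policy
from email.message import EmailMessage
from urllib.parse import urlparse

# Word document extensions, including the macro-enabled variants.
WORD_EXTENSIONS = (".doc", ".docx", ".docm", ".dot", ".dotm", ".rtf")
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def build_sample_message() -> bytes:
    """Constructed sample lure: one external link plus one .doc attachment.
    Names are placeholders (assumption: the .test TLD is never routable)."""
    msg = EmailMessage()
    msg["From"] = "procurement@locksmith-example.test"
    msg["To"] = "officer@airforce.example.test"
    msg["Subject"] = "Updated advisory for review"
    msg.set_content(
        "Please review the attached document.\n"
        "Background: http://news-mirror.example.test/advisory.html\n"
    )
    msg.add_attachment(
        b"\xd0\xcf\x11\xe0placeholder-bytes",  # not a real OLE file
        maintype="application", subtype="msword",
        filename="Security-LAW-Notes.doc",
    )
    return msg.as_bytes()


def extract_urls(msg: EmailMessage) -> list[str]:
    """Collect http(s) URLs from every inline text part of the message."""
    urls = []
    for part in msg.walk():
        if part.get_content_maintype() == "text" and not part.is_attachment():
            urls.extend(URL_RE.findall(part.get_content()))
    return urls


def word_attachments(msg: EmailMessage) -> list[str]:
    """Return the file names of attachments that look like Word documents."""
    names = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if name.lower().endswith(WORD_EXTENSIONS):
            names.append(name)
    return names


def triage(raw: bytes, trusted_domains: set[str]) -> dict:
    """Score a raw RFC 822 message and decide whether to hold it.

    Scoring is deliberately simple and is an assumption of this example:
    +1 external sender, +1 per distinct external URL, +2 per Word attachment.
    A score of 2 or more is quarantined for analyst review."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    sender = str(msg.get("From", "")).lower()
    sender_domain = sender.rsplit("@", 1)[-1].strip("> ") if "@" in sender else ""
    external_urls = sorted({
        u for u in extract_urls(msg)
        if (urlparse(u).hostname or "") not in trusted_domains
    })
    docs = word_attachments(msg)

    score = 0
    if sender_domain and sender_domain not in trusted_domains:
        score += 1
    score += len(external_urls)
    score += 2 * len(docs)

    return {
        "sender_domain": sender_domain,
        "external_urls": external_urls,
        "word_attachments": docs,
        "score": score,
        "verdict": "quarantine" if score >= 2 else "deliver",
    }


if __name__ == "__main__":
    print(triage(build_sample_message(), {"airforce.example.test"}))
```

The point of the score is not the exact weights but the combination: a Word attachment from an outside sender, or an outside link plus an outside sender, is enough to hold the message, which is what separates a themed lure from ordinary external correspondence. In production the held messages would go on to macro inspection and URL detonation; this example stops at the routing decision.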
 
> Whenever such embarrassing incidents happen to Pakistan I ask myself a very simple question, "Who stands to gain the most from it?" and the answer in almost every case like this one has turned out to be India. Although there is no concrete evidence to suggest that this relatively new APT group is Indian (or of any country for that matter), I always come back to this cost-benefit analysis and the answer always turns out to be India. I don't see how and why the US or Israel would stand to gain from attacking the PAF. Another interesting thing mentioned in the report was that the decoy documents had references to China, Pakistan and Turkey themes, which just solidifies the could-be fact that this APT may very well be Indian. @Ashwin @randomradio @Defc0n your thoughts on my point?

It's just a case of possibility - in the recent past quite a few incidents inside Pakistan have raised the eyebrows of people who follow this stuff. I disagree with the part that the US and Israel don't have anything to gain from this - the reason is that the PAF is heavily China-reliant, so it's possible that the actual target was something else. However, yes, I agree that India stands to gain a lot more. But that's the thing: at this point everything we say is merely speculation.
 
> It's just a case of possibility - in the recent past quite a few incidents inside Pakistan have raised the eyebrows of people who follow this stuff. I disagree with the part that the US and Israel don't have anything to gain from this - the reason is that the PAF is heavily China-reliant, so it's possible that the actual target was something else. However, yes, I agree that India stands to gain a lot more. But that's the thing: at this point everything we say is merely speculation.

But wouldn't the US or Israel directly target China, considering they are part of the Five Eyes and do possess the capabilities to hamper China as well? I mean, if the PAF was attacked for whatever China-related intel, I am sure China has it too on their servers. So why not attack China directly? Maybe to avoid giving them the chance to retaliate? Yeah, it's like you said, at this point it's all speculation, but I have a feeling it's Indian.
Btw, could you please guide me to people who follow this stuff and know more about it? I have been an admirer of APT groups for some time now.
 
> Whenever such embarrassing incidents happen to Pakistan I ask myself a very simple question, "Who stands to gain the most from it?" and the answer in almost every case like this one has turned out to be India. Although there is no concrete evidence to suggest that this relatively new APT group is Indian (or of any country for that matter), I always come back to this cost-benefit analysis and the answer always turns out to be India. I don't see how and why the US or Israel would stand to gain from attacking the PAF. Another interesting thing mentioned in the report was that the decoy documents had references to China, Pakistan and Turkey themes, which just solidifies the could-be fact that this APT may very well be Indian. @Ashwin @randomradio @Defc0n your thoughts on my point?

Could be anyone. Any country gets to gain from such attacks.
> Whenever such embarrassing incidents happen to Pakistan I ask myself a very simple question, "Who stands to gain the most from it?" and the answer in almost every case like this one has turned out to be India. Although there is no concrete evidence to suggest that this relatively new APT group is Indian (or of any country for that matter), I always come back to this cost-benefit analysis and the answer always turns out to be India. I don't see how and why the US or Israel would stand to gain from attacking the PAF. Another interesting thing mentioned in the report was that the decoy documents had references to China, Pakistan and Turkey themes, which just solidifies the could-be fact that this APT may very well be Indian. @Ashwin @randomradio @Defc0n your thoughts on my point?

Ok, I found out. White Company is an Indian APT group and I can say this with absolute certainty. Here is the proof: the maldoc (China-Pakistan-Internet-Security-LAW_2017.doc) used by them in Op Shaheen (or, as I like to call it now, Op Garud) is the same, and this maldoc was reported by AlienVault as well in 2018. The hash of the maldoc reported in AlienVault's report and the one by Cylance is the same too when seen in VirusTotal! Even though the size of the same maldoc differs a bit (in AlienVault's it's 300-some KB and in Cylance's it's 500-some KB), as Cylance reported, a very high level of obfuscation was used in this op, which obviously increases the size of the maldoc. There is also this thread on Twitter which says the same thing, and another reputed threat hunter said White Company is Indian. Oml, people, I am actually in awe at the sophistication of our cyberwarfare. The fact that we can compromise the systems of our enemies with such lethality! This new state APT of ours actually brings us into the league of the Five Eyes 🇮🇳
@Defc0n @randomradio @Sahoo