Researchers from FireEye and ThreatConnect recently conducted a joint investigation into a series of targeted attacks that could be linked to Pakistan.
The experts dubbed the campaign Operation Arachnophobia, a series of attacks that began in early 2013 and appears to have involved a Pakistani security firm.
Researchers identified a custom malware family dubbed Bitterbug used to compromise victims and steal sensitive information. Although the researchers have not identified the targeted organizations, the backdoor was delivered through specially crafted documents related to Indian issues.
Security experts know very well that India-based hackers have in the past conducted cyber espionage operations against organizations and private companies in Pakistan; Operation Arachnophobia could be the response to those cyber attacks.
“It was engineered to collect standard Office documents on your desktop,” says Rich Barger, chief intelligence officer at ThreatConnect. “It was very close to Operation Hangover activity… for which India was purportedly responsible.”
The experts discovered that the bad actors behind Operation Arachnophobia hosted the Bitterbug malware on pilfered US virtual private server space to mask its origins. The investigators speculate that the Pakistani hosting provider VPSNOC leased its command and control infrastructure from a US virtual private server provider so that the attacks would appear to come from the US.
“The threat actors utilized a hosting provider that is a Pakistani-based company with subleased VPS space within the U.S. for command and control (C2),” the report states.
“It’s where the malware is hosted and used for command and control,” added Rich Barger.
Another relevant finding is that the Bitterbug backdoor used by the bad actors has only been observed hosted on, and communicating with, two IP addresses operated by the above Pakistan-based hosting provider.
Why did the experts speculate on the possible involvement of a Pakistani security firm?
Because early variants of the BITTERBUG malware detected by the researchers included build paths containing the strings “Tranchulas” and “umairaziz27”; Tranchulas is the name of a Pakistani security firm and Umair Aziz is one of its employees.
“The ‘Tranchulas’ name was in a string” of the malware, confirmed Mike Oppenheim, principal threat intelligence analyst at FireEye. Tranchulas was supposedly a security company with both defensive and offensive cyber capabilities.
Once the experts published the details of the investigation, including their hypothesis about the security firm's involvement, the bad actors released a new variant whose binary build paths had been modified to make them more generic.
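The build-path artifact described above is the kind of thing a triage script can pull out of a sample and compare against known attribution strings. The following is an added example, not code from the article or from the FireEye/ThreatConnect report: it extracts Windows-style PDB/build paths from a raw binary blob and flags the two strings the report associated with early BITTERBUG builds. The two sample blobs are constructed for illustration and are not real Bitterbug bytes; note that a path with no marker, as in the later variant, still gives a build path worth clustering on even though it attributes nothing.

```python
import re

# A Windows build/PDB path as it appears in a compiled binary: drive letter,
# backslash, printable characters, ending in ".pdb". Assumption: the path is
# stored as plain ASCII (typical for the CodeView "RSDS" record).
BUILD_PATH_RE = re.compile(rb"[A-Za-z]:\\[\x20-\x7e]{1,255}?\.pdb", re.IGNORECASE)

# Strings the report tied to early BITTERBUG builds (taken from the article).
ATTRIBUTION_MARKERS = ("tranchulas", "umairaziz27")


def find_build_paths(blob: bytes) -> list[str]:
    """Return every PDB/build path embedded in the blob, in file order."""
    return [m.group(0).decode("ascii", "replace") for m in BUILD_PATH_RE.finditer(blob)]


def flag_attribution(paths: list[str], markers=ATTRIBUTION_MARKERS) -> dict[str, list[str]]:
    """Map each marker to the build paths that contain it (case-insensitive)."""
    hits: dict[str, list[str]] = {}
    for marker in markers:
        matched = [p for p in paths if marker.lower() in p.lower()]
        if matched:
            hits[marker] = matched
    return hits


def triage(blob: bytes) -> dict:
    """Summarise build paths and attribution hits for one sample."""
    paths = find_build_paths(blob)
    return {"build_paths": paths, "attribution_hits": flag_attribution(paths)}


# Constructed stand-ins for an early and a later sample (not real malware bytes):
# a fake DOS header, padding, an "RSDS" CodeView tag, then the PDB path.
EARLY_SAMPLE = (b"MZ\x90\x00" + b"\x00" * 16 + b"RSDS" + b"\x00" * 20
                + b"C:\\Users\\umairaziz27\\Projects\\Tranchulas\\Release\\bb.pdb\x00")
LATER_SAMPLE = (b"MZ\x90\x00" + b"\x00" * 16 + b"RSDS" + b"\x00" * 20
                + b"D:\\build\\Release\\client.pdb\x00")

if __name__ == "__main__":
    for name, blob in (("early", EARLY_SAMPLE), ("later", LATER_SAMPLE)):
        print(name, triage(blob))
```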
Another interesting finding by the analysts is that employees of both VPSNOC and Tranchulas share the same network of contacts on social media, although the Pakistani security firm denies any connection.
“We know about Russia and China… India and Pakistan has room to grow and mature,” Barger says.
The confrontation in the fifth domain of warfare, cyberspace, is also shaped by new actors that were underestimated in the past and are now building up their cyber capabilities; think of Iran, North Korea and Pakistan itself.
Any analysis of the current political context cannot ignore them.
Further details on the Operation Arachnophobia campaign are included in the full report.
(Security Affairs – Pakistan, Operation Arachnophobia)