Pierluigi Paganini
May 19, 2016
A group of high professional hackers called Suckfly is targeting organizations in India, according to the experts at Symantec the crew conducted long-term espionage campaigns against the country.
Symantec did not disclose the names of the targeted organizations, it only revealed that the list of the victims includes one of India’s largest financial institutions, a top five IT firm, two government organizations, another a large e-commerce company, and the Indian business unit of a US healthcare company.
In March 2016, experts from Symantec, discovered Suckfly targeting South Korean organizations, the hackers were searching for digital certificates to steal. Later the group launched long-term espionage campaigns against organizations across the world, most of them located in India.
“In March 2016, Symantec published a blog on Suckfly, an advanced cyberespionage group that conducted attacks against a number of South Korean organizations to steal digital certificates. Since then we have identified a number of attacks over a two-year period, beginning in April 2014, which we attribute to Suckfly. The attacks targeted high-profile targets, including government and commercial organizations.” states a blog post published by Symantec. “These attacks occurred in several different countries, but our investigation revealed that the primary targets were individuals and organizations primarily located in India.”
The principal weapon in the arsenal of the Suckfly group is the a backdoor called Nidiran that leverage Windows known vulnerabilities to compromise the targets and move laterally within the corporate network.
The experts noticed that the group spent a significant effort to compromise an Indian government department that installs network software for other ministries and departments.
Symantec analyzed the tactics, techniques, and procedures (TTPs) of the hacker group profiling the modus operandi of the attackers. The hackers use to identify employees in the target organization trying to compromise their systems, likely through a spear-phishing attack.
Once inside the target network, the hackers search for other targets to compromise by using hacking tools to move laterally and escalate privileges.
The nature of the targets, the TTPs of the Suckfly group and the working days in which the group is active (The group operates from Monday to Friday) led the experts into believing that it is a nation-state actor.
“These steps were taken over a 13-day period, but only on specific days. While tracking what days of the week Suckfly used its hacktools, we discovered that the group was only active Monday through Friday. There was no activity from the group on weekends. We were able to determine this because the attackers’ hacktools are command line driven and can provide insight into when the operators are behind keyboards actively working. Figure 4 shows the attackers’ activity levels throughout the week. This activity supports our theory, mentioned in the previous Suckfly blog, that this is a professional organized group.” states Symantec.
Who is behind the Suckfly group?
It is hard to link the Suckfly group to a specific Government, Symantec highlighted that its targets have been India, South Korea, Saudi Arabia, and India.
Giving a look to the C&C infrastructure used by the group, we can notice that several domains were registered by users with the addresses of the Russian email service provider Yandex. Of course, this information alone gives us no added value for the attribution, the unique certainly is that the hackers will continue their campaign in the next months.
“The nature of the Suckfly attacks suggests that it is unlikely that the threat group orchestrated these attacks on their own. We believe that Suckfly will continue to target organizations in India and similar organizations in other countries in order to provide economic insight to the organization behind Suckfly’s operations.” states Symantec.
(Security Affairs – Suckfly group, cyber espionage)
