An Indian cyber mercenary for hire? Bad OPSEC and global footprint

Cisco Talos has just published a report unmasking an Indian cyber actor.

The specific operation under investigation had been in progress since 2015. iPhone malware was deployed through an open-source mobile device management (MDM) suite and targeted exactly 13 phones, which points to a very focused effort.

But the operator has only itself to blame for getting exposed: it followed terrible OPSEC practices.

Firstly, the C&C servers weren't hardened at all. It seems that Talos scooped up the priceless operational and configuration data lying on them. The exploit writers tested the malware on their own phones, and their phone numbers appear to have been logged by the C&C.

While half-hearted attempts were made to masquerade as Russian hackers, the attribution is foolproof: the test numbers belonged to Indian mobile networks. The rest of the targets, too, were Indian.

A quick, 15-minute search of the internet turns up some more glaring OPSEC fails.

The cardinal rule of cyber operations is to never reuse attack infrastructure, no matter how miserly you are. Even the NSA (FOXACID) and the CIA (Vault7) made similar mistakes.

One of the domains used in the operation, wpitcher[.]com, pointed to the name servers of an Indian hosting company, ServerGuy, immediately after registration. You don't leave a domestic footprint unless you have a death wish. The gentleman at the helm of ServerGuy has an interesting professional background, too.

The second domain, voguextra[.]com, had already been flagged in 2017 and squarely linked to Bahamut, a cyber-espionage nexus targeting Egyptian journalists, Qatari labour rights activists, Kashmiri terror organisations and foreign policy institutions in other Gulf states. That's like putting all your eggs in one basket: no compartmentalisation at all.

Bahamut also has noted similarities with Operation Kingfish, which targeted civil society in Qatar and Nepal and was discovered by Amnesty International in 2017. Last but not least, in 2016 Kaspersky stumbled upon a zero-day vulnerability in the InPage word processor (prevalent in Arabic- and Urdu-speaking geographies) that was used to hack into Asian banks, and it was linked to one of the operator's secondary domains.
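The two fails above (a domestic nameserver footprint, and domains and hosts shared with an earlier campaign) are exactly what an analyst pivots on. Here is an added example of that pivot, written for this page and not taken from the Talos report or from the post's author. Every passive-DNS-style record, nameserver name, IP address and the "Bahamut-2017" indicator set below is constructed for illustration and is not real data for these domains; the shared-IP check goes slightly beyond the post, which only mentions domain-level reuse.

```python
"""Infrastructure-overlap checks over passive-DNS-style records.

Added example; not code from the Talos report or the post's author.
All records, nameserver names, IPs and the indicator set are CONSTRUCTED
for illustration and are not real observations for these domains.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class DnsRecord:
    domain: str
    rtype: str        # "NS" or "A"
    value: str
    first_seen: date


# Constructed passive-DNS-style observations (illustrative, not real data).
RECORDS = [
    DnsRecord("wpitcher[.]com", "NS", "ns1.serverguy.example", date(2017, 8, 1)),
    DnsRecord("wpitcher[.]com", "A", "203.0.113.10", date(2017, 8, 2)),
    DnsRecord("voguextra[.]com", "NS", "ns1.cheap-dns.example", date(2016, 11, 5)),
    DnsRecord("voguextra[.]com", "A", "198.51.100.7", date(2016, 11, 6)),
    DnsRecord("voguextra[.]com", "A", "203.0.113.10", date(2018, 1, 3)),
    DnsRecord("unrelated.example", "NS", "ns1.bigcloud.example", date(2018, 3, 1)),
]

# Constructed: nameserver suffixes of hosting providers in the operator's home country.
DOMESTIC_NS_SUFFIXES = ("serverguy.example",)

# Constructed: indicators previously attributed to an earlier campaign.
KNOWN_CAMPAIGN_INDICATORS = {
    "Bahamut-2017": {"voguextra[.]com", "198.51.100.7"},
}


def domestic_footprint(records):
    """Domains whose FIRST observed NS record sits with a domestic provider."""
    first_ns = {}
    for r in sorted(records, key=lambda r: r.first_seen):
        if r.rtype == "NS" and r.domain not in first_ns:
            first_ns[r.domain] = r.value
    return sorted(d for d, ns in first_ns.items()
                  if ns.endswith(DOMESTIC_NS_SUFFIXES))


def campaign_overlap(records, known):
    """Map each domain to earlier campaigns sharing its name or an A-record IP."""
    hits = defaultdict(set)
    for r in records:
        for campaign, iocs in known.items():
            if r.domain in iocs or (r.rtype == "A" and r.value in iocs):
                hits[r.domain].add(campaign)
    return {d: sorted(c) for d, c in hits.items()}


def shared_hosting(records):
    """IPs resolved by more than one domain, i.e. no compartmentalisation."""
    by_ip = defaultdict(set)
    for r in records:
        if r.rtype == "A":
            by_ip[r.value].add(r.domain)
    return {ip: sorted(ds) for ip, ds in by_ip.items() if len(ds) > 1}


def opsec_findings(records=RECORDS, known=KNOWN_CAMPAIGN_INDICATORS):
    """Bundle the three checks into one report for a set of records."""
    return {
        "domestic_ns": domestic_footprint(records),
        "campaign_overlap": campaign_overlap(records, known),
        "shared_ips": shared_hosting(records),
    }


if __name__ == "__main__":
    for name, finding in opsec_findings().items():
        print(f"{name}: {finding}")
```

On the constructed data the report flags wpitcher[.]com for its first NS sitting with a domestic provider, voguextra[.]com for matching the earlier campaign's indicators, and one IP shared by both domains. Real passive DNS is much noisier (CDNs and shared hosting produce overlaps that mean nothing), so a hit is a lead to chase, not a verdict.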

I’m honestly clueless as to why the actor would resort to such recycling of infrastructure.

At the technical level, I would tag it as an elaborate social engineering toolkit rather than an actual APT, in the sense that the actor’s CONOPS seems to suggest as much. It’s a trait, not a weakness.