Indian govt, corporates were target of Suckfly cyber baddies: Symantec

18th May 2016
Suckfly: India on their radar

Bangalore, May 18 2016: Net security specialist Symantec, in a blog post published today, has thrown light on the activities of an advanced cyberespionage group, Suckfly, that has conducted long-term espionage campaigns against high-profile targets, including government and commercial organizations in India.
Symantec identified a number of attacks over a two-year period beginning in April 2014. These attacks occurred in several countries, but Symantec's investigation revealed that the primary targets were individuals and organizations located in India. The Indian targets show a greater amount of post-infection activity than targets in other regions, which suggests that these attacks were part of a planned operation against specific targets in India. The Symantec blog takes an in-depth look at the group's activities in India along with its attack lifecycle.
Key findings of this research:
Many of the targets Symantec identified were well-known commercial organizations located in India. These included one of India's largest financial organizations, a large e-commerce company, that e-commerce company's primary shipping vendor, one of India's top five IT firms, the Indian business unit of a US health care provider, and two government organizations.
Suckfly spent more time attacking the government networks than all but one of the commercial targets. Additionally, one of the two government organizations had the highest infection rate of the Indian targets. That organization has links to departments of India's central government and is responsible for implementing network software for different ministries and departments. The high infection rate for this target is likely explained by the access, technology, and information it holds on other Indian government organizations.
Suckfly's attacks on government organizations that provide information technology services to other government branches are not limited to India. The group has conducted attacks on similar organizations in Saudi Arabia, likely because of the access those organizations have.
Government organizations account for the largest share of Suckfly's attacks (32%); technology (29%), e-commerce (14%), financial (14%), shipping (7%) and healthcare (4%) organizations were also targeted by this group.
Suckfly used the Nidiran backdoor along with a number of hack tools to infect the victims' internal hosts. The tools and malware used in these attacks were also signed with stolen digital certificates, which lets them pass checks that trust any validly signed binary. Read more about the Suckfly attack cycle on the blog.
Attempt to impact India’s Economy
Suckfly targeted one of India's largest e-commerce companies, a major Indian shipping company, one of the country's largest financial organizations, and an IT firm that provides support for India's largest stock exchange. All of these targets are large corporations that play a major role in India's economy. Attacking any one of them would be detrimental to that organization; by targeting all of them together, Suckfly could have had a much larger impact on India and its economy.
The nature of the Suckfly attacks suggests that it is unlikely that the threat group orchestrated these attacks on their own. Symantec believes that Suckfly will continue to target organizations in India, and similar organizations in other countries to provide economic insight to the organization behind Suckfly's operations.
Symantec has the following detections in place to protect against Suckfly’s malware:

Antivirus:
  Backdoor.Nidiran
  Backdoor.Nidiran!g1
  Hacktool
  Exp.CVE-2014-6332

Intrusion prevention system:
  Web Attack: Microsoft OleAut32 RCE CVE-2014-6332
  Web Attack: Microsoft OleAut32 RCE CVE-2014-6332 2
  Web Attack: Microsoft OleAut32 RCE CVE-2014-6332 4
  Web Attack: OLEAUT32 CVE-2014-6332 3
  System Infected: Trojan.Backdoor Activity 120

CVE-2014-6332 is the Windows OLE Automation array vulnerability fixed by Microsoft security bulletin MS14-064 (November 2014); hosts that have applied that update are not exposed to the exploit these IPS signatures cover.