Crowdstrike report details active cyber adversaries who are targeting India

09th March 2020

Bangalore, March 9, 2020: CrowdStrike Inc., a global leader in cloud-delivered endpoint protection, reports that, as in 2018, North Korean targeting of the finance and cryptocurrency sectors continued in 2019.
The extent of this targeting includes activity from all named DPRK-affiliated adversaries, from STARDUST CHOLLIMA’s breach of payment processors to smaller-scale cryptocurrency theft in VELVET CHOLLIMA’s deployment of GoldStamp malware. LABYRINTH CHOLLIMA sustained routine operations against cryptocurrency exchanges. Recent reporting detailed SILENT CHOLLIMA’s use of DTrack malware to compromise ATMs in India.
According to the Reserve Bank of India’s IT cell, India has seen a series of significant and unprecedented events during the past year, which have brought the issue of cyber security for the Indian banking sector to the fore like never before. The most significant factor in this regard has been the ongoing initiative of the Government of India through its flagship Digital India programme.
Findings from the just-released 2020 CrowdStrike Global Threat Report indicate that during 2019, financially motivated cybercrime activity occurred on a nearly continuous basis. CrowdStrike observed an increase in incidents of ransomware, maturation of the tactics used, and increasing ransom demands from eCrime actors. Increasingly, these actors have begun conducting data exfiltration before encryption, enabling the weaponization of sensitive data through threats of leaking embarrassing or proprietary information.
Moving beyond eCrime, nation-state adversaries continued unabated throughout 2019, targeting a wide range of industries. Another key trend in this year’s report is the telecommunications industry being targeted with increased frequency by threat actors linked to China and the DPRK. CrowdStrike Intelligence assesses that various nations, particularly China, have an interest in targeting this sector to steal intellectual property and competitive intelligence.
Combatting threats from sophisticated nation-state and eCrime adversaries requires a mature process that can prevent, detect and respond to threats with speed and agility. CrowdStrike recommends that organizations pursue the “1-10-60 rule” in order to effectively thwart cyberthreats. The 1-10-60 guidelines are: detect an intrusion in under one minute; investigate it within 10 minutes; contain and eliminate the adversary within 60 minutes. Organizations that meet this benchmark are much more likely to eradicate the adversary before an attack spreads from its initial entry point, ultimately minimizing organizational impact.
Says Adam Meyers, vice president of Intelligence at CrowdStrike: “2019 brought an onslaught of new techniques from nation-state actors and an increasingly complex eCrime underground filled with brazen tactics and massive increases in targeted ransomware demands. As such, modern security teams must employ technologies to detect, investigate and remediate incidents faster with swift preemptive countermeasures, such as threat intelligence, and follow the 1-10-60 rule.”

On August 5, 2019, India’s Modi administration revoked Article 370 of the nation’s constitution, thereby stripping the relative political autonomy that the Indian state of Jammu and Kashmir had enjoyed for seven decades. This action, assessed to be a significant deviation from the status quo, immediately preceded an increase in targeted intrusion activity from adversaries linked to India and Pakistan. These actors include three named adversaries and an unnamed cluster with a suspected affiliation to India.

Active Adversaries (adversary: description)

QUILTED TIGER: After what appeared to be a one-year hiatus, CrowdStrike Intelligence identified renewed activity from QUILTED TIGER in August 2019. A Kashmir-themed lure was observed delivering the adversary’s bespoke BadNews malware.

VICEROY TIGER: In August 2019, VICEROY TIGER made alterations to its bespoke BackConfig malware, updating the download mechanism, persistence mechanism and data obfuscation. CrowdStrike Intelligence also detected intermittent use of Android malware, including the tool known as KnSpy, with July activity targeting users associated with the contested Jammu and Kashmir region.

MYTHIC LEOPARD: Unlike the India-based adversaries, MYTHIC LEOPARD was detected consistently throughout the year. Not only has this adversary continued to target Indian government sector entities, but some operations indicated that its target scope is expanding.

BitterCircle activity cluster: This suspected India-affiliated adversary resumed operations from August to October 2019, using previously identified tools. The actors behind BitterCircle operations target the Chinese and Pakistani government and defense sectors.

For additional information, read the blog post on the report’s findings from George Kurtz, CrowdStrike’s co-founder and chief executive officer.
Download the 2020 CrowdStrike Global Threat Report.