FlightNight: One spy PDF puts India's public sector and energy sector at risk

Teacher

The HackBrowserData infostealer is distributed all over the country. Who is behind this operation?

Researchers from the Dutch company EclecticIQ have revealed a new cyber-espionage campaign called Operation FlightNight, targeting the public sector and the energy industry in India. The attackers used a modified version of the open infostealer HackBrowserData, which can steal browser credentials, cookies, and browsing history.

According to the experts' findings, published on Wednesday, 8.81 GB of confidential data was stolen as a result of the attacks. Experts warned that the leak could significantly facilitate further hacks of the Indian government's infrastructure.

The malware was distributed through a phishing PDF document disguised as an invitation from the Indian Air Force. It is assumed that the source file was stolen as a result of one of the previous successful attacks on the Air Force, and then modified by attackers and reused.

The document itself looked harmless, but it contained a malicious shortcut, an LNK file, that led to the launch of the infostealer. After activation, the malware immediately began mass exfiltration of valuable information from the infected device to channels prepared in advance by the hackers in the Slack messenger.

Among the stolen data were internal documents, personal correspondence of employees and cached information from web browsers. To optimize the attack, the program purposefully searched for files with certain extensions. These were, for example, Microsoft Office documents, PDFs, and SQL databases.

The attacked Indian government agencies included those that control electronic communications, IT infrastructure and national security. From energy companies, the attackers stole financial reports, personal data of employees and documentation on drilling operations.

While no known groups have claimed responsibility for the attacks so far, experts have found similarities between the malware and metadata used and the January GoStealer campaign, which also targeted the Indian military. In that case, hackers stole data using a virus based on open source software from GitHub and exfiltrated it via Slack.

According to EclecticIQ researchers, the same group is behind both operations, actively using open tools for cyber espionage against Indian structures.
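The chain the post describes (a shortcut launch, bulk collection of Office/PDF/SQL files, exfiltration to Slack) is something a SOC can correlate on endpoint telemetry. The block below is an added example written for this page, not code from the original post or from the EclecticIQ report: it runs a toy correlation rule over constructed Sysmon-style events. The event field names, the script-host and Slack-host lists, the file-extension set and the bulk-read threshold are all assumptions chosen for illustration.

```python
"""Toy correlation detector for the FlightNight-style chain described above:
a shortcut (LNK) launch of a script host, bulk reads of document files, and
outbound traffic to Slack from a non-browser process.

All telemetry in SAMPLE_EVENTS is constructed. Field names loosely follow
Sysmon-style endpoint events and are assumptions, not a real schema."""
from collections import defaultdict

# Assumed values for illustration; not taken from the post or the report.
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
SLACK_HOSTS = {"slack.com", "hooks.slack.com", "files.slack.com"}
# The post names Office documents, PDFs and SQL databases; the exact set is assumed.
TARGET_EXTS = {".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf", ".sql"}
BULK_READ_THRESHOLD = 5  # assumption: this many distinct target files counts as collection


def ext_of(path):
    """Lower-cased file extension including the dot, or '' if none."""
    dot = path.rfind(".")
    return path[dot:].lower() if dot != -1 else ""


def build_tree(events):
    """Return (pid -> process record, ppid -> list of child pids)."""
    procs, children = {}, defaultdict(list)
    for e in events:
        if e["type"] == "process":
            procs[e["pid"]] = e
            children[e["ppid"]].append(e["pid"])
    return procs, children


def descendants(pid, children):
    """All pids in the subtree rooted at pid, including pid itself."""
    out, stack = set(), [pid]
    while stack:
        p = stack.pop()
        if p in out:
            continue
        out.add(p)
        stack.extend(children.get(p, []))
    return out


def detect(events):
    """Return one alert per process tree that shows all three signals."""
    procs, children = build_tree(events)
    alerts = []
    for pid, p in procs.items():
        parent = procs.get(p["ppid"])
        # Signal 1: a script host spawned directly by explorer.exe, which is what a
        # double-clicked shortcut whose target is cmd/powershell looks like.
        if p["image"].lower() not in SCRIPT_HOSTS:
            continue
        if parent is None or parent["image"].lower() != "explorer.exe":
            continue
        tree = descendants(pid, children)
        # Signal 2: bulk reads of the document types the stealer hunts for.
        reads = {e["path"] for e in events
                 if e["type"] == "file_read" and e["pid"] in tree
                 and ext_of(e["path"]) in TARGET_EXTS}
        # Signal 3: Slack traffic from a process in the tree that is not a browser.
        exfil = [e for e in events
                 if e["type"] == "netconn" and e["pid"] in tree
                 and e["dst_host"].lower() in SLACK_HOSTS
                 and procs[e["pid"]]["image"].lower() not in BROWSERS]
        if len(reads) >= BULK_READ_THRESHOLD and exfil:
            alerts.append({
                "root_pid": pid,
                "cmdline": p.get("cmdline", ""),
                "files_read": len(reads),
                "exfil_hosts": sorted({e["dst_host"] for e in exfil}),
            })
    return alerts


# Constructed sample telemetry: one malicious tree plus benign browser traffic to Slack.
SAMPLE_EVENTS = [
    {"type": "process", "pid": 4000, "ppid": 1, "image": "explorer.exe", "cmdline": "explorer.exe"},
    {"type": "process", "pid": 4100, "ppid": 4000, "image": "cmd.exe",
     "cmdline": r'cmd.exe /c "%TEMP%\stealer.exe"'},          # constructed shortcut target
    {"type": "process", "pid": 4200, "ppid": 4100, "image": "stealer.exe", "cmdline": "stealer.exe"},
    {"type": "file_read", "pid": 4200, "path": r"C:\Users\u\Documents\budget.xlsx"},
    {"type": "file_read", "pid": 4200, "path": r"C:\Users\u\Documents\contract.pdf"},
    {"type": "file_read", "pid": 4200, "path": r"C:\Users\u\Documents\notes.docx"},
    {"type": "file_read", "pid": 4200, "path": r"C:\Users\u\Documents\site.sql"},
    {"type": "file_read", "pid": 4200, "path": r"C:\Users\u\Documents\slides.pptx"},
    {"type": "file_read", "pid": 4200, "path": r"C:\Users\u\Pictures\photo.jpg"},  # not a target type
    {"type": "netconn", "pid": 4200, "dst_host": "files.slack.com", "dst_port": 443},
    # Benign: the user's browser talking to Slack from the same desktop session.
    {"type": "process", "pid": 5000, "ppid": 4000, "image": "chrome.exe", "cmdline": "chrome.exe"},
    {"type": "netconn", "pid": 5000, "dst_host": "slack.com", "dst_port": 443},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Requiring all three signals on one process tree is what keeps the rule quiet on a desktop where Slack is legitimately in use: the browser's connection to slack.com is never flagged because chrome.exe is neither a script host nor a non-browser exfiltration source, while the cmd.exe tree trips the rule only once it has both read a burst of target documents and opened a connection to a Slack host.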