
The NETSCOUT Threat Intelligence team uncovered a credential harvesting campaign tracked as
LUCKY ELEPHANT targeting mostly South Asian governments.
Security experts at NETSCOUT Threat Intelligence team uncovered a credential harvesting campaign, tracked as LUCKY ELEPHANT, targeting mostly South Asian governments.
The campaign was discovered in early March 2019, threat actors behind the LUCKY ELEPHANT campaign use doppelganger webpages to mimic legitimate entities such as foreign governments, telecommunications, and military.

The attacks
According to the experts, threat actors carried out a phishing campaign to lure victims to the websites and provide their credentials, at the time of writing the researchers did not detect any malware associated with
LUCKY ELEPHANT campaign.
The list of the organizations mimicked by hackers includes entities in Pakistan, Bangladesh, Sri Lankan, Maldives, Myanmar, and Nepal.
According to the ASERT, the LUCKY ELEPHANT campaign was carried out by an Indian APT group.
“The targets are typical of known Indian APT activity and the infrastructure was previously used by an Indian APT group. Phishing and credential theft
“One of the IP addresses, 128.127.105
Experts discovered two active IP addresses (128.127.105
Below the key findings published by the experts:
- ASERT uncovered a credential theft campaign we call LUCKY ELEPHANT where attackers masquerade as legitimate entities such as foreign government, telecommunications, and military.
- The doppelganger webpages primary purpose is to gather login credentials; we have not observed malware payloads associated with the campaign.
- One IP address used in the LUCKY ELEPHANT campaign was previously used by the suspected Indian APT DoNot Team; and at least one of the domains used for credential harvesting was previously attributed to a Chinese APT group.
“The actors behind LUCKY ELEPHANT recognize the effectiveness and use doppelganger webpages nearly identical to legitimate sites, enticing users to input their credentials. It is unclear exactly how effective and widespread this campaign is at gathering credentials, as well as how any compromised credentials are being used.” concludes ASERT.
“However, it is clear is that the actors are actively establishing infrastructure and are targeting governments in South Asia.”
| [adrotate banner=”9″] | [adrotate banner=”12″] |
(
[adrotate banner=”5″]
[adrotate
banner=”13″]



