Cyber spies from Suckfly group hacked organizations in India

A cyber-espionage crew known as the Suckfly group has been targeting organizations in India, running long-term espionage campaigns against entities in the country.

According to researchers at Symantec, the highly professional hacking group called Suckfly is targeting organizations in India and has conducted long-term espionage campaigns against the country.

Symantec did not disclose the names of the targeted organizations; it only revealed that the list of victims includes one of India's largest financial institutions, a top-five IT firm, two government organizations, a large e-commerce company, and the Indian business unit of a US healthcare company.

In March 2016, Symantec experts reported that Suckfly had targeted South Korean organizations in order to steal digital certificates. The group later ran long-term espionage campaigns against organizations across the world, most of them located in India.

“In March 2016, Symantec published a blog on Suckfly, an advanced cyberespionage group that conducted attacks against a number of South Korean organizations to steal digital certificates. Since then we have identified a number of attacks over a two-year period, beginning in April 2014, which we attribute to Suckfly. The attacks targeted high-profile targets, including government and commercial organizations.” states a blog post published by Symantec. “These attacks occurred in several different countries, but our investigation revealed that the primary targets were individuals and organizations primarily located in India.”

The principal weapon in Suckfly's arsenal is a backdoor called Nidiran, which the group combines with exploits for known Windows vulnerabilities to compromise targets and move laterally within the corporate network.

The experts noticed that the group spent significant effort compromising an Indian government department that installs network software for other ministries and departments.

Symantec analyzed the tactics, techniques, and procedures (TTPs) of the group, profiling the attackers' modus operandi. The hackers first identify employees of the target organization and try to compromise their systems, most likely through spear-phishing.

Once inside the target network, the hackers search for further systems to compromise, using hacking tools to move laterally and escalate privileges.


The nature of the targets, the TTPs of the Suckfly group, and the days on which the group is active (it operates from Monday to Friday) led the experts to conclude that it is a nation-state actor.

“These steps were taken over a 13-day period, but only on specific days. While tracking what days of the week Suckfly used its hacktools, we discovered that the group was only active Monday through Friday. There was no activity from the group on weekends. We were able to determine this because the attackers’ hacktools are command line driven and can provide insight into when the operators are behind keyboards actively working. Figure 4 shows the attackers’ activity levels throughout the week. This activity supports our theory, mentioned in the previous Suckfly blog, that this is a professional organized group.” states Symantec.
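The working-week analysis Symantec describes above is a general forensic technique: once the execution times of command-line hacktools have been recovered from a host (process telemetry, Prefetch, EDR logs) and normalized to UTC, bucketing them by weekday exposes the operators' rhythm. The example below is added here to illustrate that technique; it is not Symantec's code or data, and the execution timestamps and the working-hours window are constructed for illustration. It goes one step beyond the article by also sweeping candidate UTC offsets to find which ones confine every execution to Monday to Friday office hours, since raw UTC timestamps can make late-evening or early-morning operator activity appear to fall on a weekend.

```python
"""Weekday activity profile of recovered hacktool execution times.

Added example, not Symantec's code or data. The timestamps below are
constructed: they stand in for UTC-normalized execution times of
command-line tools recovered from a compromised host.
"""
from collections import Counter
from datetime import datetime, timedelta

WEEKDAYS = ("Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun")

# Constructed sample (ISO 8601, UTC). Two of them fall late on a Sunday in
# UTC, which is where a naive weekday count goes wrong.
SAMPLE_EXECUTIONS = [
    "2014-04-13T23:40:00Z", "2014-04-14T01:05:00Z", "2014-04-14T03:22:00Z",
    "2014-04-15T02:10:00Z", "2014-04-15T09:45:00Z", "2014-04-16T01:30:00Z",
    "2014-04-17T05:00:00Z", "2014-04-17T08:15:00Z", "2014-04-18T02:00:00Z",
    "2014-04-20T23:55:00Z", "2014-04-21T04:10:00Z", "2014-04-22T06:30:00Z",
    "2014-04-24T01:15:00Z", "2014-04-25T09:30:00Z",
]


def parse_utc(ts):
    """Parse an ISO 8601 timestamp with a trailing 'Z' into an aware datetime."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def weekday_histogram(timestamps, utc_offset_hours=0.0):
    """Count executions per local weekday after shifting UTC by the given offset."""
    shift = timedelta(hours=utc_offset_hours)
    hist = Counter({day: 0 for day in WEEKDAYS})
    for ts in timestamps:
        local = parse_utc(ts) + shift
        hist[WEEKDAYS[local.weekday()]] += 1  # weekday(): Monday == 0
    return dict(hist)


def weekend_count(hist):
    """Number of executions that landed on Saturday or Sunday."""
    return hist["Sat"] + hist["Sun"]


def plausible_offsets(timestamps, work_start=7, work_end=19, step_minutes=30):
    """UTC offsets (in hours, -12..+14) under which every execution falls on a
    Monday-Friday between work_start (inclusive) and work_end (exclusive).

    The office-hours window is an assumption of this example; half-hour steps
    are used because several real time zones sit on 30-minute offsets.
    """
    events = [parse_utc(ts) for ts in timestamps]
    n_steps = int((14 - (-12)) * 60 / step_minutes) + 1
    offsets = []
    for i in range(n_steps):
        off = -12 + i * step_minutes / 60
        shift = timedelta(hours=off)
        if all(
            e.weekday() < 5 and work_start <= e.hour < work_end
            for e in (ev + shift for ev in events)
        ):
            offsets.append(off)
    return offsets


if __name__ == "__main__":
    for off in (0.0, 8.0):
        hist = weekday_histogram(SAMPLE_EXECUTIONS, off)
        print(f"UTC{off:+.1f}: {hist}  weekend executions: {weekend_count(hist)}")
    print("offsets confining all activity to Mon-Fri office hours:",
          plausible_offsets(SAMPLE_EXECUTIONS))
```

On the constructed data the raw UTC histogram shows two Sunday executions, while shifting by +8 hours removes all weekend activity; the offset sweep returns a narrow band (UTC+7:30 to UTC+9:00) rather than a single zone. A band like that is a working-hours hypothesis, not attribution: it has to be read together with infrastructure, tooling and targeting, and it assumes the source timestamps were correctly normalized to UTC in the first place.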

Who is behind the Suckfly group?

It is hard to link the Suckfly group to a specific government. Symantec highlighted that its targets have been located in India, South Korea, and Saudi Arabia.

Looking at the C&C infrastructure used by the group, several domains were registered using addresses from the Russian email provider Yandex. On its own, this adds nothing to the attribution; the only certainty is that the hackers will continue their campaign in the coming months.

“The nature of the Suckfly attacks suggests that it is unlikely that the threat group orchestrated these attacks on their own. We believe that Suckfly will continue to target organizations in India and similar organizations in other countries in order to provide economic insight to the organization behind Suckfly’s operations.” states Symantec.

Pierluigi Paganini

(Security Affairs – Suckfly group, cyber espionage)