India's new network attack: the code name is related to China!

Author: Global Times | Time: 2022.07.12

After a year and a half of tracking and analysis, a Chinese cybersecurity company found a new round of attacks on Pakistani government and military institutions by an Indian APT (advanced persistent threat) organization. Although the APT organization is from India, its code name is "Confucius".

Chinese cybersecurity company Antian Technology Group told a Global Times reporter on the 12th that the organization is from India and that its attacks can be traced back to 2013. Energy and other fields to carry out attacks for the purpose of stealing sensitive data.

Interestingly, international security vendors named the organization "Confucius". Li Baisong, deputy chief engineer of Antian Technology Group, said that the attack organization used the phrase "Confucius Says" on its pages to disguise the attack instructions and the return address, which is why it was named "Confucius". "This shows that the attacker has also studied Chinese culture in the process of continuing to attack China. 'Confucius' is good at using spear-phishing emails, pudding attacks, and phishing websites to attack."

APT organizations aim to steal a target's core information of political and economic interest, or to destroy the other party's key infrastructure. The impact of their attacks is not limited to the virtual network world; the physical world is also affected.

According to reports, since 2021 Antian CERT (Safety Research and Emergency Treatment Center), while tracking and sorting out attacks from the direction of South Asia, has found a new round of attack activity by the "Confucius" organization against Pakistani government and military institutions. In this campaign, the attacker mainly delivered spear-phishing emails to targets in the name of Pakistani government staff. Most of the content of the phishing emails was related to the Pakistani government. Documents, thereby implanting the open-source Trojan QuasarRAT, a self-developed C++ backdoor Trojan, a C# information-stealing Trojan and a JScript downloader, and finally stealing information.

"During the follow-up process, we successively captured sample files from the organization's attacks on Pakistan. For example, in June 2021, a malicious RTF document related to the content of the Pakistani army victim list was used to attack; -19 A macro file of the vaccine vaccination status table and other related content to attack." Li Baisong said that the attacker embeds different types of malicious links in the body of the phishing email and in the attached PDF file. The text and PDF files are carefully designed to deceive the target into clicking the malicious links and downloading documents with malicious macro code.

In addition, Antian comprehensively analyzed the "Confucius" organization's malicious shortcut samples and found that it shared tools and code with another Indian APT organization, "Sidewinder". Li Baisong said, "The sharing of code and tools between major APT organizations in India has been common. Previously, foreign security vendors also disclosed that the 'Confucius' organization, the 'Urpage' organization, and the 'White Elephant' organization have relationships of shared code and shared assets."

At present, the attack activity has attracted the attention of relevant government departments in Pakistan. Among them, the Pakistan National Telecom and Information Technology Security Commission (NTISB) has issued a national cyber threat warning, saying that attackers are sending government officials and the public fake phishing emails imitating the Pakistan Prime Minister's office. Government officials and the public are therefore required to stay alert and not to provide any information through email or social media links.

Global Times-Global Network Reporter Guo Yuandan
