Experts from EclecticIQ have discovered a new espionage campaign targeting state agencies and the energy industry in India. The attackers used a modified version of the open-source tool HackBrowserData, which can collect browsing history, cookies, and account credentials, to steal data. They managed to extract 8.81 GB of data, posing a threat to the Indian government’s infrastructure.
The attackers used a phishing PDF document disguised as an invitation letter from the Indian Air Force as a lure. The PDF file was likely obtained during a previous hack and contained a link that downloaded malicious software. This software gave the hackers access to victims’ devices and let them exfiltrate internal documents, emails, and cached web browser data through Slack channels.
EclecticIQ analysts have named this campaign “Operation Flightnight” because each Slack channel controlled by the attackers was labeled Flightnight. The malware used in the attack specifically targeted Microsoft Office documents, PDFs, and SQL databases.
The victims of this campaign include Indian state agencies responsible for electronic communications, IT management, and national defense. Private energy companies have also been affected, with hackers stealing financial documents, employee personal data, and information related to oil and gas drilling.
While there is no direct evidence linking a specific hacker group to the attacks, the similarities in the malware and delivery methods strongly suggest a connection to another attack on the Indian Air Force that used GoStealer. It is believed that both campaigns are the work of the same threat actor, highlighting the effectiveness of open-source tools for cyber espionage.