India has been targeted by a series of cyber attacks orchestrated by the hacker groups Transparent Tribe and IcePeony, operating from Pakistan and China, with a focus on key government structures and organizations.
Transparent Tribe used the ElizaRAT malware and the newly developed ApoloStealer tool. According to a recent report by Check Point, ElizaRAT is known for abusing popular cloud services such as Telegram, Google Drive, and Slack for covert command and control and data transfer. The group, also known as APT36 and Datebug, has been active since 2013, targeting Windows, Android, and Linux systems.
ElizaRAT was first identified in July 2023 during attacks on Indian government agencies. Recent attacks have also been directed at Linux systems following the Indian government's introduction of Maya OS, which is based on Ubuntu. The malicious payloads are distributed as Control Panel (CPL) files, most likely delivered through phishing. Between December 2023 and August 2024, three campaigns were conducted using virtual private servers and cloud services for command and control.
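Because the delivery vector described above is a Control Panel file, a useful defensive check is to flag CPL launches that come from user-writable locations, especially when the parent process is a mail client or browser. The following is an added example (not code from the Check Point report or from the malware authors) that classifies constructed Sysmon-style process-creation events; the field names, sample paths and the severity scheme are assumptions for illustration.

```python
import ntpath
import re

# Constructed process-creation events in a Sysmon-like shape (parent image,
# image, command line). Made-up samples for this example, not real telemetry.
SAMPLE_EVENTS = [
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r'rundll32.exe shell32.dll,Control_RunDLL "C:\Users\alice\Downloads\invoice.cpl"'},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\control.exe",
     "cmdline": r"control.exe C:\Windows\System32\timedate.cpl"},
    {"parent": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "image": r"C:\Windows\System32\control.exe",
     "cmdline": r'control.exe "C:\Users\bob\AppData\Local\Temp\Tmp1A2B\report.cpl"'},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe shell32.dll,Control_RunDLL C:\Windows\System32\appwiz.cpl"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\carol\Desktop\setup.cpl,EntryPoint"},
]

# Binaries that normally host .cpl files (both are legitimate Windows components).
CPL_LAUNCHERS = {"rundll32.exe", "control.exe"}
# First .cpl path on the command line, with or without surrounding quotes.
CPL_ARG = re.compile(r'"?([^"\s]+\.cpl)\b', re.I)
# Directories an unprivileged user (or a phishing attachment) can write to.
USER_WRITABLE = re.compile(
    r"\\(?:Users\\[^\\]+\\(?:Downloads|AppData|Desktop|Documents)|Windows\\Temp|ProgramData)\\",
    re.I)
# Parents that suggest the .cpl arrived by mail or download (assumed list).
PHISHING_PARENTS = re.compile(
    r"(?:OUTLOOK|WINWORD|EXCEL|POWERPNT|firefox|chrome|msedge)\.exe$", re.I)


def classify(event):
    """Return (severity, cpl_path) for one event; severity is None when benign."""
    # ntpath handles backslash paths even when this runs on a non-Windows host.
    if ntpath.basename(event["image"]).lower() not in CPL_LAUNCHERS:
        return None, None
    match = CPL_ARG.search(event["cmdline"])
    if not match:
        return None, None
    cpl_path = match.group(1)
    if not USER_WRITABLE.search(cpl_path):
        # A .cpl under a protected system directory: ordinary Control Panel use.
        return None, cpl_path
    severity = "high" if PHISHING_PARENTS.search(event["parent"]) else "medium"
    return severity, cpl_path


def scan(events):
    """Run classify() over a list of events and collect the suspicious ones."""
    alerts = []
    for index, event in enumerate(events):
        severity, cpl_path = classify(event)
        if severity:
            alerts.append({"index": index, "severity": severity,
                           "cpl_path": cpl_path,
                           "parent": ntpath.basename(event["parent"])})
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"[{alert['severity']}] event {alert['index']}: "
              f"{alert['parent']} launched {alert['cpl_path']}")
```

The rule deliberately ignores the two benign events (system `.cpl` applets under `System32`) and grades the remaining three by parent process, so a mail client or browser spawning a Control Panel file from Downloads or Temp ranks above the same launch from Explorer.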
The new ApoloStealer tool is designed to collect files of various formats, such as DOC, XLS, and ZIP, and transmit them to a remote server. In January 2024, Transparent Tribe also introduced a dropper component for ElizaRAT and the ConnectX module, which scans for files on external devices.
IcePeony, a previously unknown group documented by Nao_Sec, targets state institutions and universities in India, Mauritius, and Vietnam. Its attacks typically begin with SQL injection and progress to the installation of web shells and backdoors, with a primary focus on credential theft.
IcePeony's arsenal includes the IceCache tool, which targets Microsoft IIS servers, and the IceEvent backdoor, capable of file download, file upload, and command execution. Notably, the operators are active nearly six days a week, avoiding activity on Fridays and Saturdays, which underscores the organized and professional nature of their operations.
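The SQL-injection-then-web-shell chain attributed to IcePeony above leaves a recognizable trail in IIS access logs: injection strings in query parameters from one client, followed by requests to a script that has appeared in an upload directory. The following is an added example, not code from Nao_Sec or from the report, that parses a constructed IIS W3C log excerpt and correlates those two stages per client IP; the log lines, the directory list and the indicator patterns are assumptions for illustration.

```python
import re
from urllib.parse import unquote_plus

# Constructed IIS W3C-style log excerpt with a reduced field list.
# These lines are made up for the example, not data from any report.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2024-08-01 10:00:01 GET /login.aspx - 203.0.113.5 200
2024-08-01 10:00:09 GET /search.aspx q=%27%20OR%201%3D1-- 203.0.113.5 200
2024-08-01 10:00:15 GET /search.aspx q=1%20UNION%20SELECT%20name%20FROM%20sysobjects 203.0.113.5 500
2024-08-01 10:02:40 POST /uploads/cmd.aspx - 203.0.113.5 200
2024-08-01 10:03:02 GET /index.aspx - 198.51.100.7 200
2024-08-01 10:03:10 GET /search.aspx q=printer 198.51.100.7 200
"""

# Common SQL injection indicators, checked against the URL-decoded query string.
SQLI_PATTERNS = re.compile(
    r"'\s*(?:or|and)\s*\d+\s*=\s*\d+"       # ' OR 1=1 style tautology
    r"|union\s+(?:all\s+)?select"           # UNION-based extraction
    r"|sysobjects|information_schema"       # schema enumeration
    r"|xp_cmdshell|waitfor\s+delay",        # MSSQL command execution / time-based
    re.I)

# Executable scripts living in directories that should only hold uploaded content.
WEBSHELL_PATH = re.compile(
    r"^/(?:uploads?|images|temp|tmp|files)/[^/]+\.(?:aspx|ashx|asmx|php|jsp)$", re.I)


def parse_w3c(text):
    """Parse W3C extended log lines into dicts keyed by the #Fields header."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue
        elif fields:
            rows.append(dict(zip(fields, line.split())))
    return rows


def analyze(text):
    """Return per-IP findings: injection attempts, web shell hits, and whether
    a web shell request followed an injection attempt from the same client."""
    findings = {}
    for row in parse_w3c(text):
        ip = row["c-ip"]
        query = row["cs-uri-query"]
        decoded = unquote_plus(query) if query != "-" else ""
        entry = findings.setdefault(ip, {"sqli": 0, "webshell": [], "chain": False})
        if SQLI_PATTERNS.search(decoded):
            entry["sqli"] += 1
        elif WEBSHELL_PATH.match(row["cs-uri-stem"]):
            entry["webshell"].append(row["cs-uri-stem"])
            if entry["sqli"]:
                entry["chain"] = True   # injection earlier, then a dropped script
    return {ip: e for ip, e in findings.items() if e["sqli"] or e["webshell"]}


if __name__ == "__main__":
    for ip, entry in analyze(SAMPLE_LOG).items():
        print(ip, entry)
```

Decoding the query before matching matters: the injection in the sample arrives percent-encoded, and a rule that only looks at the raw `cs-uri-query` misses it. The correlation step is what turns two medium-confidence signals into a strong one, since a script executing from an upload directory right after injection attempts from the same address is far more telling than either event alone.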
India finds itself at a critical juncture, facing highly sophisticated cyber attacks in which legitimate cloud services are weaponized for espionage. In this evolving landscape, cybersecurity is no longer merely a precautionary measure but an essential element in safeguarding critical infrastructure.