Beginning 7 March 2024, EclecticIQ analysts identified an uncategorized threat actor that utilized a modified version of the open-source information stealer HackBrowserData[1] to target Indian government entities and energy sector. The information stealer was delivered via a phishing email, masquerading as an invitation letter from the Indian Air Force. The attacker utilized Slack channels as exfiltration points to upload confidential internal documents, private email messages, and cached web browser data after the malware's execution. EclecticIQ analysts dubbed the intrusion “Operation FlightNight” because each of the attacker-operated Slack channels was named “FlightNight.”[2]
Analysts identified that multiple government entities in India have been targeted, including agencies responsible for electronic communications, IT governance, and national defense. Moreover, the actor targeted private Indian energy companies, exfiltrated financial documents, personal details of employees, details about drilling activities in oil and gas.
In total, the actor exfiltrated 8,81 GB of data, leading analysts to assess with medium confidence that the data could aid further intrusions into the Indian government's infrastructure.
Behavioral similarities in the malware and the delivery technique's metadata strongly indicate a connection with an attack reported on 17 January 2024.[3] EclecticIQ analysts assess with high confidence that the motive behind these actions is very likely cyber espionage. EclecticIQ shared its findings with Indian authorities to assist in identifying the victims and helping the Incident Response process.
Link to full report: IR-24-090-001_NightFlight.pdf
[1] ᴍᴏᴏɴD4ʀᴋ, “HackBrowserData.” Apr. 28, 2023. Accessed: Apr. 28, 2023. [Online]. Available: https://github.com/moonD4rk/HackBrowserData
[2] https://blog.eclecticiq.com/operation-flightnight-indian-government-entities-and-energy-sector-targeted-by-cyber-espionage-campaign
[3] “GoStealer: Golang-based credential stealer targets Indian Airforce Officials. | Dev | Disassemble | Debug.” Accessed: Mar. 13, 2024. [Online]. Available: https://xelemental.github.io/Golang-based-credential-stealer-targets-Indian-Airforce-Officials/
Comments