The Hacker Group Suckfly at War with Corporate India

A cyber espionage group attacked an Indian IT firm that provides support to India’s largest stock exchange. It’s one of many attacks in the recent past.

For 24 months now, several Indian government and private organisations have been victims of highly-targeted and sustained cyberattacks by Suckfly.

Cyber security firm Symantec has been tracking Suckfly since April 2014 and believes it is a Chinese cyber-espionage group. According to Symantec, Suckfly uses stolen digital certificates to breach the internal networks of Indian organisations.

While Symantec has declined to name any of the victims, it says the high-profile targets include one of India’s largest financial institutions, an e-commerce company and its primary shipping vendor, a leading Indian IT company, two government organisations, and an American health care provider’s Indian business unit.

So far, the highest infection rate has been at a government organisation responsible for implementing network software across various ministries and departments of the Indian central government.

Symantec’s investigation report says Suckfly uses custom malware called Backdoor.Nidiran to orchestrate the attacks. While Suckfly had used the same backdoor in its previous campaigns in other countries, in India the post-infection activity was significantly higher.

“We should be aware that this attack isn’t yet over. Suckfly has been
targeting organisations since at least May 2014, and it very likely
continues to have access to governmental and corporate servers in India
thanks to the Nidiran backdoor,” says Pranesh Prakash, Policy Director, Centre for Internet and Society.

He added that, “Depending on what access Suckfly got, the damage could be anything from
them having conducted fraudulent financial transactions to obtaining
classified governmental secrets.”

Pranesh Prakash, Policy Director, Centre for Internet and Society

It is as yet unclear what data has been exfiltrated by Suckfly, but the fact that no organisations have reported this to their customers shows that the current laws with regard to data security and data breaches are inadequate.

In a detailed email exchange with Bloomberg Quint, Symantec’s security experts describe how Suckfly operates, its motives, and what Indian entities can do to protect themselves.

Photo used for representational purpose. (Photo: iStockPhoto)

Suckfly’s Modus Operandi

In 2015, between 22 April and 4 May, Suckfly conducted a multistage attack on an Indian e-commerce company.

It first identified a user – an employee of the e-commerce company – to attempt its initial breach into the e-commerce company’s internal network.

Symantec says, “We don’t have hard evidence of how Suckfly obtained information on the targeted user, but we did find a large open-source presence on the initial target. The target’s job function, corporate email address, information on work-related projects, and publicly accessible personal blog could all be freely found online.’

Suckfly then exploited a vulnerability in the employee’s operating system (Windows) that allowed it to bypass the User Account Control and install the malware. It’s likely that Suckfly used a spear-phishing email to gain entry.

Having entered the employee’s system, Suckfly gained access to the employee’s account credentials and then used them to access the victim’s account and navigate the e-commerce company’s internal corporate network as though it were the employee.

Suckfly’s final step was to exfiltrate data off the victim’s network and onto Suckfly’s infrastructure.

Weekends Off

The attack took place over 13 days, but Symantec discovered that Suckfly was active only Monday to Friday. There was no activity from the group on weekends. This could be because the attackers’ hacktools are command line driven and can provide insight into when operators are behind keyboards actively working.

Suckfly’s Motives?

According to Symantec, “Suckfly targeted one of India’s largest e-commerce companies, a major Indian shipping company, one of India’s largest financial organizations, and an IT firm that provides support for India’s largest stock exchange. All of these targets are large corporations that play a major role in India’s economy. By targeting all of these organisations together, Suckfly could have had a much larger impact on India and its economy. While we don’t know the motivations behind the attacks, the targeted commercial organisations, along with the targeted government organisations, may point in this direction. Symantec’s research shows that Suckfly is well-equipped to carry out targeted attacks for years while staying off the radar of security organisations.”

Symantec refused to name the victims and when contacted, the National Stock Exchange (NSE) said its systems were secure and that it had not heard of any such attack on any of its tech vendors.

In the last two years, from 2013 to 2015, the total number of reported cyber breaches worldwide have increased 25%. India is amongst the most vulnerable – ranking third on the list of countries that have faced financial intrusion.

In the last two years, from 2013 to 2015, the total number of reported cyberbreaches worldwide have increased 25%. (Photo: iStock)

Smokescreen is a cybersecurity firm and CEO Sahir Hidayatullah claims virtually every large company in India has been compromised to varying degrees already.

Sahir Hidayatullah, CEO, SmokescreenStrategic economic advantage and intellectual property theft are the primary motivators for nation state attackers targeting energy, pharma, and manufacturing. Attacks against the financial sector are more commonly done by financially-motivated cybercriminals, however, nation state attackers have an interest here as well – being deeply embedded into critical systems affords opportunities for both mass data collection as well as the ability to cripple financial systems if required. All major governments aspire to have this offensive capability and are in various stages of having developed it already.

Over the last few months, our decoy detection network in India has seen an up-tick in targeted attacks specifically aimed at companies in banking, energy, pharmaceuticals and manufacturing. Manufacturing has seen the single largest increase in targeted attempts to compromise infrastructure. We have seen a large increase in ‘malware-less’ attacks including the use of stolen credentials on VPN systems.

More worrisome is that over the last year, we have conducted breach-readiness assessments for many of the large names in these verticals, and in every instance, the internal controls were unable to detect and respond to our simulated attacks in time. According to our assessment, none of them are prepared to withstand a targeted attack.

According to a 2015 survey conducted by PWC spanning 250 Indian companies, 72% of the respondents claimed they faced some sort of cyberattack over the last year. 63% claimed intrusions lead to financial losses and 55% claimed there was loss of sensitive information. But the worrying number is this – 78% have no cyber incident response plan. That’s good news for Suckfly and its comrades.