March 28, 2024 at 11:12AM
A cyberespionage campaign, dubbed Operation FlightNight, targeted government entities and energy organizations in India using phishing emails masquerading as Indian Air Force invitation letters. The malware exfiltrated data from victim machines, including financial documents and employee information. The attackers repurposed an open-source information stealer and used Slack channels both for command communication and for data exfiltration.
Key takeaways:
1. Multiple Indian government entities and private energy organizations have been targeted in a cyberespionage campaign that used an open-source information stealer for data exfiltration.
2. The campaign, named Operation FlightNight, used phishing emails masquerading as an invitation letter from the Indian Air Force and targeted Indian government agencies responsible for electronic communications, IT governance, and national defense.
3. The phishing emails carried an ISO file that contained the malware alongside a shortcut (LNK) file posing as the PDF invitation letter. Opening the shortcut ran the hidden malware while displaying a decoy document to the victim.
4. The malware is a modified version of the open-source information stealer HackBrowserData. It exfiltrated documents and web browser data from the victim’s machine, including login credentials, cookies, and browsing history.
5. The threat actor also targeted Indian energy companies, stealing financial documents, employee information, and data about oil and gas drilling activities; in total, 8.81 GB of data was exfiltrated.
6. Operation FlightNight shares similarities with an earlier GoStealer campaign that targeted Indian Air Force officials with an information stealer written in Go, showing how threat actors can turn open-source tools into a simple but effective espionage toolkit.
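As an added illustration (not part of the original report, and not the actors' tooling), the following Python script shows one way a detection engineer might hunt for the chain described in items 3 and 4 above: a shortcut launched from a freshly mounted ISO volume, a child process descended from it, and that process contacting Slack. The event schema, hostnames, PIDs, file paths, and the "expected Slack clients" list are constructed for this example and do not reproduce any real telemetry format or real indicators from the campaign.

```python
"""Constructed detection pass for the ISO/LNK -> stealer -> Slack exfil chain.
Event records, hostnames, PIDs and paths are made up for illustration; this is
a simplified schema, not a real Sysmon or EDR export."""
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Event:
    kind: str                 # "process" (creation) or "network" (outbound connection)
    host: str
    pid: int
    image: str                # full path of the process image
    parent_pid: int = 0
    parent_image: str = ""
    cmdline: str = ""
    dest_host: str = ""       # only meaningful for kind == "network"


# A mounted ISO is assigned a new drive letter; anything explorer.exe launches
# that references D:..Z: is worth a look. Assumption: the system volume is C:.
MOUNTED_VOLUME = re.compile(r"(?<![A-Za-z])[D-Z]:\\", re.IGNORECASE)
SLACK_HOSTS = ("slack.com", "slack-files.com")
# Hypothetical allow-list of processes expected to talk to Slack in this estate.
EXPECTED_SLACK_CLIENTS = {"slack.exe", "chrome.exe", "msedge.exe", "firefox.exe"}


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_slack_host(host: str) -> bool:
    return any(host == h or host.endswith("." + h) for h in SLACK_HOSTS)


def lure_execution(ev: Event) -> bool:
    """explorer.exe (the user double-clicking a shortcut) starting something
    whose image or command line points at a non-system drive letter."""
    return (ev.kind == "process"
            and basename(ev.parent_image) == "explorer.exe"
            and MOUNTED_VOLUME.search(ev.image + " " + ev.cmdline) is not None)


def detect(events: List[Event]) -> List[Dict]:
    """Single pass over ordered events: flag lure execution, follow its process
    tree, and raise a high-severity alert when a tracked process contacts
    Slack. Untracked non-client processes contacting Slack get a low alert."""
    alerts: List[Dict] = []
    tracked = set()   # (host, pid) of processes descended from a lure
    for ev in events:
        key = (ev.host, ev.pid)
        if ev.kind == "process":
            if lure_execution(ev):
                tracked.add(key)
                alerts.append({"rule": "execution_from_mounted_volume", "severity": "medium",
                               "host": ev.host, "pid": ev.pid, "image": ev.image})
            elif (ev.host, ev.parent_pid) in tracked:
                tracked.add(key)   # suspicion is inherited down the tree
        elif ev.kind == "network" and is_slack_host(ev.dest_host):
            if key in tracked:
                alerts.append({"rule": "stealer_exfil_via_slack", "severity": "high",
                               "host": ev.host, "pid": ev.pid, "image": ev.image,
                               "dest": ev.dest_host})
            elif basename(ev.image) not in EXPECTED_SLACK_CLIENTS:
                alerts.append({"rule": "slack_api_from_unexpected_process", "severity": "low",
                               "host": ev.host, "pid": ev.pid, "image": ev.image,
                               "dest": ev.dest_host})
    return alerts


# Constructed sample telemetry (all hosts, PIDs and paths are hypothetical).
SAMPLE_EVENTS = [
    Event("process", "ws01", 4100, r"C:\Windows\explorer.exe",
          parent_pid=900, parent_image=r"C:\Windows\System32\userinit.exe"),
    # User opens the shortcut on the mounted ISO (drive E:); its target runs
    # the hidden stealer and opens the decoy PDF.
    Event("process", "ws01", 4212, r"C:\Windows\System32\cmd.exe",
          parent_pid=4100, parent_image=r"C:\Windows\explorer.exe",
          cmdline=r'cmd.exe /c "E:\.hidden\stealer.exe" & start "" "E:\invite\Invitation.pdf"'),
    Event("process", "ws01", 4300, r"E:\.hidden\stealer.exe",
          parent_pid=4212, parent_image=r"C:\Windows\System32\cmd.exe"),
    Event("network", "ws01", 4300, r"E:\.hidden\stealer.exe", dest_host="files.slack.com"),
    # Benign: Word opened from explorer on the system volume.
    Event("process", "ws01", 4400, r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
          parent_pid=4100, parent_image=r"C:\Windows\explorer.exe",
          cmdline=r'"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" /n "C:\Users\alice\Documents\notes.docx"'),
    # Benign: the real Slack client talking to Slack.
    Event("network", "ws01", 5000, r"C:\Program Files\Slack\slack.exe", dest_host="slack.com"),
    # Odd but not tied to a lure: a temp-dir binary hitting the Slack API.
    Event("network", "ws02", 222, r"C:\Users\bob\AppData\Local\Temp\upd.exe", dest_host="slack.com"),
]


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The drive-letter rule is deliberately noisy (USB sticks trigger it too), which is why it only reaches high severity once a descendant process is seen contacting Slack; in a real pipeline the same correlation would be keyed on the EDR's process GUIDs rather than reusable PIDs, and the Slack allow-list would come from the organization's own software inventory.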
Related news items highlighted alongside this campaign include the sale of data on 750 million Indian mobile subscribers on hacker forums, the discovery of a stealthy cyberespionage campaign that remained undetected for two years, and Chinese cyberspies targeting ASEAN entities.