On the afternoon of 18 February, a retired army officer received a seemingly innocuous mail. Sent by a serving and senior member of the army, and coming from a respectable ‘gov.in’ address, it was an invitation to a lunch in Delhi. The message was brief, even by military standards, with the details enclosed in an attachment linked within the email.
Unbeknownst to the retired officer, the link was a veritable Pandora’s box. When clicked, it downloaded an app containing an assortment of circulars and news related to the Indian army. That, however, was just an eyewash. Its true purpose was to unleash malware, which would course through the victim’s computer or phone, stealing everything from WhatsApp chats to SMSes and media files. This malware, if left unchecked, could stay on a target’s system indefinitely, constantly pilfering sensitive data.
According to multiple sources working closely with one of the cyber incident response teams attached to the Ministry of Defence, the data was being transmitted to a command and control centre in the Netherlands—the source of the phishing attack. They told The Ken that hackers made use of the country’s many ‘bulletproof hosting’ services, which essentially allow hackers to securely host malicious content which can be used to carry out cyber attacks. These servers, which were paid for in Bitcoin, were accessed from Karachi, Pakistan.
While media reports have emerged (Hindustan Times: “Ex-defence personnel hit by phishing attack”) claiming that only a few dozen retired army personnel were targeted, The Ken has learnt that hundreds of Indian army personnel—both serving and former—fell prey to the email. “The data copied included personal images, audio and call recordings, and PDF documents pertaining to troop movements,” say the sources quoted above. If the claim about leaked troop movement documents is true, it indicates that serving personnel were indeed targeted. The Ken put this claim to the Ministry of Defence, but received no response.
Phishing attacks—using fraudulent or manipulated messages to steal information—are nothing new. These attacks have found increased utility in espionage, with a number of countries using hackers to ferret out sensitive information from both rivals and allies.
In this case, hackers first compromised the email credentials of a serving officer and used them to send malware-laden emails to others. Coming from a high-ranking official and from an official ID, few suspected anything was amiss.