August 10, 2016
A group of state-sponsored hackers, which current evidence suggests operates out of India, has been targeting thousands of individuals and organizations around the globe for almost six years.
According to evidence gathered by infosec researchers from the Forcepoint Security Labs, the group, which they dubbed Monsoon during the initial phase of their research, turned out to be the same APT also known under three different names, discovered by three other companies.
Monsoon is actually the Patchwork APT, as named by Cymmetria last month; Dropping Elephant, as called by Kaspersky Lab last month; and Operation Hangover, the codename it received from Blue Coat in 2013.
Monsoon is connected to Operation Hangover attacks
The last APT name is a connection that both Cymmetria and Kaspersky failed to make in their initial reports, but Forcepoint says that, after analyzing the domain names and server infrastructure used in the attacks, it found overlaps between its Monsoon report and Operation Hangover.
Looking deeper at the collected data, Forcepoint identified not only an infrastructure overlap but also the use of similar TTPs (Tactics, Techniques, and Procedures) and the targeting of the same individuals.
Monsoon, Patchwork, Dropping Elephant, Operation Hangover, or whatever you want to call it, seems to have operated in cycles, with the latest one starting back in December 2015, the same start date reported by Forcepoint, Kaspersky, and Cymmetria in all their research.
Spear-phishing campaigns revolved around military topics
The name of the malware detected in these attacks differs from company to company, but the crooks used spear-phishing emails to deliver malicious Office files, which, in turn, infected the victims, mainly with a backdoor trojan.
The theme of the spear-phishing emails was the same in most cases, revolving around current newsworthy topics, most of the time the Chinese military as well as the military and defense fields in general.