A hacking group with ties to the Indian military adopted a pair of mobile surveillance tools to spy on geopolitical targets in Pakistan and Kashmir amid persistent regional tensions between the nuclear-armed neighbors, according to a report from cybersecurity company, Lookout Inc.
The group is known for commandeering legitimate web services in South Asia and embedding surveillance tools or malware inside these apps and services to conduct espionage. Since 2017, and as recently as December, the hackers have relied on spyware to target Pakistani military officials, the country’s top nuclear regulator and Indian election officials in the disputed state of Kashmir, according to the report released Thursday from San Francisco-based Lookout.
The campaign appears to be just the latest example of hackers targeting sensitive security targets with social engineering tactics — luring victims to download malicious files disguised as benign applications. What’s unique about attacks by the group, dubbed Confucius, is the extent to which its operators go to veil their efforts, experts say.
Using knock-off web applications disguised as Google security tools and popular regional chat and dating applications, Confucius managed to access 156 victims’ devices in a trove of data recently discovered by Lookout’s research team. The files and related logs were found by Lookout researchers in unsecured servers used by the attack group, according to the report. Most of the users who recently accessed those servers were based in Northern India.
Once the attackers penetrate a device, they scrape it for data, including call logs, contacts, geolocation, images and voice notes. In some cases, the hackers took screen shots of the devices and recorded phone calls. In at least one instance, intruders got inside the device of a Pakistani Air Force service member and viewed a contact list filled with other Air Force officials, said Apurva Kumar, Lookout’s staff security intelligence engineer.
“While their technical tools and malwares might not be that advanced, the Confucius threat actor invests human time to gain trust from their targets,” said Daniel Lunghi, threat researcher at the cybersecurity firm, Trend Micro Inc. “And in certain sensitive fields where people are more cautious, it might be what makes the difference.”
In two cases, researchers discovered that hackers stole the contents of WhatsApp chat conversations from 2017 and 2018 between officials at the Pakistan Nuclear Regulatory Authority, Pakistan Atomic Energy Commission and unknown third-parties. Then in April 2019, in the midst of India’s latest national election, the attackers burrowed into the device of an election official in the Pulwama region of Kashmir, where months earlier an Indian security convoy was attacked by a Pakistan-based Islamic terrorist in a deadly explosion.
Kumar, of Lookout, said she couldn’t disclose the details of the stolen data.
Her research indicates the espionage campaign ramped up in 2018 after unknown hackers breached the commercial surveillance-ware provider, Retina-X Studios. Hornbill, one of the malware tools used by the attackers, shares code similarities with Retina-X’s Mobile Spy products. Another piece of malicious software called Sunbird, which is capable of remotely commandeering a user’s device, appears to be rooted in code for a stalkerware service called, BuzzOutLoud, based in India.