
Stay alert for dangerous Air Force PDF targeting Indian sectors




TLDR:

  • EclecticIQ researchers uncovered cyberespionage operation targeting Indian government entities and energy companies.
  • Attackers used modified HackBrowserData to steal sensitive data and exfiltrate it through Slack channels named “FlightNight.”

EclecticIQ researchers have uncovered a cyberespionage operation, dubbed “Operation FlightNight,” that targeted Indian government entities and energy companies. The attackers, likely state-sponsored, used a modified build of the open-source browser-data stealer HackBrowserData to collect sensitive data. They compromised multiple government agencies responsible for communications, IT, and national defense, as well as private energy companies, delivering the malware through emails disguised as invitations from the Indian Air Force. The stolen data was exfiltrated through Slack channels named “FlightNight”; because the Slack credentials were embedded in the malware, the researchers were able to enter those channels and profile the victims. Recommended mitigations include disabling browser features that cache credentials and browsing data, using two-factor authentication, and treating ISO attachments with caution.

Full Article:

On March 29, 2024, EclecticIQ researchers disclosed a cyberespionage campaign they dubbed “Operation FlightNight,” which targeted Indian government entities and energy companies. The attackers compromised multiple government agencies responsible for communications, IT, and national defense, as well as private energy companies, using a modified version of the open-source information stealer HackBrowserData to steal sensitive data. A defining feature of the operation was its use of Slack channels as exfiltration points; the channels were named “FlightNight,” which gave the operation its name.

The researchers found that the attackers relied on a simple lure to get victims to run the malware. Phishing emails disguised as invitations from the Indian Air Force carried an ISO file that looked like a harmless archive. Opening the ISO, which Windows mounts as a virtual drive, exposed a Windows shortcut (LNK) file disguised as a PDF document; launching that shortcut started the malware, which then exfiltrated confidential documents, private emails, and cached web browser data. ISO images have long been favoured for this kind of delivery because files inside a mounted image historically did not inherit the Mark-of-the-Web that triggers SmartScreen and Protected View warnings.

The stolen material, documents, emails, and browsing history, was uploaded to Slack channels, blending the exfiltration into traffic to a legitimate collaboration service to avoid detection. HackBrowserData on its own only extracts data stored by web browsers; the attackers modified it to add document theft and Slack-based communication. EclecticIQ's code analysis confirmed these modifications and also recovered the naming scheme used for temporary files and the file types the stealer targets.

The attackers' key mistake was embedding the credentials for the Slack workspace directly in the malware binary. Using those hardcoded keys, EclecticIQ researchers accessed the channels and recovered information about the victims, including file paths, timestamps, and download URLs for the stolen data. The same access gave them insight into the attackers' setup, including details of the Slack team and the bots used for communication.

For mitigation, EclecticIQ recommends disabling browser features that store credentials and other sensitive data, enforcing two-factor authentication, treating ISO attachments with suspicion, and monitoring for data sent to unknown Slack channels or workspaces. Organizations that follow cybersecurity news and apply these practices are better placed to defend against similar cyberespionage operations.
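The hardcoded Slack keys that let the researchers into the attackers' channels, and the recommendation to watch for data leaving toward unknown Slack channels, both come down to recognising Slack token and endpoint strings. The following Python script is an added example written for this page, not code from EclecticIQ and not part of HackBrowserData: it pulls printable ASCII and UTF-16LE strings out of a binary blob, matches the `xoxb-`/`xoxp-` style token prefixes Slack uses for bot and user tokens, incoming-webhook and Web API URLs, and the “FlightNight” channel name the report mentions, and redacts any secret before it is written into a triage report. The sample bytes are constructed for the example; every token and webhook value in it is made up and is not a real credential.

```python
"""Scan a binary blob for hardcoded Slack credentials and exfiltration endpoints.

Added example for this page: not EclecticIQ's tooling and not part of
HackBrowserData. It demonstrates the triage step behind the report's finding
that the Slack keys were embedded in the malware.
"""
import re
from typing import Dict, List

# Constructed sample standing in for a suspicious executable. Every token and
# URL below is made up for the example; none is a real credential.
SAMPLE_BINARY = (
    b"MZ\x90\x00\x03\x00\x00\x00garbage\x00"
    b"https://slack.com/api/files.upload\x00"
    b"xoxb-000000000000-0000000000000-AbCdEfGhIjKlMnOpQrStUvWx\x00"
    b"https://hooks.slack.com/services/T00000000/B00000000/XXXXXXXXXXXXXXXXXXXXXXXX\x00\x00"
    + "FlightNight".encode("utf-16-le") + b"\x00\x00"
    + "xoxp-111111111111-1111111111111-AaBbCcDdEeFfGgHhIiJjKkLl".encode("utf-16-le")
    + b"\x00\x00more\x00"
)

# Printable runs of at least 8 characters, as plain ASCII and as UTF-16LE
# (Windows binaries commonly store strings in either form).
ASCII_RUN = re.compile(rb"[\x20-\x7e]{8,}")
WIDE_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){8,}")

# Indicator patterns. Slack bot/user tokens start with xoxb-/xoxp- (xoxa-/xoxr-
# are sibling prefixes); incoming webhooks and Web API calls have fixed hosts.
PATTERNS: Dict[str, "re.Pattern[str]"] = {
    "slack_token": re.compile(r"xox[abpr]-[0-9A-Za-z-]{20,}"),
    "slack_webhook": re.compile(r"https://hooks\.slack\.com/services/[0-9A-Za-z/]+"),
    "slack_api_url": re.compile(r"https://slack\.com/api/[0-9A-Za-z._]+"),
    "campaign_marker": re.compile(r"FlightNight"),  # channel name from the report
}


def extract_strings(blob: bytes) -> List[str]:
    """Return printable ASCII strings followed by decoded UTF-16LE strings."""
    ascii_strings = [m.group().decode("ascii") for m in ASCII_RUN.finditer(blob)]
    wide_strings = [m.group().decode("utf-16-le") for m in WIDE_RUN.finditer(blob)]
    return ascii_strings + wide_strings


def find_slack_indicators(blob: bytes) -> Dict[str, List[str]]:
    """Map each indicator class to the distinct matches found in the blob."""
    hits: Dict[str, List[str]] = {name: [] for name in PATTERNS}
    for text in extract_strings(blob):
        for name, pattern in PATTERNS.items():
            for match in pattern.finditer(text):
                if match.group() not in hits[name]:
                    hits[name].append(match.group())
    return hits


def redact(secret: str, keep: int = 4) -> str:
    """Keep the recognisable prefix and the last few characters so a report
    can identify a token without reproducing a usable credential."""
    prefix = secret.split("-", 1)[0] + "-" if "-" in secret else ""
    return f"{prefix}...{secret[-keep:]}"


def triage_report(blob: bytes) -> List[str]:
    """Human-readable lines for an analyst, with secrets redacted."""
    hits = find_slack_indicators(blob)
    lines: List[str] = []
    for name, values in hits.items():
        for value in values:
            shown = redact(value) if name in ("slack_token", "slack_webhook") else value
            lines.append(f"{name}: {shown}")
    if hits["slack_token"] and (hits["slack_api_url"] or hits["slack_webhook"]):
        lines.append("assessment: embedded Slack credential plus upload endpoint; "
                     "treat Slack as a likely exfiltration channel")
    return lines


if __name__ == "__main__":
    for line in triage_report(SAMPLE_BINARY):
        print(line)
```

The two-pass string extraction matters in practice: a naive `strings` run only sees the ASCII copy of a token, and a wide-string copy embedded in a Windows binary or resource would be missed. Redacting before reporting is deliberate; a live bot token pasted into a ticket or chat is itself a credential leak, and the redacted form is still enough to correlate the sample with the attackers' workspace.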

