Materials research organizations in Asia have been targeted by a previously unknown threat actor using a distinct set of tools.
Symantec, by Broadcom Software, is tracking the cluster under the moniker Clasiopa. The origins of the hacking group and its affiliations are currently unknown, but there are hints that suggest the adversary could have ties to India.
This includes references to “SAPTARISHI-ATHARVAN-101” in a custom backdoor and the use of the password “iloveindea1998^_^” for a ZIP archive.
It’s worth noting that Saptarishi, meaning “Seven sages” in Sanskrit, refers to a group of seers who are revered in Hindu literature. Atharvan was an ancient Hindu priest and is believed to have co-authored one of the four Vedas, a collection of religious scriptures in Hinduism.
“While these details could suggest that the group is based in India, it is also quite likely that the information was planted as false flags, with the password in particular seeming to be an overly obvious clue,” Symantec said in a report shared with The Hacker News.
Also unclear is the exact means of initial access, although it’s suspected that the cyber incursions take advantage of brute-force attacks on internet-facing servers.
Some of the key hallmarks of the intrusions involve clearing system monitor (Sysmon) and event logs as well as the deployment of the multiple backdoors, such as Atharvan and a modified version of the open source Lilith RAT, to gather and exfiltrate sensitive information.
Atharvan is further capable of contacting a hard-coded command-and-control (C&C) server to retrieve files and run arbitrary executables on the infected host.
“The hard-coded C&C addresses seen in one of the samples analyzed to date was for Amazon AWS South Korea (Seoul) region, which is not a common location for C&C infrastructure,” Symantec pointed out.
Judging by its tools and tactics, the group’s chief motive appears to be achieving persistent access to victim machines without being detected and carrying out information theft.
The disclosure comes a day after the cybersecurity firm took the wraps off another hitherto undocumented threat group known as Hydrochasma that has been observed targeting shipping companies and medical laboratories in Asia.