California-based cybersecurity company discovers spyware related to India-Pakistan conflict
The group is said to have ties to the Indian military
Targets include Pakistan’s military, nuclear authorities, Indian election officials in Kashmir
A California-based cybersecurity company, Lookout Inc., has revealed in its latest research report two novel Android surveillanceware families, Hornbill and SunBird.
The team of researchers suggested these were used as surveillance tools by the advanced persistent threat (APT) group Confucius, which first appeared in 2013 as a state-sponsored, pro-India actor primarily pursuing Pakistani and other South Asian targets.
The group is said to have ties to the Indian military and has adopted a pair of mobile surveillance tools to spy on geopolitical targets in Pakistan and Kashmir amid persistent regional tensions, Bloomberg reported.
The research revealed that the targets of these tools include personnel linked to Pakistan’s military, nuclear authorities, and Indian election officials in Kashmir.
Both spyware applications, Hornbill and SunBird, have sophisticated capabilities to exfiltrate SMS, encrypted messaging app content, and geolocation, among other types of sensitive information.
Once the attackers penetrate a device, they scrape it for data, including call logs, contacts, geolocation, images and voice notes.
In some cases, the hackers took screenshots of the devices and recorded phone calls.
In at least one instance, intruders got inside the device of a Pakistani Air Force service member and viewed a contact list filled with other Air Force officials, Bloomberg reported, quoting Apurva Kumar, Lookout’s staff security intelligence engineer.
Additional exfiltrated data from late 2018 and early 2019 indicated that SunBird was being used to monitor Booth Level Officers responsible for field-level information regarding electoral rolls in the Pulwama district of Kashmir.
This time and location are significant, as Pulwama suffered a suicide bombing attack in February 2019 which increased tensions between India and Pakistan.
The start date of active monitoring of this target on C2 servers coincided with the start of the Indian general elections held in April 2019, the research report revealed.
The operators behind Hornbill are interested in a user’s WhatsApp communications. It uses a unique set of server paths to communicate with its command-and-control server.
These are listed below along with what action Hornbill takes when sending HTTP POST requests to each.
In addition, Hornbill records WhatsApp calls, detecting that a call is active by abusing Android’s accessibility services. The exploitation of Android’s accessibility services in this manner is a trend we are observing frequently in Android surveillanceware.
In two cases, researchers discovered that hackers stole the contents of WhatsApp chat conversations from 2017 and 2018 between officials at the Pakistan Nuclear Regulatory Authority, the Pakistan Atomic Energy Commission and unknown third parties.
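The accessibility-service abuse described above is easiest to counter by auditing which apps actually hold that permission on a device. The Python script below is an added example, not Lookout's code: it parses the `enabled_accessibility_services` secure setting as printed by `adb shell settings get secure enabled_accessibility_services` and flags every service whose package is not on an allowlist. The allowlist contents and the sample adb output are constructed assumptions.

```python
"""Audit Android accessibility-service grants against an allowlist.

Added example, not Lookout's code. Android keeps the enabled accessibility
services in the secure setting `enabled_accessibility_services` as a
colon-separated list of "<package>/<service class>" entries, readable with:
    adb shell settings get secure enabled_accessibility_services
"""

# Packages an organisation expects to hold accessibility access
# (screen readers, an approved device-management agent); hypothetical.
ALLOWED_PACKAGES = {
    "com.google.android.marvin.talkback",
    "com.example.corp.mdm",  # constructed placeholder
}


def parse_enabled_services(raw: str) -> list[tuple[str, str]]:
    """Split the setting value into (package, service class) pairs.

    The setting prints "null" when nothing is enabled, and a class written
    as ".Foo" is shorthand for "<package>.Foo".
    """
    raw = raw.strip()
    if not raw or raw == "null":
        return []
    pairs = []
    for entry in raw.split(":"):
        entry = entry.strip()
        if not entry:
            continue
        pkg, _, cls = entry.partition("/")
        if cls.startswith("."):
            cls = pkg + cls
        pairs.append((pkg, cls))
    return pairs


def unexpected_services(raw: str, allowed=ALLOWED_PACKAGES) -> list[tuple[str, str]]:
    """Return the enabled services whose package is not on the allowlist."""
    return [(p, c) for p, c in parse_enabled_services(raw) if p not in allowed]


if __name__ == "__main__":
    # Constructed sample: a screen reader plus an unknown app that has
    # obtained accessibility access, as adb would print the setting.
    sample = ("com.google.android.marvin.talkback/"
              "com.google.android.marvin.talkback.TalkBackService:"
              "com.unknown.app/.CallWatcherService\n")
    for pkg, cls in unexpected_services(sample):
        print(f"UNEXPECTED accessibility service: {pkg} ({cls})")
```

Run it against real output by piping the adb command's result into `unexpected_services`; any hit is a candidate for removal or closer inspection.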
Then in April 2019, in the midst of India’s latest national election, the attackers burrowed into the device of an election official in the Pulwama region of Kashmir, where months earlier an Indian security convoy was attacked by a Pakistan-based Islamic terrorist in a deadly explosion.
The Lookout researchers found that, within the exfiltrated data, one particular victim was an individual who was using WhatsApp to correspond with someone applying for a position at the Pakistan Nuclear Regulatory Authority in 2017.
In 2018, messages were uncovered from someone applying for a position at the Pakistan Atomic Energy Commission.
The newest Hornbill sample was identified by Lookout’s app analysis engine as recently as December 2020, suggesting the malware may still be active today.
“We are confident SunBird and Hornbill are two tools used by the same actor, perhaps for different surveillance purposes. To the best of our knowledge the apps described in this article were never distributed through Google Play,” they said.
The researchers stated that users of Lookout’s security apps are protected from these threats.