A new report published by Antiy Labs, one of China’s cybersecurity companies, disclosed an active hacker team whose members are based in Delhi and has been launching cyberattacks against the government agencies and defence departments in China and Pakistan, Global Times reported.
The report conducted a comprehensive analysis of the cyberattacks launched by the organisation called You Xiang (baby elephant in English) in South Asia, revealing its target, technology and equipment, and exposing the attackers who wear “invisible clothes” and hide behind screens.
The company’s vice chief engineer, Li Bosong, told the Global Times that they first detected “baby elephant” activities in 2017, when a number of large-scale targeted cyberattacks on the government, military and defence departments of South Asian countries were found.
According to the analysis of their activities, it was found that the group is suspected to be from India, and is not the same as another hacker group from India named “white elephant.”
The organisation had its own set of relatively independent attack resources and tools, but the attack capability was relatively primary at that time. It might be a newly established attack team with immature technical capabilities. “That’s why we’ve named this new, advanced threat organisation ‘baby elephant,’” Li said, as per the report.
Four years since, the “baby elephant” is on the rampage, expanding their targets. “Since 2017, the number of ‘baby elephant’ attacks has doubled each year, and the attack methods and resources have gradually become richer, and the target has started to cover more areas in South Asia,” Li said. “In 2021, the group began targeted attacks on Chinese institutions for intelligence theft.”
The attacks detected by Antiy Labs include setting up phishing websites, attacking mobile phones with malicious Android applications, and Trojans written in languages such as Python to steal various documents, browser cache passwords and other host system environment information from computers, the report said.
For example, the “baby elephant” used to disguise itself as the mail system of the Nepalese Army, police, and government, including Nepal’s Ministry of Foreign Affairs, the Ministry of National Defence, and the Prime Minister’s office to launch targeted attacks to obtain email accounts to carry out subsequent attacks.
It also pretended to be a polling app for India-Nepal territorial disputes using malicious Android applications. After the victim installs and opens the malicious Android application, the application will ask for system permissions from users. If the permissions are granted, it will monitor the victim’s mobile phone, Global Times reported.
The highlight from the report is that the location of those hackers was exposed when the group uploaded their Trojan horses to public security resources to test the ability of the Trojan horses to escape anti-virus software. Resources retrieval showed at least one sample uploader was from Delhi, India. The hacker had uploaded eight test malicious files from November 23 to November 24, 2020, the report said. Those samples shared a high degree of similarity in code content with those from the “baby elephant.”
Judging from previous activities, some hacking organisations from India are not very concealed. One is because of its imperfect attacking capability, but more importantly, it reflects the have-nothing-to-fear mindset of those attackers. The physical location of one attacker most likely represents the location of the entire hacking organization, Li said.
“Despite constantly diversifying attacking methods and more abundant functions of the malicious files, attacks could still be traced to the “baby elephant” based on its targets, tactics and decoys and Trojan homology,” Li said.
The targets of the attacks overlap, such as those in Nepal, Pakistan, and Afghanistan. Techniques and tactics that they used are similar to the behaviour of the “baby elephant” in the early stage, including malicious shortcuts, malicious HTA scripts and Python Trojan horses, according to Li.
Li also pointed out the similarity of their domain names, which all tend to imitate the official domain names of government organs and state-owned enterprises in Pakistan, Nepal and Sri Lanka. They also tended to adopt the dynamic domain names under the US network service provider No-IP, such as hopto.org and myftp.org, the report added.
Multiple signs showed that the “baby elephant” has already become one of the most active and mature cyberattack organisations that threaten the cybersecurity of South Asia and Asia-Pacific.
It is also likely to become the main attack group in South Asia in the future, Li said, calling for attention to be paid on the “baby elephant.”
Victim countries attacked by the “baby elephant” are usually weak economically, in digital maintenance and cybersecurity capabilities. But like any other country, they enjoy the right to defend their sovereignty, security and interests, Li pointed out.
In a previous interview, Antiy Labs told the Global Times that since March, they have detected several phishing activities targeting the government, defence and military units, as well as state-owned enterprises in China, Pakistan, and Nepal. The organisation behind the attacks is from India and its activities can be traced to as early as April 2019.
Global Times reported that the material obtained from several of China’s leading cybersecurity companies have further revealed a sophisticated network: top hackers from South Asia, mainly from India, have constantly attacked defence and military units as well as state-owned enterprises in China, Nepal and Pakistan in the past few years, and such attacks are on the rise under new disguises of international trending topics.
(Sanjeev Sharma can be reached at Sanjeev.firstname.lastname@example.org)