COSMIC LEOPARD & UTA0137 ESPIONAGE CAMPAIGNS TARGET INDIAN GOVERNMENT WITH SOPHISTICATED MALWARE AND VELVET ANT'S 3-YEAR CYBER ESPIONAGE ON EAST ASIAN GROUP VIA F5 BIG-IP, PLUGX MALWARE UNVEILED

June 13-19, 2024 | Issue 24 - PACOM and CYBER

Samuel Pearson, Chloe Woodbine, Mrinmoy Routh, Prim Thanchanok Kanlayanarak, Siddhesh Shimpukade, Janthe Van Schaik

Alya Fathia Fitri, Editor; Evan Beachler, Senior Editor


Government Defense and Security Agencies Dealing with Cyber Warfare[1]


Date: June 14, 2024

Location: India

Parties involved: India; Indian government; Indian government officials; Indian defense and security agencies; Indian defense and intelligence officials; Indian technology sectors; Indian cybersecurity tracking team, Cisco Talos Intelligence Group; Indian cybersecurity firm, Volexity; Pakistan; Pakistani Inter-Services Intelligence (ISI); Pakistani government and Pakistan-based threat actor, Cosmic Leopard; Pakistan-based threat actor, UTA0137; Pakistan-based threat actor Transparent Tribe; users of BOSS Linux Distribution; developers of BOSS Linux; online communication platform Discord

The event: Cosmic Leopard and UTA0137 launched ongoing espionage campaigns using malware and social engineering tactics targeting Indian government entities. Cosmic Leopard operates under Operation Celestial Force; both groups, active since at least 2018, target individuals in the Indian defense, government, and technology sectors using Android and Windows malware and by exploiting specific vulnerabilities in Linux systems. Researchers at Cisco Talos identified Cosmic Leopard, linked to the Pakistan-linked group Transparent Tribe, using GravityRAT and HeavyLift malware. UTA0137 employs the Go-based ‘Disgomoji’ malware and exploits the DirtyPipe vulnerability to target BOSS 9 systems, using Discord to control the malware inside the target network; the campaign is specifically tailored to Indian government entities that use this custom Linux distribution. Both campaigns demonstrate advanced strategies and a high degree of success, indicating a sophisticated and persistent threat to India's national security.[2]

Analysis & Implications:

  • UTA0137 will very likely continue to exploit India’s inadequate network monitoring and firewall capabilities, and its espionage will likely highlight these specific gaps in Indian government networks. The Indian government will likely renew efforts to improve cybersecurity by investing in advanced network monitoring tools, enhanced firewall systems, and anti-phishing training programs for government employees, very likely preventing future attacks against its national security.

  • These threat actors likely depend on financial support from the Pakistani government, providing stolen information in exchange for the resources to operate unique tools such as GravityRAT and ‘Disgomoji.’ Pakistan’s intelligence services will likely use the information collected through these attacks to plan further intelligence operations against Indian government officials, primarily Indian intelligence and military officials. India will very likely sponsor non-governmental groups to retaliate while maintaining plausible deniability over its cyber-espionage capabilities, very likely avoiding escalation with Pakistan. India will also likely respond with its own cyber-espionage efforts, aiming to gather intelligence on Pakistan’s activities and to deter future cyberattacks.

  • High-ranking Indian officials will likely be the target of social engineering intelligence operations. Pakistani threat actors will very likely employ a variety of previously successful tactics, such as honey trap operations. The successful execution of social engineering operations against Indian personnel will very likely lead to the extraction of sensitive defense-related information, such as personal information of high-profile individuals and military plans. India will very likely strengthen counterintelligence measures, including improved vetting processes for personnel with access to sensitive information and comprehensive training programs to educate personnel about the tactics used in social engineering attacks.


Date: June 17, 2024

Location: East Asia

Parties involved: Chinese threat actor Velvet Ant; Chinese cyber-espionage groups; cyber threat actors; public sector organizations; private sector organizations; Israeli cybersecurity company Sygnia; American technology company F5; cybersecurity professionals

The event: Velvet Ant launched cyber espionage campaigns against an East Asian organization for three years using F5 BIG-IP devices, which the threat actor used as an internal Command-and-Control (C&C) to access sensitive financial and customer information. Velvet Ant allegedly exploited access points in the company’s network infrastructure using a remote access Trojan called PlugX. The actor reportedly deployed the PlugX malware twice, first on the network’s C&C and then on older servers using a reverse Secure Shell (SSH) tunnel. Velvet Ant routed stolen data through the network’s servers to conceal the unusual network traffic and remained active in the compromised network despite Sygnia attempting to remove them.[3]
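As an added illustration (not from the original report or from Sygnia's published analysis), the Python below shows one way a defender could screen network flow logs for the pattern described above: an edge appliance that begins initiating connections into the network (the reverse SSH tunnel), bulk transfers from internal servers into that appliance, and appliance-originated egress to the internet. The appliance address, the allowlist of expected administrative paths, the internal address range, and the flow records are all constructed for this example.

```python
"""Screen flow records for an edge appliance behaving like an internal C2 pivot.

Added example; every address, allowlist entry and log line below is constructed.
"""
import csv
import io
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed inventory: the management address of the edge appliance
# (standing in for an F5 BIG-IP) and the expected admin/vendor paths.
APPLIANCES = {"10.0.0.5"}
ALLOWLIST = {
    ("10.0.0.5", "10.0.1.10"),   # appliance -> admin jump host (hypothetical)
    ("10.0.1.10", "10.0.0.5"),   # jump host -> appliance
    ("10.0.0.5", "192.0.2.50"),  # appliance -> vendor update host (hypothetical)
}
INTERNAL_NETS = [ip_network("10.0.0.0/8")]  # constructed internal range
BULK_BYTES = 1_000_000  # bytes per (src, dst) pair before a transfer is "bulk"

# Constructed flow records in a simple CSV export format.
SAMPLE_LOG = """src,dst,dport,proto,bytes_out
10.0.0.5,10.0.1.10,22,tcp,800
10.0.0.5,10.0.2.7,22,tcp,12000
10.0.2.7,10.0.0.5,443,tcp,5000000
10.0.0.5,203.0.113.9,443,tcp,4900000
10.0.3.3,10.0.1.10,445,tcp,2000
10.0.3.3,198.51.100.4,443,tcp,20000
"""


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str
    bytes_out: int


def is_internal(ip: str) -> bool:
    """True when the address falls inside the constructed internal range."""
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_flows(text: str) -> list:
    """Parse the CSV flow export into Flow records."""
    reader = csv.DictReader(io.StringIO(text))
    return [
        Flow(r["src"], r["dst"], int(r["dport"]), r["proto"], int(r["bytes_out"]))
        for r in reader
    ]


def detect(flows, appliances=APPLIANCES, allowlist=ALLOWLIST, bulk_bytes=BULK_BYTES):
    """Return sorted (rule, src, dst) findings.

    Rules:
      appliance_initiated_internal - the appliance opens a connection to an
          internal host outside the allowlist (reverse-tunnel / pivot pattern).
      appliance_egress - the appliance opens a connection to a non-internal
          address outside the allowlist (data leaving via the edge device).
      bulk_to_appliance - an internal host pushes >= bulk_bytes into the
          appliance (data staged through the device before egress).
    """
    findings = set()
    volume = defaultdict(int)
    for f in flows:
        pair = (f.src, f.dst)
        if f.src in appliances and pair not in allowlist:
            rule = "appliance_initiated_internal" if is_internal(f.dst) else "appliance_egress"
            findings.add((rule, f.src, f.dst))
        if f.dst in appliances and is_internal(f.src) and pair not in allowlist:
            volume[pair] += f.bytes_out
    for (src, dst), total in volume.items():
        if total >= bulk_bytes:
            findings.add(("bulk_to_appliance", src, dst))
    return sorted(findings)


if __name__ == "__main__":
    for rule, src, dst in detect(parse_flows(SAMPLE_LOG)):
        print(f"{rule:30} {src} -> {dst}")
```

The rules deliberately key on direction rather than on port or payload: an edge appliance that accepts sessions is normal, one that originates them into the estate or out to the internet is the anomaly this incident turned on, and volume is aggregated per host pair so many small transfers are not missed.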

Analysis & Implications:

  • Velvet Ant will likely continue targeting companies in the Asia-Pacific region, with a roughly even chance of seeking information in support of China’s foreign policy and economic goals. Public and private sector organizations in this region will very likely face similar attacks as Chinese cyber-espionage groups continue to operate due to their ongoing success. Since Velvet Ant utilizes PlugX, a malware used by multiple Chinese threat actors, Velvet Ant will very likely target organizations with compromised systems by improving its techniques and blending in with legitimate network traffic to avoid future detection. Velvet Ant will almost certainly be able to launch prolonged attacks by exploiting Dynamic Link Library (DLL) side-loading techniques, very likely weakening the target’s system integrity and requiring significant resources to recover from the attack.

  • Velvet Ant will likely identify future targets for espionage operations using the information collected from the victim’s network. Velvet Ant will very likely use stolen financial information and sensitive data like IP addresses, personnel information, and phone numbers to identify targets of interest and begin planning social engineering attacks against these organizations. Customers or clients of the target organization will likely face espionage attacks such as impersonation of trusted companies, phishing attempts, and waterhole campaigns.

  • Chinese cyber-espionage groups like Velvet Ant will very likely continue to target networked devices connected to the internet to maximize the number of exploited devices by breaching a single internet connection. Systems with an unprotected connection will very likely offer Velvet Ant and other groups a shortcut into a computer network, almost certainly without requiring sophisticated techniques or knowledge. Exploiting vulnerable antivirus detection connections will likely enable threat actors to remain undetected while routing stolen data through the target network’s servers.


Are you a threat, security, investigative, intelligence, or operational professional? Do you need to stay ahead of the latest global threats? Then you need to subscribe to the Counter Threat Center (CTC).


The CTC is the world's leading provider of threat intelligence and knowledge. We provide our subscribers with critical information about the wide range of global threats, so they can detect, deter, and defeat any threat before it can harm those they have been charged to protect.


Sign up for a free trial today and see for yourself how the CTC can help you keep your organization safe.


[1] Cyber warfare by Airman 1st Class Jared Lovett, licensed under Public Domain (Disclaimer: The appearance of U.S. Department of Defense (DoD) visual information does not imply or constitute DoD endorsement)

[2] Pakistani Threat Actors Caught Targeting Indian Gov Entities, SecurityWeek, June 2024, https://www.securityweek.com/pakistani-threat-actors-caught-targeting-indian-gov-entities/

[3] Hackers use F5 BIG-IP malware to stealthily steal data for years, Bleeping Computer, June 2024, https://www.bleepingcomputer.com/news/security/hackers-use-f5-big-ip-malware-to-stealthily-steal-data-for-years/ 
