Aliases: APT-C-09, Chinastrats, Dropping Elephant, Monsoon, Operation Hangover, Patchwork, Quilted Tiger, Sarit
ATK11 (aka Patchwork) is a cyber espionage group active since at least 2010. One of its distinctive traits is the use of code copy-pasted from multiple online forums, combined with high-quality social engineering. Its earliest known activity was Operation Hangover, whose goal appeared to be the surveillance of targets of national security interest to India, such as Pakistan or the Nagaland movement. The group was also involved in the MONSOON campaign, which targeted several of India's neighbours across various sectors.
Patchwork uses topical and sector-specific themes in lure documents that exploit known vulnerabilities in Microsoft Office, delivered via email together with links to websites customized for the intended target. The group continuously adds new exploits (for known vulnerabilities, not 0-days) to its arsenal.
Patchwork uses various web services as C2 channels, such as RSS feeds, GitHub, forums, blogs and dynamic DNS hosts. Because these services are also used legitimately, such C2 traffic can be difficult to distinguish from normal browsing.
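One practical way to surface this kind of web-service C2 is to look for beacon-like regularity in requests to dead-drop style services (code hosting, feed endpoints, dynamic DNS domains) from a single client, since a human browsing GitHub or reading a blog does not poll it at a near-constant interval. The script below is an added example written for this page, not code from the original profile or from Thales; the proxy log format, the sample log lines, the list of watched host and path patterns and the periodicity thresholds are all assumptions chosen for illustration.

```python
"""Flag beacon-like (periodic) requests to dead-drop style web services in proxy logs.

Added example; the log format, host/path patterns and thresholds are assumptions."""
import re
import statistics
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit

# Assumed log format: "<ISO timestamp> <client IP> <method> <URL> <user agent...>"
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (.*)$")

# Illustrative host/path patterns for services that attackers abuse as C2 dead drops.
# This list is an assumption for the example, not an indicator set from the page.
DEAD_DROP_HOST_PATTERNS = [
    r"(^|\.)githubusercontent\.com$",
    r"(^|\.)github\.com$",
    r"(^|\.)feedburner\.com$",
    r"(^|\.)no-ip\.(org|biz|com)$",
    r"(^|\.)ddns\.net$",
    r"(^|\.)dyndns\.org$",
]
DEAD_DROP_PATH_PATTERNS = [r"/rss", r"/feed", r"\.xml$", r"/raw/"]

# Constructed sample proxy log (not real traffic): one beaconing host polling a raw
# GitHub file every ~300 s, one user browsing github.com irregularly, and a
# periodic but benign intranet status check.
SAMPLE_LOG = """
2017-04-03T09:00:02 10.0.0.5 GET https://raw.githubusercontent.com/someuser/somerepo/master/feed.txt Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
2017-04-03T09:00:00 10.0.0.7 GET https://github.com/ Mozilla/5.0 (Windows NT 10.0) Chrome/57.0
2017-04-03T09:00:07 10.0.0.7 GET https://github.com/explore Mozilla/5.0 (Windows NT 10.0) Chrome/57.0
2017-04-03T09:00:10 10.0.0.5 GET http://intranet.corp.example/status Mozilla/5.0 (Windows NT 10.0) Chrome/57.0
2017-04-03T09:01:40 10.0.0.7 GET https://github.com/someuser Mozilla/5.0 (Windows NT 10.0) Chrome/57.0
2017-04-03T09:05:02 10.0.0.5 GET https://raw.githubusercontent.com/someuser/somerepo/master/feed.txt Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
2017-04-03T09:05:10 10.0.0.5 GET http://intranet.corp.example/status Mozilla/5.0 (Windows NT 10.0) Chrome/57.0
2017-04-03T09:10:03 10.0.0.5 GET https://raw.githubusercontent.com/someuser/somerepo/master/feed.txt Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
2017-04-03T09:10:10 10.0.0.5 GET http://intranet.corp.example/status Mozilla/5.0 (Windows NT 10.0) Chrome/57.0
2017-04-03T09:15:02 10.0.0.5 GET https://raw.githubusercontent.com/someuser/somerepo/master/feed.txt Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
2017-04-03T09:15:10 10.0.0.5 GET http://intranet.corp.example/status Mozilla/5.0 (Windows NT 10.0) Chrome/57.0
2017-04-03T09:15:12 10.0.0.7 GET https://github.com/someuser/somerepo Mozilla/5.0 (Windows NT 10.0) Chrome/57.0
2017-04-03T09:15:30 10.0.0.7 GET https://github.com/someuser/somerepo/issues Mozilla/5.0 (Windows NT 10.0) Chrome/57.0
2017-04-03T09:20:02 10.0.0.5 GET https://raw.githubusercontent.com/someuser/somerepo/master/feed.txt Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
"""


def parse_line(line):
    """Parse one log line into a dict, or return None for blank/malformed lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, _method, url, ua = m.groups()
    parts = urlsplit(url)
    return {"ts": datetime.fromisoformat(ts), "client": client,
            "host": parts.hostname or "", "path": parts.path, "ua": ua}


def is_dead_drop(host, path):
    """True if the host or path matches a watched dead-drop style service."""
    return (any(re.search(p, host) for p in DEAD_DROP_HOST_PATTERNS)
            or any(re.search(p, path) for p in DEAD_DROP_PATH_PATTERNS))


def is_periodic(timestamps, min_requests=4, max_cv=0.2):
    """Beacon heuristic: enough requests and a low coefficient of variation of the gaps."""
    if len(timestamps) < min_requests:
        return False
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    mean = statistics.mean(gaps)
    return mean > 0 and statistics.pstdev(gaps) / mean <= max_cv


def find_beacons(log_text):
    """Return one finding per (client, host, user agent) that polls a dead-drop service periodically."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_dead_drop(rec["host"], rec["path"]):
            groups[(rec["client"], rec["host"], rec["ua"])].append(rec["ts"])
    findings = []
    for (client, host, ua), stamps in groups.items():
        if is_periodic(stamps):
            ts = sorted(stamps)
            period = statistics.mean((b - a).total_seconds() for a, b in zip(ts, ts[1:]))
            findings.append({"client": client, "host": host, "ua": ua,
                             "requests": len(ts), "period_s": round(period)})
    return sorted(findings, key=lambda f: (f["client"], f["host"]))


if __name__ == "__main__":
    for f in find_beacons(SAMPLE_LOG):
        print(f"{f['client']} -> {f['host']} every ~{f['period_s']}s "
              f"({f['requests']} requests, UA: {f['ua']})")
```

On the constructed sample this flags only 10.0.0.5 polling raw.githubusercontent.com every ~300 s with an old Internet Explorer user agent; the interactive github.com browsing from 10.0.0.7 has irregular gaps and is ignored, and the equally periodic intranet status check is ignored because its host is not a watched service. In production the watched list, the minimum request count and the jitter tolerance need tuning against your own baseline, and grouping by user agent is deliberate: a C2 stub often carries a hard-coded UA that differs from the host's real browser.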
Some RTF files used by this group were linked to C2 servers that had been compromised and defaced by "R00t D3str0y3r" of "Indian Cyber Gangsters" / "lulzsec india", an anti-Pakistan group. By following the alias "R00t D3str0y3r", Fortinet managed to identify the person behind it in its article of April 2017. Nevertheless, Fortinet could not say whether "R00t D3str0y3r" is actually linked to the BADNEWS malware or whether this is a coincidence.
Multiple articles have noted similarities between Patchwork's behaviour and that of other groups (Confucius, Bahamut, Donot Team and BITTER APT), but there is no definitive conclusion as to whether these groups are the same.