A new report published by Antiy Labs, one of China's best-known cybersecurity companies, has disclosed an active hacker team whose members are based in Delhi and which has been launching cyberattacks against government agencies and defense departments in China and Pakistan.
The report is a comprehensive analysis of the cyberattacks launched in South Asia by the organization known as You Xiang ("baby elephant" in English), revealing its targets, techniques and tooling, and exposing attackers who wear "invisible clothes" and hide behind screens.
The company's deputy chief engineer, Li Bosong, told the Global Times on Friday that they first detected "baby elephant" activity in 2017, when a number of large-scale targeted cyberattacks on the government, military and defense departments of South Asian countries were discovered.
Analysis of its activities suggested that the group is from India, and that it is distinct from another Indian hacker group known as "white elephant."
The organization had its own relatively independent set of attack resources and tools, but its attack capability was still rudimentary at that time. It was probably a newly established attack team with immature technical capabilities. "That's why we've named this new, advanced threat organization 'baby elephant,'" Li said.
Four years on, the "baby elephant" is on the rampage and expanding its targets. "Since 2017, the number of 'baby elephant' attacks has doubled each year, and the attack methods and resources have gradually become richer, and the target has started to cover more areas in South Asia," Li said. "In 2021, the group began targeted attacks on Chinese institutions for intelligence theft."
The attacks detected by Antiy Labs include setting up phishing websites, attacking mobile phones with malicious Android applications, and deploying Trojans written in languages such as Python to steal documents, browser-cached passwords and other host environment information from computers.
For example, the "baby elephant" has disguised itself as the mail systems of the Nepalese army, police and government, including Nepal's Ministry of Foreign Affairs, the Ministry of National Defense and the Prime Minister's office, in targeted attacks aimed at harvesting email accounts for use in subsequent attacks.
It has also posed as a polling app about the India-Nepal territorial dispute, delivered as a malicious Android application. After the victim installs and opens it, the application asks the user for system permissions; if they are granted, it monitors the victim's mobile phone.
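A first triage step for an Android lure of this kind is to look at what the app asks for: a poll needs network access, not the SMS store, contacts, microphone and GPS. The following is an added example, not code from Antiy Labs or from the report, that parses a decoded AndroidManifest.xml and flags a manifest declaring several surveillance-grade permissions. The permission grouping, the threshold and both sample manifests (package names included) are my own constructed inputs for the demonstration.

```python
from __future__ import annotations
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Permissions that, taken together, let an app surveil the device owner.
# This grouping is my own triage heuristic, not a list taken from the report.
SURVEILLANCE_PERMISSIONS = {
    "android.permission.READ_SMS": "read stored text messages",
    "android.permission.RECEIVE_SMS": "intercept incoming text messages",
    "android.permission.READ_CONTACTS": "read the contact list",
    "android.permission.READ_CALL_LOG": "read call history",
    "android.permission.RECORD_AUDIO": "record from the microphone",
    "android.permission.CAMERA": "capture images from the camera",
    "android.permission.ACCESS_FINE_LOCATION": "track precise location",
    "android.permission.READ_EXTERNAL_STORAGE": "read files on shared storage",
}


def declared_permissions(manifest_xml: str) -> set[str]:
    """Return the android:name of every <uses-permission> in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    return {
        el.get(f"{{{ANDROID_NS}}}name", "")
        for el in root.iter("uses-permission")
    }


def triage(manifest_xml: str, threshold: int = 3) -> dict:
    """Flag a manifest that declares at least `threshold` surveillance permissions."""
    perms = declared_permissions(manifest_xml)
    hits = {p: SURVEILLANCE_PERMISSIONS[p] for p in perms if p in SURVEILLANCE_PERMISSIONS}
    return {
        "suspicious": len(hits) >= threshold,
        "hits": hits,
        "all_permissions": sorted(perms),
    }


# Constructed manifest for a hypothetical "border poll" app that asks for far
# more than a poll needs. Package name and permissions are made up for the demo.
SAMPLE_POLL_APP = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.borderpoll">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <application android:label="Border Poll"/>
</manifest>"""

# Constructed manifest for a poll app that only needs network access.
SAMPLE_BENIGN_APP = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.poll">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Poll"/>
</manifest>"""


if __name__ == "__main__":
    for label, manifest in (("border poll", SAMPLE_POLL_APP), ("plain poll", SAMPLE_BENIGN_APP)):
        result = triage(manifest)
        verdict = "SUSPICIOUS" if result["suspicious"] else "ok"
        print(f"{label}: {verdict}")
        for perm, meaning in sorted(result["hits"].items()):
            print(f"  {perm}: {meaning}")
```

On a real APK the manifest is stored as binary XML, so decode it first (for example with apktool) before feeding it to `triage`. Declared permissions only show what the app can do once granted; runtime behaviour still needs confirming in a sandbox, since a legitimately over-permissioned app will trip the same rule.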
The highlight of the report is that the hackers' location was exposed when the group uploaded its Trojans to public online anti-virus scanning services to test whether they could evade anti-virus software. Records retrieved from those services showed that at least one sample uploader was in Delhi, India. The hacker uploaded eight test malicious files between November 23 and November 24, 2020, and those samples shared a high degree of code similarity with known "baby elephant" samples.
Judging from previous activities, some hacking organizations from India are not very well concealed. Partly this is due to their imperfect attack capabilities, but more importantly it reflects the have-nothing-to-fear mindset of the attackers. The physical location of one attacker most likely represents the location of the entire hacking organization, Li said.
"Despite constantly diversifying attack methods and more abundant functions of the malicious files, attacks could still be traced to the 'baby elephant' based on its targets, tactics and decoys, and Trojan homology," Li said.
The targets of the attacks overlap, including those in Nepal, Pakistan and Afghanistan. The techniques and tactics used resemble the early-stage behavior of the "baby elephant," including malicious shortcut (.lnk) files, malicious HTA scripts and Python Trojans, according to Li.
Li also pointed out the similarity of their domain names, which tend to imitate the official domain names of government bodies and state-owned enterprises in Pakistan, Nepal and Sri Lanka. They also tend to use dynamic DNS domains provided by the US service No-IP, such as hopto.org and myftp.org.
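Both infrastructure traits described above are cheap to hunt for in DNS logs: names registered under the No-IP dynamic DNS suffixes, and names that embed or imitate an official government suffix while being registered somewhere else. The following is an added example, not code from Antiy Labs or the report, that runs those two checks over constructed DNS query lines. The list of official suffixes, the lure tokens and the sample log are my own assumptions for the demonstration; only hopto.org and myftp.org come from the text.

```python
from __future__ import annotations
import re

# Dynamic-DNS suffixes named in the report; both belong to No-IP.
DYNAMIC_DNS_SUFFIXES = ("hopto.org", "myftp.org")

# Official government/military suffixes the lures imitate. This set is my
# assumption for the demo; extend it with the domains your organisation cares about.
OFFICIAL_SUFFIXES = ("gov.np", "mil.np", "gov.pk", "gov.lk")

# Whole-label tokens that suggest a spoof of an official mail system or portal
# when they appear in a domain registered outside the official suffixes.
LURE_TOKENS = {"mail", "webmail", "gov", "mofa", "army", "police", "nepal", "pakistan"}


def under_suffix(domain: str, suffix: str) -> bool:
    """True if `domain` is `suffix` itself or a subdomain of it."""
    return domain == suffix or domain.endswith("." + suffix)


def labels(domain: str) -> list[str]:
    """Split on both '.' and '-' so mofa-gov-np.com yields ['mofa', 'gov', 'np', 'com']."""
    return [t for t in re.split(r"[.-]", domain) if t]


def classify(domain: str) -> str | None:
    """Return 'dynamic-dns', 'lookalike' or None for a queried name."""
    d = domain.lower().rstrip(".")
    if any(under_suffix(d, s) for s in DYNAMIC_DNS_SUFFIXES):
        return "dynamic-dns"
    if any(under_suffix(d, s) for s in OFFICIAL_SUFFIXES):
        return None  # genuinely under an official suffix
    toks = labels(d)
    # An official suffix embedded as labels of a domain registered elsewhere,
    # e.g. mail.gov.np.webmail-login.com or mofa-gov-np.com.
    for s in OFFICIAL_SUFFIXES:
        parts = s.split(".")
        for i in range(len(toks) - len(parts) + 1):
            if toks[i:i + len(parts)] == parts:
                return "lookalike"
    if LURE_TOKENS & set(toks):
        return "lookalike"
    return None


# Constructed DNS query log: timestamp, client, record type, queried name.
SAMPLE_DNS_LOG = """\
2021-06-01T08:00:01Z 10.0.0.12 A mail.gov.np
2021-06-01T08:00:05Z 10.0.0.12 A mail.gov.np.webmail-login.com
2021-06-01T08:01:10Z 10.0.0.23 A nepalarmy-mail.net
2021-06-01T08:02:44Z 10.0.0.23 A update.hopto.org
2021-06-01T08:03:00Z 10.0.0.31 A www.example.com
2021-06-01T08:03:30Z 10.0.0.31 A gmail.com
"""


def hunt(log_text: str) -> list[tuple[str, str, str]]:
    """Return (client, domain, verdict) for every query that trips a rule."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, client, _rtype, qname = line.split()
        verdict = classify(qname)
        if verdict:
            findings.append((client, qname, verdict))
    return findings


if __name__ == "__main__":
    for client, qname, verdict in hunt(SAMPLE_DNS_LOG):
        print(f"{client:12} {verdict:12} {qname}")
```

Dynamic DNS has plenty of legitimate users, so a `dynamic-dns` hit is a lead to pivot on (which hosts resolved it, what they fetched next), not a verdict on its own. The lure-token list will need tuning per environment; matching whole labels rather than substrings is what keeps `gmail.com` from being flagged alongside `nepalarmy-mail.net`.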
Multiple signs show that the "baby elephant" has become one of the most active and mature cyberattack organizations threatening the cybersecurity of South Asia and the Asia-Pacific.
It is also likely to become the main attack group in South Asia in the future, Li said, calling for attention to be paid to the "baby elephant."
The countries attacked by the "baby elephant" are usually weak economically and limited in digital infrastructure and cybersecurity capabilities. But like any other country, they have the right to defend their sovereignty, security and interests, Li pointed out.
Cyberattacks from South Asian regions, mainly India, target China’s key industries. Graphic: Feng Qingyin/GT
In a previous interview, Antiy Labs told the Global Times that since March it had detected several phishing campaigns targeting government, defense and military units, as well as state-owned enterprises, in China, Pakistan and Nepal. The organization behind the attacks is from India and its activity can be traced back to as early as April 2019.
More first-hand material obtained by the Global Times from several of China's leading cybersecurity companies has further revealed a sophisticated network: top hackers from South Asia, mainly India, have persistently attacked defense and military units as well as state-owned enterprises in China, Nepal and Pakistan over the past few years, and such attacks are on the rise under new disguises built around trending international topics.
Global Times