An attempt to steal sensitive data from Defence Metallurgical Research Laboratory (DMRL), the research lab of DRDO, through cyber-attack was detected and blocked in September, security software maker Quick Heal has said in its report.
“We have been closely tracking an attack campaign named as ‘Sinon’ specifically aimed at the Defence Metallurgical Research Laboratory (DMRL), research laboratory of the Defence Research and Development Organisation (DRDO),” said Quick Heal Chief Technology Officer Sanjay Katkar, sharing contents of the report.
The report said that the attack termed as ‘Sinon Campaign’ was detected on September 5, 2014 and was carried out through a genuine looking email? spear-phishing email – with an infected attachment designed to exploit an old vulnerability in Windows operating system.
“The threat was immediately found and blocked by our end point security solution active in DRML’s computer thus making it completely harmless. We took a couple of weeks’ time to understand that the threat blocked was actually an invasive effort to penetrate and steal our defence intelligence,” Katkar said.
He did not share the damage that the attack could have done in stealing information from the lab located in Hyderabad but said the thwarted attack was “capable of copying sensitive data and sending it to the attackers server, and the attackers would also have full control over the machine from its Control & Command centre.”
The Quick Heal analysis of the attack showed that it was being executed through a server in Vietnam but that the server address and other details could have been a fake registration.
The location of original attacker was not shared in the report.
The attack was executed through a genuine looking e-mail and once the spear-phishing email was opened, it opened a fake document.
The fake document downloaded a malicious code.
“While the document would completely misguide the victim, the malware would create another huge avg.dll file of 28MB size to misguide anti-virus or any other debugging software.
This file once installed looks like a genuine antivirus software,” the report said.
Earlier this year the Indian Infosec Consortium found that about 3,000 Internet connections in Delhi were compromised probably for snooping from foreign locations.
The list included names of Defence Ministry at South Block and the Chief of Naval Staff in C-Wing at South Block.
Government’s cyber-security arm Computer Emergency Response Team-India (CERT-In) reported 62,189 cyber-security incidents in first five months of the current calendar year.
The attacks have been observed to be originating from the cyberspace of a number of countries including the US, Europe, Brazil, Turkey, China, Pakistan, Bangladesh, Algeria and the UAE, but could not be established.