
Malware Fabricated As Air Force Invitation Targets Indian Defence & Energy Sectors

The hackers employed Slack channels as conduits for exfiltrating sensitive data, including confidential documents, private emails, and cached browser data

Indian government entities and energy companies have fallen victim to a sophisticated cyberattack by unidentified hackers. The attack, which commenced on March 7, 2024, has been dubbed “Operation FlightNight” by cybersecurity researchers at EclecticIQ.

According to Arda Büyükkaya, a researcher at EclecticIQ, the attackers utilised a modified version of an open-source information stealer malware known as HackBrowserData. Their modus operandi involved sending phishing emails disguised as invitation letters from the Indian Air Force. Once the recipient clicked on the attachment, a concealed binary file (“scholar.exe”) was executed, initiating the malware’s operations.

The Slack channels used for exfiltration carried confidential documents, private emails, and cached browser data. This clandestine transfer of information amounted to a staggering 8.81 gigabytes over the course of the campaign.

The targets of this cyber attack included various governmental bodies in India, with a particular focus on those associated with electronic communications, IT governance, and national defence. Private energy companies were also compromised, with the attackers plundering financial documents, employee details, and information related to oil and gas drilling activities.

The malware employed in Operation FlightNight was an enhanced variant of HackBrowserData, boasting capabilities beyond mere browser data theft. This upgraded version could pilfer documents ranging from Microsoft Office files to SQL database records. Furthermore, the malware could communicate via Slack, thereby evading detection more effectively.

The origins of this cyber threat can be traced back to a phishing campaign targeting the Indian Air Force, which made use of a similar information stealer called GoStealer. The infection process mirrored that of FlightNight, employing deceptive ISO files and decoy PDFs to distract victims while sensitive data was surreptitiously siphoned off.

This trend of utilising freely available offensive tools highlights the evolving landscape of cyber threats. By leveraging legitimate platforms like Slack, hackers can operate with minimal risk of detection, thereby amplifying the potential damage inflicted on targeted organizations.
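As an added illustration of the detection angle (not code from EclecticIQ or from the report), the following Python triage pass runs over constructed proxy/EDR telemetry and flags processes other than the usual Slack clients reaching Slack's API, plus any host/process pair pushing more than 100 MiB to it. The field layout, hostnames, process allowlist and threshold are assumptions.

```python
"""Detection sketch: flag bulk uploads to Slack's API from unexpected processes.

Assumes egress proxy or EDR telemetry recording, per request, the source host
and process, destination host, URL path and bytes sent. The field layout,
allowlist and threshold are assumptions, not taken from the report.
"""
from collections import defaultdict

SLACK_API_HOSTS = {"slack.com", "files.slack.com"}
# Processes expected to talk to Slack on a workstation (assumption; tune per estate).
EXPECTED_PROCESSES = {"slack.exe", "chrome.exe", "msedge.exe", "firefox.exe"}
VOLUME_THRESHOLD_BYTES = 100 * 1024 * 1024  # 100 MiB per host/process

# Constructed sample telemetry (not real data), one request per line:
# <timestamp> <host> <process> <dst_host> <url_path> <bytes_sent>
SAMPLE_LOGS = """\
2024-03-07T09:01:02Z WS-011 slack.exe slack.com /api/chat.postMessage 2048
2024-03-07T09:02:10Z WS-011 chrome.exe files.slack.com /api/files.upload 1048576
2024-03-07T09:03:44Z WS-027 scholar.exe slack.com /api/files.upload 52428800
2024-03-07T09:04:01Z WS-027 scholar.exe slack.com /api/files.upload 73400320
2024-03-07T09:05:30Z WS-027 scholar.exe slack.com /api/chat.postMessage 512
2024-03-07T09:06:12Z WS-040 outlook.exe outlook.office365.com /owa/ 4096
"""

def parse_line(line):
    ts, host, proc, dst, path, sent = line.split()
    return {"ts": ts, "host": host, "proc": proc, "dst": dst, "path": path, "bytes": int(sent)}

def find_suspicious_slack_uploads(log_text):
    """Return findings: unexpected processes reaching Slack, and bulk senders."""
    findings, flagged = [], set()
    volume = defaultdict(int)  # (host, proc) -> bytes sent to Slack API hosts
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev["dst"] not in SLACK_API_HOSTS:
            continue
        key = (ev["host"], ev["proc"])
        volume[key] += ev["bytes"]
        if ev["proc"].lower() not in EXPECTED_PROCESSES and key not in flagged:
            flagged.add(key)
            findings.append({"rule": "unexpected_process_to_slack", "host": ev["host"],
                             "proc": ev["proc"], "first_path": ev["path"]})
    for (host, proc), sent in volume.items():
        if sent >= VOLUME_THRESHOLD_BYTES:
            findings.append({"rule": "bulk_upload_to_slack", "host": host,
                             "proc": proc, "bytes": sent})
    return findings
```

The volume rule catches a renamed or allowlisted process that still pushes gigabytes, while the process rule catches a single small beacon from a binary that has no business talking to Slack.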

Details of this activity had previously been disclosed by security researcher xelemental (@ElementalX2) in mid-January 2024, shedding light on the growing menace posed by cyber espionage utilising open-source tools.

Arda Büyükkaya emphasised the significance of these findings, highlighting the need for heightened vigilance in the face of increasingly sophisticated cyber threats. He stressed the importance of organisations remaining proactive in their cybersecurity measures to thwart such malicious activities effectively.
