Peculiar malware trail raises questions about security firm in India

Security firm Norman, investigating cyber-espionage-related to a Norwegian telecom company, the Pakastani government and others, says a lot of its findings lead to the word “Appin,” which happens to be the name of a security outfit in India whose website indicates it does work for the Indian military.

Though not directly accusing Appin Security Group of conducting malware-based cyber-espionage, Snorre Fagerland, head of research at Norman Shark Cyber Research Labs in Oslo, says the simple fact is that the Appin name “keeps popping up in our data” as the investigation has proceeded. Among other circumstantial evidence tied to what appears to be command-and-control malware downloaders and data-stealers used for at least three years, the name Appin is tied to:

• The strings in the executable malware, the domain registrations and the malicious domains of which there are more than 600, where the word Appin can be discovered.
• Some email services tied to the cyber-espionage attack that show a banner containing the word Appin
• Some of the malicious domains used in the attack hosted at the same facility — Mantra Tech Ventures –that Appin uses

It’s all quite “peculiar,” says Fagerland, adding that all of this certainly could be a way to smear the name of Appin Security Group in India. “It’s quite possible these names are fake.” Neither he nor anyone else at Norman knows for sure.

[ MORE SECURITY:Online gaming firm recounts fight for survival vs. DDoS attacks]

Norman has been looking into a cyber-espionage attack against Norwegian-based telecommunications firm Telenor in which it also found circumstantial evidence linked to cyber-espionage against Pakistan that seems to have a trail going back to India. Norman has summarized its investigation in a report titled “Operation Hangover.”

Using anti-malware techniques such as “sinkholing” against malicious command-and-control servers, Norman’s Fagerland says it appears that there has been a cyber-espionage attack going on against the Pakistani government for at least three years. He says it appears the Pakistani government and military networks were compromised, along with Pakistani embassies.

Fagerland points out one other odd aspect of this investigation is that a software developer claiming to be a freelancer whose resume included a background working for Appin posted code on the Nokia online forum asking for advice on constructing it — and this code displayed one of the domains associated with the cyber-espionage that’s believed to be ongoing against the government of Pakistan and others.

This individual posting on the forum “was trying to figure out why the code didn’t work well,” says Fagerland. This person, claiming to be a specialist in employee-monitoring software, didn’t indicate any intent to use the code maliciously and may not even have known that’s what was being constructed with this code, he notes.

But the malware code examined by Norman is a cyber-espionage tool designed to use keyloggers, Trojans and other methods to look for important information and upload it to the attacker. The attack code is not like what has been seen on the black market in general, Fagerland adds.

But Norman thinks the cyber-espionage probably associated with the same attackers has been broader, finding more recent ties to espionage against coal-mining group Bumi in the United Kingdom and elsewhere, including China and some local groups in India.

When we were initially seeking an Appin response to the Norman findings on Monday, we were unable to reach Appin, but did find its website displaying a page with an explanation about what it says is unusual behavior related to its company name. The Web explanation from Appin Security Group reads:

“Public Notice: We have reason to believe, based on reported incidents, that some individuals/entities are misusing the good name of ASG/Appin/Appin Security Group to create fictitious domain, mail accounts, domain registrant info and business cards in order to lure clients. We would like to warn the public at large not to be misled by any communication received through fictitious domains which are purportedly being made by, or on behalf of our company.” The Appin website urged any information about it to be shared with the firm.

Appin Security Group says its clients include the Ministry of Defense in India, including the army, navy and air force units, as well as the president, plus the Indian Police Service, the Delhi Metro Rail Corp and nuclear power plants.

Ellen Messmer is senior editor at Network World, an IDG publication and website, where she covers news and technology trends related to information security. Twitter: @MessmerE. Email: emessmer@nww.com.

Read more about wide area network in Network World’s Wide Area Network section.