Delaware, USA – November 14, 2018 – For the second time in a month, Pakistan has attracted public attention due to cyber attacks. Earlier this month, Pakistani CERT reported that almost all banks in the country were affected by a data breach. This time, researchers uncovered Operation Shaheen, a complex cyber-espionage campaign targeted at the Pakistan Air Force. The operation has been carried out for about a year by a previously unknown APT group, which experts from Cylance have called White Company as they take many elaborate measures to evade attribution. The group sent phishing emails to members of the Air Force trying to infiltrate the networks of the Pakistani military. In each case, the attackers sent a specially crafted email related to the Pakistani government, Air Forces or Chinese military. At the beginning of the campaign, emails contained a link to the compromised sites, and then the attackers switched to sending malicious Word documents. White Company infects its victims with a remote access trojans, which install multifunctional spyware. After infection, the malware carefully covers all traces of the attack layering the payload within multiple packing layers, and that’s why it successfully hides from most popular antivirus solutions.
White Company is a state-sponsored group that has enough resources to carry out sophisticated cyber-espionage campaigns. Their tactics, tools, and procedures challenge the long-held beliefs of many investigators and researchers. The APT Framework analytical bundle for SIEM provides higher-level analysis and cross-correlation of lower-level incidents enhancing the visibility of advanced and persistent threats, as well as identifying sudden spikes in activity that may be of interest or indicate an ongoing attack: https://my.socprime.com/en/integrations/apt-framework-hpe-arcsight