Operation FlightNight - Indian Defense and Energy Sectors targeted in cyber-espionage campaign

Inderjeet Singh
2 min read · Mar 30, 2024


⛔ ⚠ Summary: A cyber-espionage campaign dubbed "Operation FlightNight" targeted Indian government entities and energy companies with a modified build of the open-source HackBrowserData information stealer, delivered through phishing emails disguised as Indian Air Force invitation letters. Stolen documents and browser data were exfiltrated to attacker-controlled Slack channels.

⚠ Threat Actor/Threat Group: Not mentioned.

⚠ Malware: HackBrowserData (modified version)

⚠ Targeted Countries: India

⚠ Targeted Industries: Government, Energy

⚠ Specific Applications/CVEs: No specific applications or CVEs mentioned.

⚠ Impact: Data Exfiltration, Cyber Espionage

⚠ MITRE TTP IDs: T1567, T1539, T1217, T1071.001, T1083, T1566.002, T1036.008, T1140, T1204.002

📌 Indian government entities and energy companies were targeted by attackers seeking to deliver a modified version of the open-source information stealer HackBrowserData and collect sensitive information.

📌 The campaign was discovered in early March 2024 by an EclecticIQ researcher and codenamed Operation FlightNight, after the Slack channels the adversary used for exfiltration.

📌 The information stealer was delivered via a phishing email masquerading as an invitation letter from the Indian Air Force.

📌 The attack chain starts with a phishing message carrying an ISO file ("invite.iso"). The mounted image contains a Windows shortcut (LNK) that, when opened, launches a hidden binary ("scholar.exe") stored on the same image.

📌 At the same time, a lure PDF claiming to be an invitation letter from the Indian Air Force is displayed to the victim, while the malware quietly harvests documents and cached web browser data and uploads them to an actor-controlled Slack channel named FlightNight.

📌 The malware is an altered version of HackBrowserData that extends its browser data theft with the ability to collect documents (Microsoft Office, PDF and SQL database files), communicate over Slack, and evade detection through obfuscation.
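A detection-side view of the chain above, written for this post (it is not code from EclecticIQ, the campaign, or HackBrowserData): it correlates Sysmon-style process-creation (Event ID 1) and network-connection (Event ID 3) events to flag an executable that explorer.exe started from a non-system drive (what a double-clicked LNK inside a mounted ISO looks like) and that then talks to slack.com from a process which is not an allowlisted Slack client or browser. The drive letter E:, the process GUIDs, timestamps and the allowlist are assumptions, and the log lines are constructed for illustration, not indicators from the campaign.

```python
"""Hunt for a FlightNight-style chain in Sysmon-like telemetry.

Added example for this post; it is not code from the EclecticIQ report or
from the campaign. Field names follow Sysmon Event ID 1 (process create) and
Event ID 3 (network connect). The log lines, drive letter, GUIDs, timestamps
and hostnames below are constructed for illustration, not indicators taken
from the campaign.
"""
import json

# Processes expected to talk to slack.com on a workstation.
# Assumption: tune this to your own estate.
SLACK_ALLOWLIST = {"slack.exe", "chrome.exe", "msedge.exe", "firefox.exe"}
SYSTEM_DRIVE = "C:"

# Constructed Sysmon-style JSON lines (not real telemetry). The chain mirrors
# the post: explorer.exe runs scholar.exe from a mounted ISO, the lure PDF is
# opened, then scholar.exe uploads data to Slack. notepad.exe and slack.exe
# are benign noise to show what does not fire.
SAMPLE_LOGS = r"""
{"EventID": 1, "UtcTime": "2024-03-05 09:11:40", "Image": "E:\\scholar.exe", "ParentImage": "C:\\Windows\\explorer.exe", "ProcessGuid": "{G-SCHOLAR}"}
{"EventID": 1, "UtcTime": "2024-03-05 09:11:41", "Image": "C:\\Program Files\\Adobe\\Acrobat\\Acrobat.exe", "ParentImage": "E:\\scholar.exe", "ProcessGuid": "{G-PDF}"}
{"EventID": 1, "UtcTime": "2024-03-05 09:11:50", "Image": "C:\\Windows\\System32\\notepad.exe", "ParentImage": "C:\\Windows\\explorer.exe", "ProcessGuid": "{G-NOTEPAD}"}
{"EventID": 3, "UtcTime": "2024-03-05 09:12:05", "Image": "E:\\scholar.exe", "ProcessGuid": "{G-SCHOLAR}", "DestinationHostname": "files.slack.com", "DestinationPort": 443}
{"EventID": 3, "UtcTime": "2024-03-05 09:12:30", "Image": "C:\\Program Files\\Slack\\slack.exe", "ProcessGuid": "{G-SLACK}", "DestinationHostname": "wss-primary.slack.com", "DestinationPort": 443}
{"EventID": 3, "UtcTime": "2024-03-05 09:13:00", "Image": "C:\\Users\\u\\AppData\\Local\\Temp\\update.exe", "ProcessGuid": "{G-UPD}", "DestinationHostname": "slack.com", "DestinationPort": 443}
"""


def parse_events(text):
    """Parse JSON lines into event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _drive(path):
    return path[:2].upper() if len(path) >= 2 and path[1] == ":" else ""


def _is_slack_host(host):
    host = host.lower()
    return host == "slack.com" or host.endswith(".slack.com")


def hunt_flightnight_chain(events):
    """Return findings as dicts with 'severity', 'process_guid', 'image', 'reason'.

    Stage 1: explorer.exe starting an executable from a drive other than the
    system drive, which is what a double-clicked LNK inside a mounted ISO
    looks like (medium on its own: USB sticks trip it too).
    Stage 2: a non-allowlisted process connecting to slack.com. A stage-2 hit
    from a process that already tripped stage 1 is rated high.
    """
    findings = []
    stage1 = set()
    for ev in events:
        if ev.get("EventID") != 1:
            continue
        parent = _basename(ev.get("ParentImage", ""))
        drive = _drive(ev.get("Image", ""))
        if parent == "explorer.exe" and drive and drive != SYSTEM_DRIVE:
            stage1.add(ev["ProcessGuid"])
            findings.append({
                "severity": "medium",
                "process_guid": ev["ProcessGuid"],
                "image": ev["Image"],
                "reason": f"explorer.exe launched a binary from non-system drive {drive}",
            })
    for ev in events:
        if ev.get("EventID") != 3:
            continue
        host = ev.get("DestinationHostname", "")
        if not _is_slack_host(host) or _basename(ev.get("Image", "")) in SLACK_ALLOWLIST:
            continue
        linked = ev["ProcessGuid"] in stage1
        findings.append({
            "severity": "high" if linked else "medium",
            "process_guid": ev["ProcessGuid"],
            "image": ev["Image"],
            "reason": f"non-allowlisted process connected to {host}"
                      + (" after launching from a non-system drive" if linked else ""),
        })
    return findings


def severities(findings):
    """Count findings by severity (useful for assertions and dashboards)."""
    out = {}
    for f in findings:
        out[f["severity"]] = out.get(f["severity"], 0) + 1
    return out


if __name__ == "__main__":
    for f in hunt_flightnight_chain(parse_events(SAMPLE_LOGS)):
        print(f["severity"].upper(), f["image"], "-", f["reason"])
```

On the constructed sample this yields one high finding (scholar.exe, launched from E: and then uploading to files.slack.com) and two medium ones (the launch itself, and update.exe reaching slack.com without a stage-1 match); slack.exe and notepad.exe produce nothing. The suffix match on slack.com also covers webhook and file-upload endpoints, and the allowlist is the main tuning knob: a browser in the allowlist will hide Slack exfiltration done through a real browser session, so pair this with proxy-side monitoring of upload volumes to Slack where that matters.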

⭕ ⭕ The threat actor reportedly compromised private energy companies, harvesting financial documents, employees' personal details, and information about oil and gas drilling activities.

⭕ ⭕ Around 8.81 GB of data was exfiltrated over the course of the campaign.
