New Delhi: A new report published by Antiy Labs, a Chinese cybersecurity company, disclosed an active hacker team whose members are based in Delhi and which has been launching cyberattacks against government agencies and defence departments in China and Pakistan, Global Times reported.
The report presents a comprehensive analysis of the cyberattacks launched in South Asia by the organisation called You Xiang ("baby elephant" in English), revealing its targets, techniques and tooling, and exposing attackers who wear "invisible clothes" and hide behind screens.
The company's vice chief engineer, Li Bosong, told the Global Times that they first detected "baby elephant" activities in 2017, when a number of large-scale targeted cyberattacks on the government, military and defence departments of South Asian countries were found.
Analysis of the group's activities suggested that it is based in India and that it is distinct from another Indian hacker group named "white elephant."
The organisation had its own set of relatively independent attack resources and tools, but its attack capability was relatively rudimentary at that time, suggesting a newly established team with immature technical capabilities. "That's why we've named this new, advanced threat organisation 'baby elephant,'" Li said, as per the report.
Four years on, "baby elephant" is on the rampage and expanding its targets. "Since 2017, the number of 'baby elephant' attacks has doubled each year, and the attack methods and resources have gradually become richer, and the target has started to cover more areas in South Asia," Li said. "In 2021, the group began targeted attacks on Chinese institutions for intelligence theft."
The attacks detected by Antiy Labs include setting up phishing websites, attacking mobile phones with malicious Android applications, and deploying Trojans written in languages such as Python to steal documents, browser-cached passwords and other host environment information from compromised computers, the report said.
For example, "baby elephant" has impersonated the mail systems of the Nepalese Army, police and government bodies, including Nepal's Ministry of Foreign Affairs, the Ministry of National Defence and the Prime Minister's office, in targeted attacks aimed at harvesting email accounts for use in subsequent attacks.
It also distributed malicious Android applications disguised as a polling app about India-Nepal territorial disputes. Once a victim installs and opens the application, it requests system permissions; if those permissions are granted, it monitors the victim's mobile phone, Global Times reported.
The highlight of the report is that the hackers' location was exposed when the group uploaded its Trojans to public security resources to test whether they could evade anti-virus software. Retrieval of those resources showed that at least one sample uploader was located in Delhi, India. That uploader submitted eight test malicious files between November 23 and November 24, 2020, the report said, and those samples shared a high degree of code similarity with known "baby elephant" samples.