'HangOver' Indian Espionage Campaign Linked to Mac Malware
A new and unusually sneaky piece of Mac malware, discovered last week, has been linked to a larger online espionage campaign being waged from India.
The campaign, dubbed "HangOver" after a text string in the malware code, appears to be based in India and focuses on stealing industrial secrets from companies all over the world.
Snorre Fagerland, a researcher with the Norwegian-Swiss computer-security firm Norman, said in a blog posting that the attackers in the larger campaign were "not very good at covering their tracks."
Norman researchers found telltale clues that linked the campaign to attacks on targets in Pakistan, India's longtime adversary, and on a Norwegian telecommunications company.
Attacks against energy, automotive, military and financial targets in a dozen other countries have been attributed to the same campaign.
The Mac malware is the first inkling that the campaign had moved into new territory: spying on political activists.
Last week, American security researcher Jacob Appelbaum found that malware on an Angolan human-rights activist's Apple laptop was "signed" with a legitimate Apple developer ID, allowing it to slip past Apple's baked-in Gatekeeper security software.
Appelbaum gave the sample to F-Secure, a Finnish computer-security firm, which found that the malware had been secretly taking screenshots and sending them to two remote command-and-control servers.
Norman researchers reading about F-Secure's work noticed that the same command-and-control servers were being used for the HangOver campaign, even though most of the malware was written for Windows.
Norman also found the same Apple developer ID being used for another piece of Mac malware linked to HangOver.
Apple revoked the validity of the offending ID last week after learning about the first piece of malware.
Norman attributed the HangOver campaign to "private actors in India." Separate research on the same campaign by Slovakian security firm ESET also links it to India and finds that 79 percent of the infected machines are in Pakistan.