Symantec published a blog on Suckfly, an advanced cyber espionage group that conducted attacks against a number of South Korean organizations to steal digital certificates. Since then we have identified a number of attacks over a two-year period, beginning in April 2014, which we attribute to Suckfly. The attacks targeted high-profile targets, including government and commercial organizations. These attacks occurred in several different countries, but our investigation revealed that the primary targets were individuals and organizations primarily located in India.
While there have been several Suckfly campaigns that infected organizations with the group’s custom malware Backdoor.Nidiran, the Indian targets show a greater amount of post-infection activity than targets in other regions. This suggests that these attacks were part of a planned operation against specific targets in India.
Campaign activity in India
The first known Suckfly campaign began in April of 2014. During our investigation of the campaign, we identified a number of global targets across several industries who were attacked in 2015. Many of the targets we identified were well known commercial organizations located in India.
These organizations included:
- One of India's largest financial organizations
- A large e-commerce company.
- The e-commerce company's primary shipping vendor
One of India's top five IT firms - A United States healthcare provider's Indian business unit
- Two government organizations
Suckfly spent more time attacking the government networks compared to all but one of the commercial targets.
Additionally, one of the two government organizations had the highest infection rate of the Indian targets. Symantec believes that Suckfly will continue to target organizations in India, and similar organizations in other countries to provide economic insight to the organization behind Suckfly's operations.