Researchers at the security firm Symantec report that materials research organizations in Asia have been targeted by a previously unknown threat group, tracked as Clasiopa.
The group's origin and affiliation are currently unknown, but there are hints that the attackers may have ties to India. This conclusion rests on the string "SAPTARISHI-ATHARVAN-101" found in the backdoor (Saptarishi, the seers of Hindu literature; Atharvan, a priest credited with part of the Hindu religious scriptures) and on the password "iloveindea1998^_^" used for the malicious ZIP archive.
"While these details may indicate that the group is based in India, it is also likely that the information was planted as a false flag, and the password, in particular, seems too obvious a clue," Symantec said in the report.
The exact means of initial access is also unclear, although there are suspicions that the attackers are brute-forcing Internet-facing servers. Key signs of intrusion include clearing the Sysmon (system monitor) and Windows event logs, and deploying several backdoors, including Atharvan and a modified version of the open-source Lilith RAT, to steal sensitive information.
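The two intrusion signs above (a brute-force burst against an exposed server, followed by event-log clearing) both leave Windows event-log traces a defender can alert on: failed logons are Security event 4625, clearing the Security log produces event 1102, and clearing any other log (Sysmon's operational log included) produces event 104 in the System log naming the cleared channel. The following detector is an added example, not code from the Symantec report or from Clasiopa's tooling; the JSON-lines telemetry, host names, IP addresses and user names are constructed for illustration, and the five-failures-in-two-minutes threshold is an assumed tuning value.

```python
"""Flag brute-force logon bursts and event-log clearing in Windows event records.

Added example. The sample records below are constructed, not real telemetry; the
field names loosely follow the Windows event-log schema (EventID, Channel,
TimeCreated, plus a few EventData keys the two checks need).
"""
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry: a burst of failed logons from one source, a
# success from the same source, then the Security log and the Sysmon log cleared.
SAMPLE_LOG = """
{"EventID": 4624, "Channel": "Security", "TimeCreated": "2023-02-20T08:00:00", "TargetUserName": "alice", "IpAddress": "10.0.0.5"}
{"EventID": 4625, "Channel": "Security", "TimeCreated": "2023-02-20T09:00:01", "TargetUserName": "administrator", "IpAddress": "203.0.113.7"}
{"EventID": 4625, "Channel": "Security", "TimeCreated": "2023-02-20T09:00:03", "TargetUserName": "administrator", "IpAddress": "203.0.113.7"}
{"EventID": 4625, "Channel": "Security", "TimeCreated": "2023-02-20T09:00:06", "TargetUserName": "admin", "IpAddress": "203.0.113.7"}
{"EventID": 4625, "Channel": "Security", "TimeCreated": "2023-02-20T09:00:09", "TargetUserName": "admin", "IpAddress": "203.0.113.7"}
{"EventID": 4625, "Channel": "Security", "TimeCreated": "2023-02-20T09:00:12", "TargetUserName": "svc_backup", "IpAddress": "203.0.113.7"}
{"EventID": 4624, "Channel": "Security", "TimeCreated": "2023-02-20T09:00:20", "TargetUserName": "svc_backup", "IpAddress": "203.0.113.7"}
{"EventID": 4625, "Channel": "Security", "TimeCreated": "2023-02-20T10:15:00", "TargetUserName": "bob", "IpAddress": "10.0.0.9"}
{"EventID": 1102, "Channel": "Security", "TimeCreated": "2023-02-20T09:30:00", "SubjectUserName": "svc_backup"}
{"EventID": 104, "Channel": "System", "TimeCreated": "2023-02-20T09:30:05", "SubjectUserName": "svc_backup", "Message": "The Microsoft-Windows-Sysmon/Operational log file was cleared."}
"""

# (Channel, EventID) pairs that mean a log was wiped.
LOG_CLEAR_IDS = {("Security", 1102), ("System", 104)}
CLEARED_LOG_RE = re.compile(r"The (.+?) log file was cleared")


def parse_events(text):
    """Parse JSON-lines event records into dicts with a datetime TimeCreated."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["TimeCreated"] = datetime.fromisoformat(ev["TimeCreated"])
        events.append(ev)
    return events


def detect_log_clearing(events):
    """Return one alert per log-clearing event, naming the log that was wiped."""
    alerts = []
    for ev in events:
        if (ev["Channel"], ev["EventID"]) not in LOG_CLEAR_IDS:
            continue
        cleared = ev["Channel"]  # 1102 always means the Security log itself
        if ev["EventID"] == 104:
            # 104 names the cleared channel only in its message text
            m = CLEARED_LOG_RE.search(ev.get("Message", ""))
            cleared = m.group(1) if m else "unknown"
        alerts.append({"time": ev["TimeCreated"],
                       "user": ev.get("SubjectUserName", "?"),
                       "cleared_log": cleared})
    return alerts


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=2)):
    """Flag a source IP with `threshold` failed logons inside `window`.

    Also records whether the same source later logged on successfully, which
    turns a noisy scan into a probable compromise worth immediate triage.
    """
    failures = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["TimeCreated"]):
        if ev["EventID"] == 4625 and ev["Channel"] == "Security":
            failures[ev["IpAddress"]].append(ev)
    alerts = []
    for ip, evs in failures.items():
        # Sliding window over the time-ordered failures from this source.
        for i in range(len(evs) - threshold + 1):
            if evs[i + threshold - 1]["TimeCreated"] - evs[i]["TimeCreated"] <= window:
                burst_end = evs[i + threshold - 1]["TimeCreated"]
                succeeded = any(e["EventID"] == 4624 and e.get("IpAddress") == ip
                                and e["TimeCreated"] > burst_end for e in events)
                alerts.append({"source_ip": ip,
                               "failures": len(evs),
                               "users": sorted({e["TargetUserName"] for e in evs}),
                               "followed_by_success": succeeded})
                break  # one alert per source is enough
    return alerts


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for a in detect_bruteforce(evs):
        print("BRUTE-FORCE", a)
    for a in detect_log_clearing(evs):
        print("LOG-CLEARED", a)
```

On the constructed sample this reports one brute-force source (203.0.113.7, five failures across three account names, followed by a successful logon) and two log-clearing events, the second naming the Sysmon operational log. In production the log-clearing events should be shipped off-host before an attacker can wipe them, since the whole point of clearing the logs is to erase exactly these records.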
In addition, Atharvan can contact a hard-coded command-and-control (C2, C&C) server address to fetch and run arbitrary executable files on the infected host. The C&C servers were hosted on Amazon AWS in South Korea, which is not a common location for C2 infrastructure.
Judging by the tools and tactics used, the group's main motive is to maintain persistent, undetected access to compromised devices and to steal information.