Unidentified cyber attackers recently attempted to breach the internal computer systems of the Indian Air Force (IAF) with the aim of stealing sensitive data. The attackers exploited open-source malware developed using a programming language created at Google. Fortunately, the IAF did not experience any data loss during the incident.
According to a report from the US-based cyber threat intelligence firm Cyble on January 17, a variant of the Go Stealer malware was identified. This malware, publicly available on GitHub, was specifically designed to target IAF systems. The exact timing of the attack remains unclear. Sources familiar with the situation emphasized that "no loss of data from the IAF occurred through this malware attack" due to the implementation of sufficient security measures.
In September of the previous year, the Indian government had ordered 12 of these fighter jets. The attackers orchestrated a remotely controlled trojan attack by deploying the malware payload, a ZIP file titled "SU-30_Aircraft_Procurement," hosted on the anonymous cloud storage provider Oshi. The malware was distributed through phishing emails sent to Air Force officials.
Upon downloading and extracting the infected ZIP file, recipients unknowingly initiated a sequence of infection involving progression from a ZIP file to an ISO file, and ultimately a .lnk file. The stealer malware, capable of extracting sensitive login credentials through the team communication platform Slack, was concealed behind a distractor PDF file titled ‘Sample’.
The malware developers, as described on GitHub, engineered Go Stealer to be potent against various web browsers, expanding its capabilities beyond Firefox and Google Chrome. Go Stealer is based on Google’s open-source programming language Go, also known as Golang, which has become increasingly exploited by malicious actors for cyber-attacks. Initially detected in mid-2018, Golang-based malware, including Go Stealer, has seen a rising trend in usage according to the US-based technology firm F5.