Operation Shaheen – Pakistan Air Force members targeted by nation-state attackers

Security firm Cylance has uncovered a sophisticated state-sponsored campaign, tracked as Operation Shaheen, against the Pakistan Air Force.

According to the experts the campaign was carried out by a nation-state actor tracked as the White Company with access to zero-day exploits and exploit developers.

“The preliminary findings detail one of the group’s recent campaigns, a year-long espionage effort directed at the Pakistani Air Force. Cylance calls the campaign Operation Shaheen and the organization The White Company—in acknowledgement of the many elaborate measures the organization takes to whitewash all signs of its activity and evade attribution.” reads the press release published by Cylance.

“The Pakistani Air Force is not just an integral part of the country’s national security establishment—including its nuclear weapons program—but it is also the newly announced home of the country’s National Centre for Cyber Security. A successful espionage operation against such a target could yield significant tactical and strategic insight toa range of foreign powers.”

As part of Operation Shaheen, White Company hackers targeted members of the Pakistan Air Force with spear-phishing messages that weaponized lure files with names referenced events, government documents, or news articles of interest for the targets (i.e. the Pakistani Air Force, the Pakistani government, and Chinese Military and advisers in Pakistan).

Attackers initially used phishing messages with links to compromised websites, then they switched to emails using infected Word documents as attachments.

In both cases, the researchers found, the emails were specifically crafted to reference topics that would be relevant to appeal to the targets: the Pakistani Air Force, the Pakistani government, and Chinese Military and advisers in Pakistan.

“We cannot say with precision where those documents went, or which were successful. However, we can say that the Pakistan Air Force was a primary target. This is evident by the overriding themes expressed in document filenames, the contents of the decoy documents, and the specificity employed in the military-themed lures.” continues the report published by Cylance.

“In addition, as explained below, the malware delivered by these lures was delivered from domains not just of legitimate, compromised Pakistani organizations — a common tactic attackers use to make any traffic the target might observe seem benign — but legitimate, compromised Pakistani organizations with an explicit connection to the Pakistani military.”

The malicious code used by White Company hackers was able to evade major antivirus solutions, including Sophos, ESET, Kaspersky, BitDefender, Avira, Avast, AVG, and Quickheal.

The malware used in the campaign implements five different packing techniques that placed the ultimate payload within a series of layers.

Attribute the attack to a specific actor is very difficult, a broad range of nation-state attackers would have an interest in spying on the Pakistani Air Force members.

“Cylance does not endeavor to conclusively attribute attacks or campaigns to specific
entities, as a matter of principle, for several reasons. This approach is particularly prudent in this case. The threat actor in question took great pains to elude attribution. They cobbled together tools created by several different developers, some of whom took steps to cover their tracks. These efforts served to complicate the overall picture of what occurred and who was behind it.” concludes the firm.

“Pakistan is a tumultuous, nuclear-armed nation with a history of explosive internal politics. Their position on the geopolitical chessboard makes them an obvious target of all thenation stateswith well-developed cyber programs (i.e. the Five Eyes, China, Russia, Iran, DPRK, Israel),” 

“They also draw attention from emerging cyber powers like India and the Gulf nations.”

Additional info are included in the report published by the experts.

Pierluigi Paganini