Cyber Incident Victim: Government of Pakistan

Date: Nov 2013

Location: Pakistan

Summary

Pakistani government institutions were targeted in a cyber-espionage campaign involving spear-phishing emails disguised as communications from state officials, delivering malicious documents exploiting a known vulnerability to deploy a custom Remote Access Trojan. The malware, attributed to the BITTER group, harvested sensitive documents by searching for specific file types and enabled remote system control, file manipulation, and additional payload execution. The attackers also employed Android-based surveillance tools masquerading as legitimate applications related to regional news and religious practices. While the campaign exhibited characteristics of politically motivated espionage, researchers found insufficient evidence to link it to any known advanced threat actor or nation-state group.

Description

In October 2016, Pakistan government officials were targeted in a cyber-espionage campaign involving Remote Access Trojans (RATs) distributed via spear-phishing emails. The emails, spoofed to appear as communications from other Pakistani state officials, contained malicious DOC and XLS files weaponized with the CVE-2012-0158 exploit. This exploit enabled the automatic download and installation of a custom RAT from remote servers upon file opening. Security firm Forcepoint, which discovered and analyzed the campaign, attributed the activity to a group they designated "BITTER," based on recurring text patterns in HTTP requests used for data exfiltration. The group’s operations were traced back to November 2013, indicating a prolonged, previously undetected campaign. The custom RAT possessed capabilities including system information collection, remote command execution, process manipulation, file alteration, and remote file download/execution. Its primary function centered on searching for and exfiltrating files with extensions commonly associated with sensitive documents—DOC, PPT, XLS, DOCX, PPTX, XLSX, PDF, ZIP, 7Z, TXT, and RTF—suggesting a focus on intelligence gathering.

Forcepoint identified additional infrastructure links connecting the BITTER group to a separate Android RAT campaign. One domain used for RAT data exfiltration was registered with an email address also associated with command-and-control servers for AndroRAT malware distributed via apps named "Kashmir News" and "Islam Adhan Alarm." These apps, themed around topics relevant to Pakistan and the disputed Kashmir region, indicated the group’s use of multiple malware families and targeting vectors. While the campaign’s file-extension targeting aligned with politically motivated cyber-espionage, Forcepoint found insufficient evidence to attribute the activity to a known advanced persistent threat (APT) group or state-sponsored actor. No specific mitigation actions by Pakistani authorities or impacted institutions were detailed in the reporting. The incident underscored persistent threats to governmental entities through socially engineered attacks and exploitation of legacy vulnerabilities.
