Cyber Incident Victim: Pakistan Air Force
Date: Nov 2018
Location: Pakistan
Summary
A sophisticated state-sponsored cyberespionage campaign targeted the Pakistan Air Force, employing spear-phishing messages with weaponized documents referencing topics relevant to the organization, including government affairs and Chinese military activities. The attackers, tracked as the White Company, utilized compromised websites and malicious Word attachments to deliver multi-layered malware that evaded detection by major antivirus solutions. The operation aimed to gather tactical and strategic intelligence from a high-value target linked to national security and nuclear capabilities. Attribution remains challenging due to deliberate obfuscation techniques, including the use of tools from multiple developers and efforts to obscure origins, though numerous nation-states possess potential motives for such espionage.
Description
In November 2018, cybersecurity firm Cylance disclosed Operation Shaheen, a year-long espionage campaign targeting the Pakistan Air Force (PAF) by a sophisticated nation-state actor dubbed the White Company. The attackers employed spear-phishing messages containing weaponized lure files tailored to PAF personnel, referencing Pakistani government affairs, air force operations, and Chinese military activities in Pakistan. Initial attacks directed targets to compromised websites via phishing links, later shifting to email attachments carrying malicious Word documents. These decoy documents displayed military-themed content relevant to the recipients' roles, increasing the likelihood of engagement. The malware deployed evaded detection by multiple antivirus solutions, including Sophos, ESET, Kaspersky, BitDefender, Avira, Avast, AVG, and Quickheal, through five layers of packing techniques designed to conceal the final payload. Cylance identified the PAF as the primary target based on the specificity of lures, document filenames, and decoy content, though the precise success rate of compromised systems remained undetermined. The campaign leveraged tools developed by multiple parties, some of whom actively obscured their involvement, complicating forensic analysis.

The White Company demonstrated advanced capabilities, including access to zero-day exploits and exploit developers, consistent with state-sponsored operations. Cylance refrained from attributing the campaign to a specific nation, citing the actor's deliberate efforts to evade identification through tool diversification and operational security measures. The PAF's strategic significance—as a nuclear program stakeholder and host of Pakistan's newly established National Centre for Cyber Security—made it a high-value target for foreign intelligence gathering. Potential beneficiaries included global powers with mature cyber programs, such as Five Eyes nations, China, Russia, Iran, North Korea, or Israel, as well as regional actors like India and Gulf states. The operation highlighted persistent threats to military networks in geopolitically sensitive regions, particularly those involving nuclear assets or emerging cyber defense initiatives. No specific mitigation actions or responses from the PAF were detailed in the report.
