Cyber Incident Victim: Mazagon Dock Shipbuilders Limited

Date: Jan 2017

Location: India

Summary

A cyber espionage group targeted Mazagon Dock Shipbuilders Limited (MDL), a key Indian naval defense manufacturer, with spear-phishing emails impersonating a Spanish naval equipment firm. The malicious Excel attachments carried VBA macros which, once the recipient enabled them, installed the KeyBase keylogger; the malware used an eventvwr.exe registry hijack to bypass User Account Control (UAC) and copied itself to a persistent location to evade detection. It exfiltrated keystrokes, application usage, the names of opened documents and screenshots to a command-and-control server hosted in Indonesia. The attackers staged their payload on compromised university infrastructure and obfuscated their code to hinder analysis, and email header analysis pointed to a Pakistani freight company. The operation aimed to steal military intellectual property such as submarine and warship designs, and its tradecraft reflects a deliberate effort to stay stealthy while targeting defense-related proprietary information.

Description

On January 25, 2017, Mazagon Dock Shipbuilders Limited (MDL), an Indian Ministry of Defence entity that builds warships and submarines, was targeted in a cyber espionage campaign. The attackers sent spear-phishing emails spoofing Hidrofersa, a Spain-based naval equipment manufacturer, to MDL personnel. The emails carried malicious Excel attachments disguised as inquiries about product delivery schedules and were timed to India's Republic Day on January 26, when MDL-built naval assets were on public display. Opening an attachment prompted the recipient to enable macros; doing so started a multi-stage infection in which the VBA macro ran obfuscated PowerShell that downloaded the KeyBase malware from a compromised Indonesian university website, a legitimate domain chosen to slip past reputation-based security controls. KeyBase then bypassed User Account Control (UAC) with the eventvwr.exe registry hijack: it wrote its own path into the user-writable HKCU\Software\Classes\mscfile\shell\open\command key, which the auto-elevating Event Viewer consults before launching mmc.exe, so the malware ran at high integrity without a consent prompt. Note that this only yields elevated rights when the victim is a local administrator; for a standard user it is a persistence and execution trick, not a privilege escalation. The malware established persistence by copying itself as Important.exe into the %AllUsersProfile% directory.

The KeyBase malware collected keystrokes, application usage data, web browsing history, credentials and desktop screenshots, any of which could expose sensitive submarine and warship design documents. It delayed exfiltration by staying dormant for extended periods, long enough to outlast a typical sandbox run, before contacting the command-and-control (C2) server tripleshop.id, hosted on an Indonesian IP address (103.229.74.32) that had been active since January 18, 2017. Network traffic analysis showed the malware sending system information, the names of opened files (e.g., secret.docx) and application window titles to attacker-controlled endpoints. Email header forensics traced the spoofed emails to a user associated with Combined Freight (PVT) Limited, a Pakistan-based freight company, an association read as a possible, though unconfirmed, indication of state-sponsored involvement. The technical sophistication of the attack, including macro obfuscation, junk code insertion, abuse of compromised legitimate infrastructure and the UAC bypass, indicated a deliberate effort to defeat both manual and automated analysis. The full scope of data exfiltrated was not disclosed, but the malware's capabilities posed a significant risk to India's naval defense intellectual property, including design blueprints and manufacturing processes. Indicators of compromise, such as file hashes (e.g., MD5 08f2fc9cb30b22c765a0ca9433b35a46) and C2 URLs, were published to aid detection and remediation across defense and government networks.
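The infection chain and the network indicators above translate directly into host-level hunting rules. The following is an added example, written for this page and not part of the original incident report or any vendor tooling: it runs the published IOCs (the MD5, the C2 domain and IP) and behavioural checks for the eventvwr.exe UAC bypass, the Excel-to-PowerShell launch and the Important.exe persistence copy over a handful of constructed Sysmon-style event records. The event layout (simplified dictionaries with `type`, `image`, `parent_image`, `target` and similar fields) is an assumption made for the example, as is every sample event.

```python
"""Hunt for the MDL/KeyBase indicators in constructed Sysmon-style events.

Added example for this page; the event schema and sample data are assumptions,
only the IOC values (hash, domain, IP, paths, registry key) come from the report.
"""
import hashlib
import re

# Indicators quoted in the incident description.
IOC_MD5 = {"08f2fc9cb30b22c765a0ca9433b35a46"}
IOC_DOMAINS = {"tripleshop.id"}
IOC_IPS = {"103.229.74.32"}

# eventvwr.exe resolves this per-user handler before launching mmc.exe; the
# UAC bypass works by writing the malware path into the user-writable HKCU key.
MSCFILE_KEY = re.compile(r"\\software\\classes\\mscfile\\shell\\open\\command$", re.I)
# KeyBase's persistence copy; %AllUsersProfile% normally resolves to C:\ProgramData.
PERSISTENCE_PATH = re.compile(r"(\\programdata|%allusersprofile%)\\important\.exe$", re.I)


def check_event(ev):
    """Return a list of (rule, detail) findings for one event dict."""
    findings = []
    kind = ev.get("type")
    if kind == "process_create":
        parent = ev.get("parent_image", "").lower()
        image = ev.get("image", "").lower()
        # Legitimate Event Viewer only ever spawns mmc.exe; anything else is the bypass firing.
        if parent.endswith("\\eventvwr.exe") and not image.endswith("\\mmc.exe"):
            findings.append(("uac_bypass_eventvwr_child", image))
        # The macro stage: Office spawning PowerShell.
        if parent.endswith("\\excel.exe") and image.endswith("\\powershell.exe"):
            findings.append(("office_spawns_powershell", ev.get("cmdline", "")))
        if ev.get("md5", "").lower() in IOC_MD5:
            findings.append(("known_hash", ev["md5"]))
    elif kind == "registry_set":
        if MSCFILE_KEY.search(ev.get("target", "")):
            findings.append(("mscfile_handler_hijack", ev.get("details", "")))
    elif kind == "file_create":
        if PERSISTENCE_PATH.search(ev.get("target", "")):
            findings.append(("keybase_persistence_copy", ev["target"]))
    elif kind == "dns_query":
        if ev.get("query", "").lower().rstrip(".") in IOC_DOMAINS:
            findings.append(("c2_domain", ev["query"]))
    elif kind == "network_connect":
        if ev.get("dst_ip") in IOC_IPS:
            findings.append(("c2_ip", ev["dst_ip"]))
    return findings


def hunt(events):
    """Run check_event over a sequence; returns (event_index, rule, detail) triples."""
    return [(i, rule, detail) for i, ev in enumerate(events) for rule, detail in check_event(ev)]


def md5_of_bytes(data):
    """MD5 of a suspect file's contents, for comparison against IOC_MD5."""
    return hashlib.md5(data).hexdigest()


def file_hash_matches(data):
    return md5_of_bytes(data) in IOC_MD5


# Constructed sample telemetry approximating the chain described on this page.
SAMPLE_EVENTS = [
    {"type": "process_create",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -w hidden -ep bypass -enc ..."},
    {"type": "file_create", "target": r"C:\ProgramData\Important.exe"},
    {"type": "registry_set",
     "target": r"HKU\S-1-5-21-1000\Software\Classes\mscfile\shell\open\command",
     "details": r"C:\ProgramData\Important.exe"},
    {"type": "process_create",
     "parent_image": r"C:\Windows\System32\eventvwr.exe",
     "image": r"C:\ProgramData\Important.exe",
     "md5": "08f2fc9cb30b22c765a0ca9433b35a46"},
    {"type": "dns_query", "query": "tripleshop.id"},
    {"type": "network_connect", "dst_ip": "103.229.74.32", "dst_port": 80},
    # Benign noise: should produce no findings.
    {"type": "process_create", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe"},
    {"type": "process_create", "parent_image": r"C:\Windows\System32\eventvwr.exe",
     "image": r"C:\Windows\System32\mmc.exe"},
]

if __name__ == "__main__":
    for idx, rule, detail in hunt(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}: {detail}")
```

On a live host the same checks map onto Sysmon event IDs 1 (process create), 11 (file create), 13 (registry value set), 22 (DNS query) and 3 (network connect). The hash, domain and IP rules will age quickly; the durable detections are the behavioural ones, in particular any child of eventvwr.exe other than mmc.exe and any write to the per-user mscfile handler key, both of which have no legitimate cause on an ordinary workstation.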