Symantec, a division of Broadcom Software, has identified a previously unreported threat actor, which it tracks as Clasiopa, targeting materials research organisations in Asia. The group uses a distinct toolset whose origin is unknown; the few available clues point, weakly, toward India.
The evidence for that connection consists of the string “SAPTARISHI-ATHARVAN-101” found in a custom backdoor and the password “iloveindea1998^_^” used on a ZIP archive. Both draw on Hindu terminology: “Saptarishi” means “Seven Sages,” revered figures in Hindu texts, and Atharvan was an ancient priest traditionally credited as a co-author of one of the Vedas.
Symantec cautions that these references could be deliberate false flags rather than genuine attribution clues, noting in particular that the password is suspiciously obvious. The report assesses that initial access was most likely gained by brute-forcing public-facing servers, although the evidence for the entry vector is limited.
Observed tradecraft includes clearing System Monitor (Sysmon) logs and Windows event logs to remove traces of activity, and deploying several backdoors: the custom Atharvan backdoor and a modified build of the open-source Lilith RAT. These tools were used to collect and exfiltrate data from victim networks.
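Two of the behaviours reported above, brute-force logons against an exposed server and the clearing of the Security and Sysmon event logs, are detectable from standard Windows telemetry. The following is an added example written for this page; it is not code from Symantec's report or from the Clasiopa toolset. It runs over constructed sample events (not real data) flattened to a few fields whose names are assumed: Security event 4625 (failed logon) and 4624 (successful logon), Security event 1102 (the audit log was cleared), and System event 104 (any other event log, including Microsoft-Windows-Sysmon/Operational, was cleared). The thresholds are illustrative.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample telemetry, not real data. Field names (time, channel,
# event_id, ip, user, cleared_channel) are assumed; a SIEM will normalise
# Windows EventData differently.
_BASE = datetime(2023, 2, 20, 1, 0, 0)


def _ev(offset_s, channel, event_id, **fields):
    return {"time": _BASE + timedelta(seconds=offset_s),
            "channel": channel, "event_id": event_id, **fields}


SAMPLE_EVENTS = [
    # 12 failed logons from one address in three minutes, then a success.
    *[_ev(15 * i, "Security", 4625, ip="203.0.113.7", user="administrator")
      for i in range(12)],
    _ev(180, "Security", 4624, ip="203.0.113.7", user="administrator"),
    # Benign noise: two typos from a workstation, never followed by success.
    _ev(200, "Security", 4625, ip="10.0.0.5", user="jdoe"),
    _ev(230, "Security", 4625, ip="10.0.0.5", user="jdoe"),
    # Anti-forensics: Security log cleared, then the Sysmon channel cleared.
    _ev(900, "Security", 1102, user="administrator"),
    _ev(905, "System", 104, user="administrator",
        cleared_channel="Microsoft-Windows-Sysmon/Operational"),
]


def find_brute_force(events, threshold=10, window=timedelta(minutes=5)):
    """Return (ip, user, failure_count, success_time) for every 4624 that was
    preceded by at least `threshold` 4625 failures from the same source IP
    inside `window`. A sliding window keeps memory bounded on busy hosts."""
    recent_failures = defaultdict(deque)  # ip -> timestamps of failures
    hits = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["channel"] != "Security":
            continue
        queue = recent_failures[ev.get("ip", "")]
        # Drop failures that have aged out of the window.
        while queue and ev["time"] - queue[0] > window:
            queue.popleft()
        if ev["event_id"] == 4625:
            queue.append(ev["time"])
        elif ev["event_id"] == 4624 and len(queue) >= threshold:
            hits.append((ev["ip"], ev["user"], len(queue), ev["time"]))
            queue.clear()  # one alert per password-spray-then-success burst
    return hits


def find_log_clearing(events):
    """Return one alert per event-log clear. Security 1102 is written when the
    Security log is cleared; System 104 is written when any other log is
    cleared and names the channel, so a wiped Sysmon log shows up there."""
    alerts = []
    for ev in events:
        if ev["channel"] == "Security" and ev["event_id"] == 1102:
            alerts.append({"cleared": "Security", "by": ev.get("user"),
                           "time": ev["time"], "severity": "high"})
        elif ev["channel"] == "System" and ev["event_id"] == 104:
            cleared = ev.get("cleared_channel", "unknown")
            # Losing the Sysmon channel blinds process/network telemetry, so
            # rate it with the Security log rather than as routine housekeeping.
            severity = "high" if "Sysmon" in cleared else "medium"
            alerts.append({"cleared": cleared, "by": ev.get("user"),
                           "time": ev["time"], "severity": severity})
    return alerts


if __name__ == "__main__":
    for ip, user, count, when in find_brute_force(SAMPLE_EVENTS):
        print(f"brute force: {count} failures from {ip} then success as {user} at {when}")
    for alert in find_log_clearing(SAMPLE_EVENTS):
        print(f"log cleared: {alert['cleared']} by {alert['by']} "
              f"at {alert['time']} [{alert['severity']}]")
```

Because the attackers clear logs on the host, both checks only help if events are forwarded off the machine before they can be wiped; a 1102 or 104 that is itself the last event received from a host is the strongest signal of all.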
Atharvan communicates with a hard-coded command-and-control (C&C) server and can download and execute files on the compromised host. In the samples analysed, the C&C infrastructure was hosted in Amazon's AWS South Korea region, which matters operationally: the addresses are shared cloud space, so blocking by IP alone is unreliable and defenders should key on the hard-coded C&C values and the network behaviour instead.
Clasiopa's apparent objective is persistent, covert access to targeted systems for information theft. The disclosure follows closely on Symantec's report on another previously undocumented group, Hydrochasma, which has been targeting shipping companies and medical laboratories in the same region.
Mapped to the MITRE ATT&CK framework, the reported behaviour corresponds to Brute Force (T1110) for initial access, the custom backdoors for persistence and command and control, and Indicator Removal: Clear Windows Event Logs (T1070.001) for the Sysmon and event-log clearing. Clasiopa adds to the set of actors directing intrusions at research organisations in sensitive sectors.
For organisations in these fields the practical lessons follow directly from the reported tradecraft: restrict and monitor remote access to internet-facing servers, since brute force is the assessed entry vector; forward event logs and Sysmon telemetry off-host so that clearing them on the victim does not destroy the evidence; and alert on log-clearing events themselves, which are a reliable sign of hands-on intrusion.