Cloudflare alerts on Indian hackers targeting Asian entities

Cyber Espionage Alert: India-Linked Hackers Exploit Cloud Services for Espionage

Sep 26, 2024 | Ravie Lakshmanan | Cloud Security / Cyber Espionage

An advanced threat actor with an India nexus has been observed using multiple cloud service providers to facilitate credential harvesting, malware delivery, and command-and-control (C2).

Web infrastructure and security company Cloudflare is tracking the activity under the name SloppyLemming, also known as Outrider Tiger and Fishing Elephant.

“Between late 2022 to the present, SloppyLemming has routinely used Cloudflare Workers as part of a broad espionage campaign targeting South and East Asian countries,” Cloudflare stated in an analysis.

SloppyLemming has been active since at least July 2021, using malware such as Ares RAT and WarHawk, with past campaigns linked to hacking crews SideWinder and SideCopy.

Targets include government, law enforcement, energy, education, telecommunications, and technology entities in Pakistan, Sri Lanka, Bangladesh, China, Nepal, and Indonesia.

The attack chains involve spear-phishing emails and booby-trapped files to gain unauthorized access to email accounts within the organizations of interest.

SloppyLemming’s techniques include capturing Google OAuth tokens and exploiting WinRAR flaws to achieve remote code execution.

Cybersecurity company SEQRITE detailed similar campaigns targeting Indian government and defense sectors by the SideCopy actors last year.

SloppyLemming uses phishing lures and phony websites to redirect targets to malicious files, ultimately acting as an intermediary for data exfiltration.

Cloudflare’s observations suggest SloppyLemming is targeting Pakistani law enforcement and entities involved in Pakistan’s nuclear power facility operation and maintenance.

Other targets include government and military organizations in Sri Lanka and Bangladesh, as well as energy and academic sector entities in China.
