Cybersecurity researchers at BlackBerry have uncovered a sophisticated cyber espionage campaign targeting Pakistan’s Navy, led by a previously unknown hacking group named “NewsPenguin.” The group’s primary focus appears to be on military and defense industries, deploying espionage tools with the intent to gather intelligence.
Dmitry Bestuzhev, a Threat Researcher at BlackBerry, disclosed that NewsPenguin strategically utilized the upcoming Pakistan International Maritime Expo & Conference (PIMEC-2023) as a bait to lure victims into opening phishing emails containing malicious payloads. The campaign, discovered approximately a month ago, is characterized by its exclusive focus on cyber espionage, with no apparent financial motivations.
According to Bestuzhev, the objective of NewsPenguin is to spy on conference attendees and organizers. Notably, the group implemented advanced techniques to avoid detection, such as deploying malware components exclusively on devices with Pakistani IP addresses, making it challenging for researchers to analyze the entire malware structure.
One noteworthy feature of the malware is its ability to bypass whitelisting protocols, attaching itself to legitimate components on victim devices. BlackBerry researchers highlighted that the campaign displayed a level of sophistication, making it difficult to attribute to a specific country or agency. The attackers demonstrated a keen understanding of infiltration tools, employing tactics like creating ‘fake’ news sites to enhance the credibility of phishing attempts.
The modus operandi involved sending targeted phishing emails, disguised as exhibitor manuals for PIMEC-2023, to multiple Pakistani marine-related entities and potential conference visitors. Researchers coined the term “NewsPenguin” based on unique encryption keys and headers featuring the words “penguin” and “getlatestnews.”
PIMEC-2023, scheduled from February 10 to February 12 and organized under Pakistan’s Ministry of Maritime Affairs, serves as a platform for showcasing products from both the public and private sectors in the maritime industry.
BlackBerry researchers uncovered several technical intricacies in the campaign, indicating meticulous planning and background hacking well in advance of the phishing emails. The attackers registered one of their domains on June 30, 2022, suggesting that the cyber operation has been in progress for an extended period. Given that the final payload includes a Trojan designed for spy activities and the exfiltration of confidential information, the researchers warn of potential data breaches by the threat actors. The NewsPenguin campaign raises concerns about the growing sophistication of cyber threats targeting critical infrastructure and defense sectors globally.
