In some cases they had file-stealing functionality that searched for certain file types, including documents and images on the infected computers, and uploaded them to remote servers. In other cases they had keylogging and screen-shot grabbing functionality.
In some cases the malware has only one feature enabled, but in others it has a combination of them, Fagerland said. There's also a module for infecting USB drives, he said.
There was a lot of customization going on in the attacks, Fagerland said. For example, in the Telenor case, the attackers used malware specifically adapted for that attack that contained strings suggesting they had insight into how Telenor's systems were set up, he said.
The Norman researchers are confident about attributing this operation to Indian attackers based on an analysis of the IP addresses used in the malicious infrastructure and the domain registration information, as well as text-based identifiers contained within the malicious code.
There is no direct evidence that the operation was state sponsored, but that possibility can't be dismissed either, Fagerland said. The attackers' operational security is fairly low, but there are signs of standardization in the malware development process and in the deployment of the command-and-control infrastructure, he said.
Some paths found in the malware code suggest that different developers, including freelancers, worked on different parts of it. It appears that they had well-defined projects and regular tasks to complete, Fagerland said.
What's interesting about this operation is that it appears to originate in India, a country that hasn't been that active in this field before, Fagerland said. It's also interesting that it combines national interest targets with economic targets, which is something that has rarely been seen in cyberespionage attacks that don't come from China, he said.