Criminal hacking group targets U.S., U.K. agencies in Pakistan

A criminal hacking group purporting to be from Pakistan has in recent months carried out a string of attacks against governmental organizations, according to new research.

A criminal hacking group concentrated in Pakistan has in recent months carried out a string of attacks on American, British, Russian, and Spanish governmental organizations, according to new research from cybersecurity company Palo Alto Networks.

The hacking collective known as the Gorgon Group “has been performing criminal operations against targets across the globe, often using shared infrastructure with their targeted attack operations,” Palo Alto Networks’ threat intelligence arm, Unit 42, said in a blog post Thursday.

The group has been targeting foreign government agencies operating in Pakistan, partly through malware-laced Microsoft Word documents, the researchers found. “The spear phishing emails involved in this campaign would most often originate from Gmail accounts masquerading as legitimate individuals, such as a prominent lieutenant colonel in the Pakistani military,” they wrote. It is unclear if the attackers are all based in Pakistan, but they claim to be through online personas, according to the research.

The attackers are unsophisticated but effective. Gorgon Group meticulously tracks how often its payloads are clicked on via common URL shortening tools, according to Unit 42. Thirty-nine percent of users who clicked on those links were in Pakistan, while 19 percent were in the United States.

The group’s command-and-control infrastructure is riddled with crimeware samples, including the remote access trojan NjRat, the research says. The group uses domains to perform a blend of broad-based cybercrime and targeted hacks, often shifting from one to the other “with little warning,” the blog post states.

The unmasking of the Gorgon Group is an example of how a cyber-intelligence-gathering project can expand over time. Unit 42 had been tracking an attacker known as Subaat for more than a year, but recently pieced together evidence that Subaat is part of the larger Gorgon Group.

CORRECTION, 08/03/18: This story has been updated with the correct spelling of the Gorgon Group.

Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.