The prolific SideWinder group has been attributed because the nation-state actor behind tried assaults in opposition to 61 entities in Afghanistan, Bhutan, Myanmar, Nepal, and Sri Lanka between June and November 2021.
Targets included authorities, army, legislation enforcement, banks, and different organizations, in response to an exhaustive report printed by Group-IB, which additionally discovered hyperlinks between the adversary and two different intrusion units tracked as Child Elephant and DoNot Crew.
SideWinder can also be known as APT-C-17, Hardcore Nationalist (HN2), Rattlesnake, Razor Tiger, and T-APT4. It is suspected to be of Indian origin, though Kaspersky in 2022 famous that the attribution is now not deterministic.
The group has been linked to a minimum of 1,000 assaults in opposition to authorities organizations within the Asia-Pacific area since April 2020, in response to a report from the Russian cybersecurity agency early final yr.
Of the 61 potential targets compiled by Group-IB, 29 of them are situated in Nepal, 13 in Afghanistan, 10 in Myanmar, six in Sri Lanka, and one is predicated out of Bhutan.
Typical assault chains mounted by the adversary begin with spear-phishing emails containing an attachment or a booby-trapped URL that directs the victims to an middleman payload that is used to drop the final-stage malware.
SideWinder can also be mentioned to have added a slate of recent instruments to its operation, together with a distant entry trojan and an data stealer written in Python that is able to exfiltrating delicate knowledge saved in a sufferer’s laptop by way of Telegram.
“Superior attackers have began preferring Telegram over conventional command and management servers as a consequence of its comfort,” Group-IB mentioned.
The Singapore-headquartered firm additional mentioned it uncovered proof tying the actor to a 2020 assault aimed on the Maldivian authorities, along with establishing infrastructure and tactical overlaps between SideWinder, Child Elephant, and DoNot Crew.
Whereas DoNot Crew is understood to have an curiosity in Bangladesh, India, Nepal, Pakistan, and Sri Lanka, Child Elephant was first documented by Chinese language cybersecurity agency Antiy Labs in 2021 as a complicated persistent risk from India focusing on authorities and protection businesses in China and Pakistan.
“Since 2017, the variety of ‘Child Elephant’ assaults has doubled annually, and the assault strategies and assets have progressively turn into richer, and the goal has began to cowl extra areas in South Asia,” the corporate was quoted as saying to Chinese language state media outlet World Occasions on the time.
Moreover, supply code similarities have been unearthed between SideWinder in addition to these utilized by different teams with a South Asian focus, similar to Clear Tribe, Patchwork (aka Hangover), and DoNot Crew.
“This data means that state-sponsored risk actors are completely happy to borrow instruments from each other and alter them for his or her wants,” Group-IB mentioned.
The power of the risk actor to repeatedly refine its toolset primarily based on its evolving priorities makes it a very harmful actor working within the espionage space.
“The group clearly has appreciable monetary assets and is most definitely state-sponsored, given the truth that SideWinder has been in a position to be energetic for thus lengthy, develop new instruments, and preserve a pretty big community infrastructure.”
