
The prolific state-sponsored group SideWinder has been blamed for attempted attacks against 61 organizations in Afghanistan, Bhutan, Myanmar, Nepal and Sri Lanka between June and November 2021.
Targets include governments, the military, law enforcement agencies, banks and other organizations, according to a detailed report published by Group-IB, which also discovered a link between the adversary and two other intrusion sets, Baby Elephant and the DoNot Team.
SideWinder is also known as APT-C-17, Hardcore Nationalist (HN2), Rattlesnake, Razor Tiger, and T-APT4. In 2022, Kaspersky noted that attribution is no longer deterministic, but the group is suspected to be of Indian origin.
The group has been responsible for more than 1,000 attacks against government entities in the Asia-Pacific region since April 2020, according to a report from a Russian cybersecurity firm early last year.
Of the 61 potential targets compiled by Group-IB, 29 are based in Nepal, 13 in Afghanistan, 10 in Myanmar, 6 in Sri Lanka and 1 in Bhutan.
A typical attack chain launched by the group begins with a spear-phishing email containing an attachment or a booby-trapped URL that directs the victim to an intermediate payload, which is then used to drop the final-stage malware.
SideWinder has also added a suite of new tools to its operations, including a remote access Trojan and an information-stealer program written in Python that can exfiltrate sensitive data stored on a victim's computer via Telegram, according to Group-IB.
The Singapore-based company also said it found evidence linking the attackers to a 2020 attack targeting the Maldivian government, in addition to establishing overlaps in infrastructure and tactics between SideWinder, Baby Elephant, and the DoNot Team.
While the DoNot Team is known to have interests in Bangladesh, India, Nepal, Pakistan, and Sri Lanka, Baby Elephant was first documented as an advanced persistent threat by Chinese cybersecurity firm Antiy Labs in 2021, which described it as originating in India and targeting government and defense agencies in China and Pakistan.
“Since 2017, the number of ‘Baby Elephant’ attacks has doubled every year, attack methods and resources have gradually become more abundant, and targets have begun to cover more regions of South Asia,” the Chinese company was reported to have told the state media outlet Global Times at the time.
In addition, Group-IB uncovered similarities between the source code used by SideWinder and that used by other South Asia-focused groups such as Transparent Tribe, Patchwork (aka Hangover), and the DoNot Team.
Group-IB said, “This information suggests that state-sponsored threat actors are willing to borrow tools from each other and tailor them to their needs.”
The threat actor’s ability to continually refine its toolset based on evolving priorities makes it a particularly dangerous actor operating in the espionage realm.
“Given that SideWinder has been around for such a long time, developing new tools and maintaining a fairly large network infrastructure, the group clearly has considerable financial resources and is most likely state-sponsored.”