Sidewinder [1] [2] [3] [4] [5] [6] [7], a nation-state threat actor associated with India and known by various aliases, has initiated a cyber espionage campaign targeting ports and maritime facilities in the Indian Ocean and Mediterranean Sea [2] [4] [5] [6] [7].
Description
Sidewinder [1] [2] [3] [4] [5] [6] [7], also known as APT-C-17 [4], Baby Elephant [4], Hardcore Nationalist [4], Rattlesnake [4] [6], and Razor Tiger [1] [4] [6], has been identified by the BlackBerry Research and Intelligence Team as the actor behind this cyber espionage campaign. The campaign relies on phishing emails with specific logos and themes; it initially focused on countries such as Pakistan, Egypt [1] [2] [4] [6], Sri Lanka [1] [2] [4] [6], Bangladesh [1] [4] [6], Myanmar [1] [4] [6], Nepal [1] [4] [6], and the Maldives before expanding to other regions. Sidewinder uses spear-phishing to deliver malicious payloads that exploit the security vulnerabilities CVE-2017-0199 and CVE-2017-11882 [5], with lures built around emotional triggers to persuade recipients to open compromised Microsoft Word documents.

The threat actor uses techniques such as obfuscation, process hollowing [2], and DNS tunneling to deliver payloads [2], establish command-and-control [2], and maintain persistence within targeted networks [2]. Previous Sidewinder targets include military, government [1], and business entities in Pakistan, Afghanistan [1], China [1], and Nepal [1] [6], with a primary focus on espionage and intelligence collection. The campaign reflects a strategic approach, combining social engineering with vulnerability exploitation to compromise network infrastructure within the maritime sector [2]. Sidewinder’s use of JavaScript malware points to a clear objective of intelligence gathering [7].

In attributing the campaign to Sidewinder [6], BlackBerry noted that the group has targeted the police, military [1] [6], maritime [2] [3] [4] [5] [6] [7], and naval forces of Central Asian countries [6]. The threat actors used carefully crafted documents as “visual bait” referencing specific infrastructure [6], such as ports [6], to target organizations in the countries listed above.
Exploiting the CVE-2017-0199 vulnerability in Microsoft Office for initial access [6], the attackers have focused on large organizations with outdated infrastructure. Phishing emails carry malicious documents that exploit the CVE-2017-11882 vulnerability to execute shellcode and load additional malicious payloads from a remote server [6]. The BlackBerry report includes Indicators of Compromise (IoCs) and a detailed MITRE ATT&CK® mapping [6], and notes Sidewinder’s ongoing evolution of its infrastructure for espionage and intelligence gathering [6].
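As an added defender-side example (not code from the BlackBerry report or any cited source), the following Python sketch classifies Sysmon-style process-creation events for the two parent/child patterns the exploit chain above produces: EQNEDT32.EXE, the Equation Editor component hit by CVE-2017-11882, spawning any child process, and an Office host spawning a script host after a CVE-2017-0199-style remote object load. The field names, paths and sample event lines are constructed assumptions, not telemetry from the campaign.

```python
import re

# Sysmon-style process-creation events; constructed sample lines, not telemetry
# from the BlackBerry report or any cited source.
SAMPLE_EVENTS = [
    r"ParentImage=C:\Windows\explorer.exe Image=C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
    r"ParentImage=C:\Program Files\Microsoft Office\Office16\WINWORD.EXE Image=C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
    r"ParentImage=C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Image=C:\Windows\System32\cmd.exe",
    r"ParentImage=C:\Program Files\Microsoft Office\Office16\WINWORD.EXE Image=C:\Windows\System32\mshta.exe",
]

OFFICE_HOSTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
# EQNEDT32.EXE is the Equation Editor component exploited by CVE-2017-11882.
EQUATION_EDITOR = "eqnedt32.exe"
# Script hosts / LOLBins typically launched when a document pulls a remote object via CVE-2017-0199.
SUSPICIOUS_CHILDREN = {"mshta.exe", "cmd.exe", "powershell.exe", "wscript.exe",
                       "cscript.exe", "rundll32.exe", "regsvr32.exe"}

FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")

def parse_event(line):
    """Split a 'Key=Value Key=Value' event line into a dict (values may contain spaces)."""
    return dict(FIELD_RE.findall(line))

def basename(path):
    return path.lower().rsplit("\\", 1)[-1]

def classify(event):
    """Return a verdict string for a suspicious parent/child pair, or None."""
    parent = basename(event.get("ParentImage", ""))
    image = basename(event.get("Image", ""))
    if parent == EQUATION_EDITOR:
        # Equation Editor has no legitimate reason to spawn any process.
        return "high: eqnedt32.exe spawned a child process (CVE-2017-11882 pattern)"
    if parent in OFFICE_HOSTS and image in SUSPICIOUS_CHILDREN:
        return "high: Office host spawned a script host/LOLBin (CVE-2017-0199 pattern)"
    if parent in OFFICE_HOSTS and image == EQUATION_EDITOR:
        # Legitimate equation objects also trigger this; flag for review, not alert.
        return "medium: Office host launched Equation Editor"
    return None

def scan(lines):
    """Run classify() over raw event lines and return the non-empty verdicts in order."""
    return [v for v in (classify(parse_event(line)) for line in lines) if v]

if __name__ == "__main__":
    for verdict in scan(SAMPLE_EVENTS):
        print(verdict)
```

On a patched host the medium-severity hit is the noise floor; the eqnedt32.exe-as-parent rule is the one worth paging on.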
Conclusion
The cyber espionage campaign orchestrated by Sidewinder poses significant risks to the security and integrity of ports and maritime facilities in the Indian Ocean and Mediterranean Sea. Organizations within the targeted sectors must remain vigilant and implement robust cybersecurity measures to mitigate potential threats. The evolving tactics and techniques employed by Sidewinder underscore the importance of continuous monitoring and threat intelligence sharing to safeguard against future attacks.
References
[1] https://www.altusintel.com/public-yyc908/?tt=1722274203
[2] https://cyberpress.org/targets-ports-maritime-facilities/
[3] https://cybermaterial.com/apt-targets-asian-maritime-facilities/
[4] https://www.redpacketsecurity.com/new-sidewinder-cyber-attacks-target-maritime-facilities-in-multiple-countries/
[5] https://thehackernews.com/2024/07/new-sidewinder-cyber-attacks-target.html
[6] https://buaq.net/go-253282.html
[7] https://cyber.vumetric.com/security-news/2024/07/30/new-sidewinder-cyber-attacks-target-maritime-facilities-in-multiple-countries/