The nation-state cyber threat actor known as SideWinder has been linked to a new espionage campaign aimed at maritime facilities and ports in the Indian Ocean and Mediterranean Sea regions. The spear-phishing attacks uncovered in this campaign target several countries, including Pakistan, Egypt, Sri Lanka, Bangladesh, Myanmar, Nepal, and the Maldives.
SideWinder, also referred to by aliases such as APT-C-17, Baby Elephant, Hardcore Nationalist, Leafperforator, Rattlesnake, and Razor Tiger, is believed to have ties to India. The group has been active since 2012 and is known for using spear-phishing as a method to deploy malicious payloads that initiate complex attack chains.
According to the report, SideWinder employs a range of tactics in its attacks, including spear-phishing via email, document exploitation, and DLL side-loading techniques. These methods are designed to bypass detection and deliver customized implants to the targeted systems.
In this latest wave of attacks, SideWinder has used emotionally charged lures on topics such as sexual harassment, employee terminations, and salary reductions. These themes are chosen to unsettle recipients and pressure them into opening weaponized Microsoft Word documents that start the attack chain.
Once the decoy document is opened, it exploits a long-patched vulnerability (CVE-2017-0199, in which Word fetches and loads a remote object or template referenced by the document at open time) to contact a malicious domain impersonating Pakistan’s Directorate General Ports and Shipping (“reports.dgps-govtpk[.]com”).
That connection retrieves an RTF file that exploits a second old Microsoft Office vulnerability, CVE-2017-11882 in the Equation Editor component. The resulting shellcode launches JavaScript code, but only after checking that the compromised system is a genuine and worthwhile target for the attackers.
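The two stages above each leave a static artifact that defenders can check for before a document ever reaches Word. The script below is an added example, not the researchers' code: it looks inside a .docx for relationships that make Word load an external resource at open time (the remote-template/OLE2Link pattern behind CVE-2017-0199) and inside an RTF for an embedded Equation Editor object (the target of CVE-2017-11882). The sample documents are constructed in memory, the template URL is a placeholder rather than the campaign's real domain, and the RTF object blob is a minimal OLE1-style wrapper, not a working exploit.

```python
# Added example (not the researchers' code): static triage heuristics for the
# two-stage Office chain described above. Sample files are constructed inline.
import io
import re
import struct
import uuid
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
# Relationship types that make Word fetch the target when the file is opened.
# Hyperlinks are also TargetMode="External" but only open on click, so they
# are deliberately not counted; otherwise every document with a link would fire.
LOADING_REL_TYPES = {"attachedTemplate", "oleObject", "frame", "subDocument"}
EQUATION_CLSID = uuid.UUID("0002CE02-0000-0000-C000-000000000046")  # Equation.3


def docx_remote_loads(docx_bytes):
    """Return (rels part, relationship type, target) for every relationship
    that makes Word load an external resource at open time."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            for rel in ET.fromstring(z.read(name)).iter(REL_NS + "Relationship"):
                rtype = rel.get("Type", "").rsplit("/", 1)[-1]
                if rel.get("TargetMode") == "External" and rtype in LOADING_REL_TYPES:
                    hits.append((name, rtype, rel.get("Target", "")))
    return hits


def rtf_equation_objects(rtf_bytes):
    """Return indicator strings for embedded Equation Editor objects in an RTF."""
    text = rtf_bytes.decode("latin-1")
    findings = []
    if not text.lstrip().startswith("{\\rt"):  # Word accepts a truncated magic
        return findings
    if re.search(r"\\objclass\s*Equation\.3\b", text, re.I):
        findings.append("objclass Equation.3")
    if "\\objupdate" in text:  # forces the object to refresh as the file opens
        findings.append("objupdate (object refreshed on open)")
    for m in re.finditer(r"\\objdata\s*([0-9a-fA-F\s]+)", text):
        hexdata = re.sub(r"\s+", "", m.group(1))
        blob = bytes.fromhex(hexdata[: len(hexdata) & ~1])  # drop a stray nibble
        if b"Equation.3" in blob:  # OLE1 wrapper carries the ProgID in ASCII
            findings.append("objdata progid Equation.3")
        if EQUATION_CLSID.bytes_le in blob:  # CLSID as stored on disk
            findings.append("objdata CLSID " + str(EQUATION_CLSID))
    return findings


# ---- constructed samples (not real campaign files) ----
def build_docx(settings_rels_xml):
    """Minimal .docx whose word/_rels/settings.xml.rels is the given XML."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml",
                   "<Types xmlns='http://schemas.openxmlformats.org/package/2006/content-types'/>")
        z.writestr("word/document.xml",
                   "<w:document xmlns:w='http://schemas.openxmlformats.org/wordprocessingml/2006/main'/>")
        z.writestr("word/_rels/settings.xml.rels", settings_rels_xml)
    return buf.getvalue()


RELS = ("<Relationships xmlns='http://schemas.openxmlformats.org/package/2006/relationships'>"
        "{}</Relationships>")
REMOTE_TEMPLATE_RELS = RELS.format(  # placeholder URL, not the real C2 domain
    "<Relationship Id='rId1' TargetMode='External' "
    "Type='http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate' "
    "Target='http://reports.example.invalid/template.dotm'/>")
BENIGN_RELS = RELS.format(
    "<Relationship Id='rId1' TargetMode='External' "
    "Type='http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink' "
    "Target='https://example.invalid/'/>")


def build_equation_rtf():
    """Constructed RTF with an OLE1-wrapped Equation.3 object (not an exploit)."""
    ole1 = (b"\x01\x05\x00\x00\x02\x00\x00\x00" + struct.pack("<I", 11) + b"Equation.3\x00"
            + b"\x00" * 8 + EQUATION_CLSID.bytes_le)
    return ("{\\rtf1\\ansi{\\object\\objemb\\objupdate{\\*\\objclass Equation.3}"
            "{\\*\\objdata " + ole1.hex() + "}}}").encode()


if __name__ == "__main__":
    print(docx_remote_loads(build_docx(REMOTE_TEMPLATE_RELS)))
    print(docx_remote_loads(build_docx(BENIGN_RELS)))
    print(rtf_equation_objects(build_equation_rtf()))
```

Both checks are heuristics: a legitimate document can reference a corporate template over HTTP, and an Equation.3 object can be a real equation from an old document, so treat a hit as a reason to detonate the file in a sandbox or block it at the mail gateway rather than as proof of compromise. Run it against real samples by reading the file bytes and passing them to the two functions.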
At this time, the final payload delivered by the JavaScript stage remains unknown. However, based on SideWinder’s previous campaigns, the likely objective is intelligence gathering.
The researchers noted that SideWinder is continually refining its infrastructure to reach victims in new geographic regions. The ongoing development of its network and payload delivery methods suggests that SideWinder will persist with these operations in the near future.
Organizations can protect themselves from SideWinder’s cyber espionage campaigns by implementing robust email filtering to detect and block spear-phishing attempts, by keeping software updated and patched (both vulnerabilities used in this chain have had fixes available since 2017), and by segmenting networks to limit the impact of any breach.
Additionally, regular security audits and threat assessments can help identify and mitigate risks early.