India-linked APT group carried out phishing attacks against government organisations in Asia, say analysts

SideWinder APT, believed to be an India-based threat group, carried out cyber espionage attacks using Telegram across Asia

February 16, 2023 02:24 pm | Updated 06:06 pm IST


SideWinder APT, a suspected India-based threat group, carried out cyber attacks using Telegram across Asia. | Photo Credit: Reuters

Previously unreported phishing operations were carried out by SideWinder, a suspected Indian-origin Advanced Persistent Threat (APT) actor, targeting 61 government, military, law enforcement and other organisations across Asia between June and November 2021, according to a report from Group-IB.

The group is believed to be one of the oldest nation-state groups and has been found to be active since at least 2012. 

Like many other advanced threat actors, SideWinder, also known as Rattlesnake, used the Telegram messaging app to receive information from compromised networks. The group, known for its ability to conduct hundreds of espionage operations within a short span, has a confirmed interest in cryptocurrency and was found to have targeted government organisations in Bhutan, Myanmar, Nepal, Sri Lanka and Afghanistan, the report said.

The group was also found to be behind phishing projects mimicking crypto companies, which are believed to be linked to recent attempts to regulate the crypto markets in India.


The APT group uses spear phishing as its initial attack vector: it sends victims phishing emails containing malicious attachments or URLs which, when opened or downloaded, deliver a malicious payload. The payload is then used to steal sensitive information by exploiting vulnerabilities in the victim's devices.

Among the newly discovered tools used by the group were SideWinder.RAT.b (a remote access Trojan) and SideWinder.StealerPy, a custom information stealer written in Python and designed to exfiltrate information including browsing history from Google Chrome, credentials saved in the browser, a list of folders in the directory, and metadata from the system.
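The article notes that SideWinder received data from compromised networks through Telegram and that StealerPy collects browser data for exfiltration. One defensive consequence is that uploads to the Telegram Bot API from scripting runtimes on workstations are worth alerting on. The script below is an added example written for this page, not code from Group-IB or the report; it runs a simple detection over constructed proxy log lines (the log format, host names, process names and bot tokens are all assumed) and groups Telegram Bot API calls per host and process, redacting the token so the alert itself does not leak a usable credential.

```python
import re
from collections import defaultdict

# Constructed proxy log lines for illustration only (not traffic from the report).
# Assumed record format: timestamp host process method url bytes_sent
SAMPLE_LOG = """\
2021-09-01T10:00:01Z ws-042 chrome.exe GET https://www.example.org/index.html 512
2021-09-01T10:00:05Z ws-042 python.exe POST https://api.telegram.org/bot123456789:AAFakeTokenForExample/sendDocument 184320
2021-09-01T10:00:09Z ws-042 python.exe POST https://api.telegram.org/bot123456789:AAFakeTokenForExample/sendMessage 640
2021-09-01T10:02:30Z ws-017 outlook.exe GET https://outlook.office.com/mail/ 2048
2021-09-01T10:03:15Z ws-017 powershell.exe POST https://api.telegram.org/bot987654321:AAAnotherFakeToken/sendDocument 92160
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<proc>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<bytes>\d+)$"
)
# Telegram Bot API URLs have the shape https://api.telegram.org/bot<token>/<method>
BOT_API_RE = re.compile(r"^https://api\.telegram\.org/bot(?P<token>[^/]+)/(?P<call>[A-Za-z]+)")


def parse_line(line):
    """Parse one assumed-format proxy record into a dict, or None if malformed."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["bytes"] = int(rec["bytes"])
    return rec


def redact_token(token):
    """Keep only the numeric bot id so the alert does not carry a working token."""
    bot_id, _, _secret = token.partition(":")
    return f"{bot_id}:***"


def detect_telegram_exfil(log_text, min_upload_bytes=65536):
    """Group Telegram Bot API calls by (host, process) and rate each group.

    A group is 'high' severity when it uploaded a document and the total bytes
    sent reach min_upload_bytes (a threshold chosen for this example); otherwise
    it is 'medium', since Bot API traffic from an endpoint is unusual on its own.
    """
    groups = defaultdict(lambda: {"calls": [], "bytes_sent": 0, "tokens": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        m = BOT_API_RE.match(rec["url"])
        if m is None:
            continue  # not Bot API traffic, ignore
        g = groups[(rec["host"], rec["proc"])]
        g["calls"].append(m["call"])
        g["bytes_sent"] += rec["bytes"]
        g["tokens"].add(redact_token(m["token"]))

    findings = []
    for (host, proc), g in groups.items():
        uploaded = "sendDocument" in g["calls"] and g["bytes_sent"] >= min_upload_bytes
        findings.append({
            "host": host,
            "process": proc,
            "calls": sorted(set(g["calls"])),
            "bytes_sent": g["bytes_sent"],
            "tokens": sorted(g["tokens"]),
            "severity": "high" if uploaded else "medium",
        })
    return sorted(findings, key=lambda f: (f["host"], f["process"]))


if __name__ == "__main__":
    for finding in detect_telegram_exfil(SAMPLE_LOG):
        print(finding)
```

The bot id is retained because it is the stable identifier an analyst would pivot on across hosts, while the secret half of the token is what would let someone else read or send through the same bot, so it is dropped before the finding leaves the detection pipeline.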

Group-IB waited so long before sharing information about SideWinder APT to ensure it could catalogue the group's entire arsenal, retrieve information from backups and reverse engineer the tools the group used. Group-IB also wanted to determine an accurate timeline of the campaign undertaken by the threat group, it said in a response to Cybernews.
