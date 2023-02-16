

India-linked APT group carried out phishing attacks against government organisations in Asia, say analysts

February 16, 2023 02:24 pm | Updated 02:24 pm IST

SideWinder APT, believed to be an India-based threat group, carried out cyber espionage attacks using Telegram across Asia

The Hindu Bureau

SideWinder APT, a suspected India-based threat group, carried out cyber attacks using Telegram across Asia. | Photo Credit: Reuters

Previously unreported phishing operations were carried out by SideWinder, a suspected Indian-origin Advanced Persistent Threat (APT) actor, against 61 government, military, law enforcement and other organisations across Asia between June and November 2022, according to a report from Group-IB.

The group is believed to be one of the oldest nation-state groups and has been found to be active since at least 2012. 

Like many other advanced threat actors, SideWinder, also known as Rattlesnake, used the Telegram messaging app to receive information from compromised networks. The group, known for its ability to conduct hundreds of espionage operations within a short span, has a confirmed interest in cryptocurrency and was found to have targeted government organisations in Bhutan, Myanmar, Nepal, Sri Lanka and Pakistan, according to the report.

The group was also found to be behind phishing projects mimicking crypto companies, which is believed to be linked to the recent attempts to regulate the crypto markets in India.


The APT group uses spear phishing as its initial attack vector. It sends victims phishing emails containing malicious attachments or URLs which, when opened, deliver a malicious payload. The payload is then used to steal sensitive information by exploiting vulnerabilities in the victim’s devices.

Among the newly discovered tools being used by the group was SideWinder.RAT.b, a remote access Trojan written in Python and designed to steal and exfiltrate information collected from the victim’s device.

The tool is thought to be capable of extracting information including browsing history from Google Chrome, credentials saved in the browser, and a list of folders in the directory as well as metadata from the system.

Group-IB waited before sharing information about SideWinder APT so that it could catalogue the group’s entire arsenal, retrieve information from backups and reverse engineer the tools the group used. Group-IB also wanted to establish an accurate timeline of the campaign undertaken by the threat group, it said in a response to Cybernews.

