Feb 16, 2023, Ravie Lakshmanan
The prolific SideWinder group has been attributed as the nation-state actor behind attempted attacks against 61 entities in Afghanistan, Bhutan, Myanmar, Nepal, and Sri Lanka between June and November 2021.

Targets included government, military, law enforcement, banks, and other organizations, according to an exhaustive report[1] published by Group-IB, which also found links between the adversary and two other intrusion sets tracked as Baby Elephant and DoNot Team[2].

SideWinder[3] is also referred to as APT-C-17, Hardcore Nationalist (HN2), Rattlesnake, Razor Tiger, and T-APT4. It’s suspected to be of Indian origin, although Kaspersky in 2022 noted that the attribution is no longer deterministic.

The group[4] has been linked to no less than 1,000 attacks[5] against government organizations in the Asia-Pacific region since April 2020, according to a report from the Russian cybersecurity firm early last year.

Of the 61 potential targets compiled by Group-IB, 29 of them are located in Nepal, 13 in Afghanistan, 10 in Myanmar, six in Sri Lanka, and one is based out of Bhutan.

Typical attack chains mounted by the adversary start with spear-phishing emails containing an attachment or a booby-trapped URL that directs the victims to an intermediary payload that’s used to drop the final-stage malware.
SideWinder is also said to have added a slate of new tools to its operation, including a remote access trojan and an information stealer written in Python that’s capable of exfiltrating sensitive data stored on a victim’s computer via Telegram.
“Advanced attackers have started preferring Telegram over traditional command and control servers due to its convenience,” Group-IB said.

The Singapore-headquartered company further said it uncovered evidence tying the actor to a 2020 attack aimed at the Maldivian government, in addition to establishing infrastructure and tactical overlaps between SideWinder, Baby Elephant, and DoNot Team.

While DoNot Team is known to have an interest in Bangladesh, India, Nepal, Pakistan, and Sri Lanka, Baby Elephant was first documented[6] by Chinese cybersecurity firm Antiy Labs in 2021 as an advanced persistent threat from India targeting government and defense agencies in China and Pakistan.

“Since 2017, the number of ‘Baby Elephant’ attacks has doubled each year, and the attack methods and resources have gradually become richer, and the target has started to cover more areas in South Asia,” the company was quoted[7] as saying to Chinese state media outlet Global Times at the time.
Additionally, source code similarities have been unearthed between SideWinder’s tools and those used by other groups[8] with a South Asian focus, such as Transparent Tribe[9], Patchwork[10] (aka Hangover), and DoNot Team[11].
“This information suggests that state-sponsored threat actors are happy to borrow tools from one another and adjust them for their needs,” Group-IB said.

The ability of the threat actor to continuously refine its toolset based on its evolving priorities makes it a particularly dangerous actor operating in the espionage area.

“The group obviously has considerable financial resources and is most likely state-sponsored, given the fact that SideWinder has been able to be active for so long, develop new tools, and maintain a fairly large network infrastructure.”
References

1. exhaustive report (www.group-ib.com)
2. DoNot Team (thehackernews.com)
3. SideWinder (thehackernews.com)
4. group (www.trendmicro.com)
5. no less than 1,000 attacks (thehackernews.com)
6. first documented (mp.weixin.qq.com)
7. quoted (www.globaltimes.cn)
8. used by other groups (blog.talosintelligence.com)
9. Transparent Tribe (thehackernews.com)
10. Patchwork (thehackernews.com)
11. DoNot Team (blog.talosintelligence.com)
Read more https://thehackernews.com/2023/02/researchers-link-sidewinder-group-to.html