Pakistani APT Group Imitates Indian Cyber Operation Methods to Deliver Malware Attack
Creating secure cyberspace in India has become more strenuous in the wake of persistent cyberattacks on the country. The malware attacks by adversaries have not only targeted the critical infrastructure in India but have advanced to the government and the military sector too.
As a developing country, India possesses cyber offensive and defensive capabilities that could ward off attacks from adversaries. India’s cyber offensive front has been stepped up by the private firms that have launched cyber operations against the neighbouring adversaries covertly. Lately, some of the adversaries are even copying the methods used by the Indian cyber threat groups to launch malware attacks.
One of the Pakistani threat groups, known as SideCopy, was spotted imitating the infection chains of the Indian threat group SideWinder to deliver its own set of malware. SideCopy appears to borrow heavily from the attack methods of Indian APT groups such as SideWinder, which has been plaguing governments and enterprises in South Asia and East Asia since 2012. Other Indian groups that have come into the limelight for the same reason include Dark Basin, Phronesis and Aglaya.
The SideWinder Advanced Persistent Threat group has been conducting offensive cyber operations for a long time now. The group was spotted using the Binder exploit to attack mobile devices. It proactively targeted victims, including multiple government and military units in China, India, Nepal and Pakistan, using social-engineering techniques.
At present, SideCopy is actively copying techniques previously reserved for SideWinder. Seqrite, Quick Heal’s enterprise security brand, stated that the Pakistani cyber-espionage group has been active since 2019. Its threat intelligence team first uncovered the spear-phishing campaigns in September 2020.
The team’s analysis linked most of the older attacks to ‘Operation SideCopy’ through common IOCs. Cisco Talos, one of the networking giant’s cybersecurity divisions, stated that the group has continued to launch cyber operations against the Indian government and military. The group used spear-phishing emails, each carrying a malicious file attachment—ranging from LNK files to self-extracting RAR EXEs and MSI-based installers—that installed remote access trojans (RATs) on infected systems.
SideCopy operators deployed RAT plugins ranging from file enumerators to credential stealers and keyloggers. The APT group’s activities closely resemble the campaigns of another Pakistani threat group, APT36 (aka Mythic Leopard and Transparent Tribe), which has recently shifted its focus to Afghanistan. The Talos report stated that the sophistication of the attacks has increased and become more visible in 2020 and 2021. A spike in the group’s activity was also reported by the Chinese security firm Rising.
The cyber-espionage efforts between India and Pakistan have continued for more than five years now. Both countries keep tabs on each other using cyberwarfare capabilities, while aggressively pursuing advanced infection techniques to ‘infect the victims’.