Cybersecurity researchers from Group-IB have identified previously unknown phishing campaigns attributed to the Sidewinder group, which is believed to have connections with Indian nationalists.
Since 2020, Sidewinder has carried out a series of 1,000 attacks using increasingly sophisticated techniques. In 2022, Kaspersky Lab described Sidewinder's targets as the military and law enforcement agencies of Pakistan, Bangladesh and other South Asian countries. The group is believed to be associated with the Indian government, but Kaspersky Lab states that it does not attribute the group to any country.
According to the report, the attacks targeted government, military and legal institutions across Asia. Group-IB was tracking Sidewinder, also known as Hardcore Nationalist (HN2), which attacked 61 organizations in Afghanistan, Bhutan, Myanmar, Nepal and Sri Lanka in 2021.
Government institutions were the main victims, accounting for 44 of the targets, and almost half of all attacks were aimed at targets in Nepal, which shares a land border with India. Afghanistan, which is separated from India by Pakistan, ranked second with 13 phishing attacks.
Group-IB added that Sidewinder stands out for its ability to carry out hundreds of espionage operations in a short period of time.
Group-IB also observed Sidewinder using Telegram to receive and process data taken from target systems, and noted that the group keeps updating its tools. One of them is a Python infostealer called “Sidewinder.stealerpy”.
Stealerpy can:
- extract Google Chrome browser history;
- collect credentials stored in the browser;
- list the folders in a directory;
- extract metadata and contents of DOCX, PDF and TXT files.
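The two behaviours described above, a scripting runtime reading Chrome's on-disk history and credential stores and the same process then talking to the Telegram Bot API, are a natural pair to hunt for. The following detection sketch is an added example written for this page, not Group-IB's tooling and not code from the Sidewinder report. It runs over a constructed, simplified JSON-lines event stream (file-read and network-connect events with an image path and pid, loosely modelled on endpoint telemetry such as Sysmon); the field names, the allow-listed process names and the sample events are all assumptions made for the illustration.

```python
"""Hunt for infostealer-style activity: non-browser processes reading Chrome
profile stores, and non-Telegram processes contacting api.telegram.org.
Added example for this article; event format and allow-lists are assumed."""
import json

# Tail of the Chrome profile paths that hold browsing history and saved logins.
CHROME_STORES = ("\\google\\chrome\\user data\\default\\history",
                 "\\google\\chrome\\user data\\default\\login data")
# Processes expected to open those files legitimately (assumed allow-list).
BROWSER_IMAGES = {"chrome.exe"}
# Telegram's Bot API endpoint, used by the stealer described in the article
# as a data channel; the desktop client is the expected legitimate caller.
TELEGRAM_API_HOST = "api.telegram.org"
TELEGRAM_CLIENTS = {"telegram.exe"}


def image_name(event):
    """Return the lower-cased executable name from a Windows or POSIX image path."""
    return event.get("image", "").replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyse_event(event):
    """Classify one event; returns a tag string or None if it looks benign."""
    image = image_name(event)
    kind = event.get("type")
    if kind == "file_read":
        path = event.get("path", "").replace("/", "\\").lower()
        if path.endswith(CHROME_STORES) and image not in BROWSER_IMAGES:
            return "chrome_store_read"
    elif kind == "net_connect":
        host = event.get("dest_host", "").lower()
        if host == TELEGRAM_API_HOST and image not in TELEGRAM_CLIENTS:
            return "telegram_api_contact"
    return None


def scan(lines):
    """Parse JSON-lines events and return [(pid, image, tag)] for suspicious ones.
    Malformed or empty lines are skipped rather than aborting the scan."""
    hits = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            continue
        tag = analyse_event(event)
        if tag:
            hits.append((event.get("pid"), image_name(event), tag))
    return hits


def correlate(hits):
    """Pids that both read a Chrome store and contacted the Telegram API:
    the combination is far more specific than either signal on its own."""
    tags_by_pid = {}
    for pid, _, tag in hits:
        tags_by_pid.setdefault(pid, set()).add(tag)
    needed = {"chrome_store_read", "telegram_api_contact"}
    return {pid for pid, tags in tags_by_pid.items() if needed <= tags}


# Constructed sample telemetry (not real logs). A Python interpreter reads
# both Chrome stores and then calls the Telegram API; Chrome and the Telegram
# desktop client do the same things legitimately; one line is garbage.
SAMPLE_LOG = r"""
{"type": "file_read", "pid": 4242, "image": "C:\\Python39\\python.exe", "path": "C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\History"}
{"type": "file_read", "pid": 1337, "image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "path": "C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"}
{"type": "file_read", "pid": 4242, "image": "C:\\Python39\\python.exe", "path": "C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"}
{"type": "net_connect", "pid": 4242, "image": "C:\\Python39\\python.exe", "dest_host": "api.telegram.org", "dest_port": 443}
{"type": "net_connect", "pid": 2001, "image": "C:\\Users\\alice\\AppData\\Roaming\\Telegram Desktop\\Telegram.exe", "dest_host": "api.telegram.org", "dest_port": 443}
{"type": "file_read", "pid": 4242, "image": "C:\\Python39\\python.exe", "path": "C:\\Users\\alice\\Documents\\budget.docx"}
this line is not JSON and must be skipped
"""

if __name__ == "__main__":
    found = scan(SAMPLE_LOG.splitlines())
    for pid, image, tag in found:
        print(f"pid={pid} image={image} {tag}")
    print("pids with both behaviours:", sorted(correlate(found)))
```

Reads of ordinary documents (the `budget.docx` line) are deliberately not flagged: the stealer does read DOCX, PDF and TXT files, but so does every office user, so that signal only becomes useful once a process has already been singled out by the store-read or Telegram-API tag. On a real deployment the allow-lists would also need the browser's updater and backup agents, and the path check would cover non-default Chrome profiles.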
Some of the group's campaigns targeted government agencies in Southeast Asia and used fake websites impersonating the Central Bank of Myanmar.
Group-IB was unable to determine whether any of the campaigns succeeded, but noted that in some of them the attackers posed as cryptocurrency companies. According to the experts, this may be linked to recent attempts to regulate cryptocurrency in India.
Group-IB believes Sidewinder used malicious links in emails to gain remote access and take over the target machine, or to conduct espionage by deploying an infostealer. The group is considered one of the oldest state-sponsored groups and has been active since at least 2012.
Group-IB published the results of the investigation only now because, according to the company, one of its main goals was to inventory Sidewinder's entire arsenal, extract all available information from backups and reverse-engineer the tools in order to establish the exact timeline of the campaign.