Researchers Link SideWinder Group to Dozens of Targeted Attacks in Multiple Countries

by crpt os


Feb 16, 2023 | Ravie Lakshmanan | Advanced Persistent Threat

The prolific SideWinder group has been attributed as the nation-state actor behind attempted attacks against 61 entities in Afghanistan, Bhutan, Myanmar, Nepal, and Sri Lanka between June and November 2021.

Targets included government, military, law enforcement, banks, and other organizations, according to an exhaustive report published by Group-IB, which also found links between the adversary and two other intrusion sets tracked as Baby Elephant and DoNot Team.

SideWinder is also referred to as APT-C-17, Hardcore Nationalist (HN2), Rattlesnake, Razor Tiger, and T-APT4. It’s suspected to be of Indian origin, although Kaspersky in 2022 noted that the attribution is no longer deterministic.

The group has been linked to no less than 1,000 attacks against government organizations in the Asia-Pacific region since April 2020, according to a report from the Russian cybersecurity firm early last year.

Of the 61 potential targets compiled by Group-IB, 29 of them are located in Nepal, 13 in Afghanistan, 10 in Myanmar, six in Sri Lanka, and one is based out of Bhutan.

Typical attack chains mounted by the adversary start with spear-phishing emails containing an attachment or a booby-trapped URL that directs the victims to an intermediary payload that’s used to drop the final-stage malware.

SideWinder is also said to have added a slate of new tools to its operation, including a remote access trojan and an information stealer written in Python that’s capable of exfiltrating sensitive data stored in a victim’s computer via Telegram.

“Advanced attackers have started preferring Telegram over traditional command and control servers due to its convenience,” Group-IB said.

The Singapore-headquartered company further said it uncovered evidence tying the actor to a 2020 attack aimed at the Maldivian government, in addition to establishing infrastructure and tactical overlaps between SideWinder, Baby Elephant, and DoNot Team.

While DoNot Team is known to have an interest in Bangladesh, India, Nepal, Pakistan, and Sri Lanka, Baby Elephant was first documented by Chinese cybersecurity firm Antiy Labs in 2021 as an advanced persistent threat from India targeting government and defense agencies in China and Pakistan.

“Since 2017, the number of ‘Baby Elephant’ attacks has doubled each year, and the attack methods and resources have gradually become richer, and the target has started to cover more areas in South Asia,” the company was quoted as saying to Chinese state media outlet Global Times at the time.

Additionally, source code similarities have been unearthed between SideWinder's tools and those used by other groups with a South Asian focus, such as Transparent Tribe, Patchwork (aka Hangover), and DoNot Team.

“This information suggests that state-sponsored threat actors are happy to borrow tools from one another and adjust them for their needs,” Group-IB said.

The ability of the threat actor to continuously refine its toolset based on its evolving priorities makes it a particularly dangerous actor operating in the espionage area.

“The group obviously has considerable financial resources and is most likely state-sponsored, given the fact that SideWinder has been able to be active for so long, develop new tools, and maintain a fairly large network infrastructure.”
