A nation-state cyber-espionage group linked to India has broadened its targeting beyond regional rivals in Pakistan, Afghanistan, China, and Nepal and is now focused on compromising computer systems and networks at maritime facilities in countries as far away as the Mediterranean Sea.
The group — known variously as SideWinder, Razor Tiger, and Rattlesnake — typically wages spear-phishing attacks using images of official-looking documents. In its latest campaigns, SideWinder has forged documents from specific ports, including the Port of Alexandria in Egypt, with high-interest topics such as job termination and salary reductions, researchers from BlackBerry said in a newly published advisory.
While the group has usually focused on rivals closer to home and is less prolific than other cyber spies, the current campaign suggests that they have expanded their targeting, says Ismael Valenzuela, vice president of threat research and intelligence at BlackBerry.
“It is the first time we have seen SideWinder targeting ports and maritime facilities in EMEA,” he says. “We see a lot of geopolitical turbulence and [changing] environments across the globe on a variety of issues. This often galvanizes threat groups and state sponsors to specifically strike down critical assets, like those within the maritime industry.”
The maritime industry has increasingly become a target of cyberattacks, posing serious danger to ships and ports. In 2019, the US Coast Guard warned shipping companies that attacks on their systems could lead to accidents and catastrophes. In the past year, following increased Chinese cyber operations against critical infrastructure, including maritime systems in and around the South China Sea, various countries in the Asia-Pacific region have banded together to protect their networks and systems.
The cyber warnings also come as physical threats to shipping increase. Piracy off the Atlantic coast of Africa and in the Arabian Sea, and among the island nations of the Asia-Pacific, has escalated, while ship malfunctions — such as the one that caused a vessel to collide with the Baltimore bridge — have become more common.
New Phishing Lures, Old Exploits
SideWinder has carried out attacks since at least 2012. The group is relatively sophisticated, sometimes using encrypted malware samples, various obfuscation techniques, and running code in memory to evade file scanners, according to a presentation at Black Hat Asia in 2022. From 2020 to 2022, the group carried out more than 1,000 attacks, Noushin Shabab, senior security researcher with Kaspersky, said during that presentation.
“I think what really makes them stand out among other APT [advanced persistent threat] actors is the large toolset they have with many different malware families, numerous new spear-phishing documents, and a very large infrastructure,” Shabab said. “I have not seen 1,000 attacks from a single APT” from another group in the past.
Still, the current cyberattacks are, in many cases, using older vulnerabilities, such as a flaw in Microsoft Office dating back to 2017. The vulnerability (CVE-2017-0199) allows remote code execution against old versions of Microsoft Office and Windows, and it has been a very popular attack vector, with more than 5,600 malware samples exploiting the issue this year, including 15 malicious samples reported from Egypt, according to BlackBerry.
Like most groups, SideWinder does not want to waste an exploit, even when it is seven years old, says Valenzuela.
“Why do we still see old CVEs like these exploited in the wild? Attackers know that many organizations don’t patch their Office software for many years,” he says. “That is especially common in organizations with legacy systems, which are often used in ports and maritime facilities as well as other critical infrastructure.”
BlackBerry documented the use of another very popular — and seven-year-old — vulnerability, in the Microsoft Office Equation Editor (CVE-2017-11882), with more than 9,500 samples of Office documents exploiting the issue since the start of 2024. Both of these vulnerabilities have made the Known Exploited Vulnerabilities list maintained by the Cybersecurity and Infrastructure Security Agency (CISA).
Maritime Under Attack
BlackBerry’s threat researchers discovered a number of domains in the first and second stages of the attack that are likely evidence of its targets, including a long list in South Asia covering Pakistan, Sri Lanka, Bangladesh, Myanmar, Nepal, and the Maldives. Egyptian ports appear to be the only target outside of India’s extended neighborhood.
While the group appears to be extending its reach to other regions of the world, the cyber operations are not actually targeting ports on a global scale, Valenzuela says.
“They’re definitely targeting ports in key countries where this threat actor has geopolitical interests, and that includes the Indian Ocean and the Mediterranean, [such as] Egypt,” he says. “We don’t have information about other targets in the Mediterranean Sea at this time.”
The researchers have not captured the final payload in the attacks, but based on the group’s previous activities, they believe the goal is intelligence-gathering and cyber espionage, the company stated in its advisory.