Previously undisclosed phishing operations attributed to a threat group believed to have links to Indian nationalists have been revealed by cyber analyst Group-IB. It says the attacks targeted government, military, and legal institutions across Asia.
The cybersecurity watchdog said it tracked SideWinder – also known as Hardcore Nationalist (HN2) – going after more than 60 organizations in Afghanistan, Bhutan, Myanmar, Nepal, and Sri Lanka in 2021.
Government agencies were by far the most heavily targeted, with 44 being singled out, as opposed to just four military organizations, while nearly half the total attacks were aimed at targets in Nepal, which shares a land border with India.
The second highest number of attacks was concentrated further afield from HN2’s suspected nation-state backer – 13 phishing campaigns were detected against entities in Afghanistan, which is separated from India by Pakistan.
Telegram used as base camp
Furthermore, Group-IB observed SideWinder using the popular messaging app Telegram to process data from targeted systems.
“Just like many other advanced threat actors, SideWinder started using the Telegram messaging app to receive information from compromised networks,” it said.
Group-IB added that the clandestine communication platform had become increasingly popular as a command-and-control center, or base of operations, “among both APT [advanced persistent threat] groups and financially-motivated cybercriminals over the past year” due its relative ease of use.
SideWinder has also been observed upgrading its toolkit by Group-IB, which described one of these new tools, SideWinder.StealerPy, as “an information stealer written in Python designed to exfiltrate information collected from the victim’s computer.”
Group-IB added: “SideWinder is notable for its ability to conduct hundreds of espionage operations within a short span of time.”
StealerPy allows HN2 to “extract a victim’s browsing history from Google Chrome, credentials saved in the browser, the list of folders in the directory, as well as meta information and contents of docx, pdf, and txt files.”
Among the HN2 phishing campaigns noted by Group-IB during an investigative trawl of the threat group’s backup archives were “phishing projects designed to target government agencies in Southeast Asia, among which were fake websites imitating the Central Bank of Myanmar.”
Cryptocurrency firms mimicked
Although it was unable to determine whether any of the 61 phishing campaigns detected and attributed to SideWinder had been successful, Group-IB noted that a couple mimicked cryptocurrency companies.
“SideWinder’s growing interest in cryptocurrency could be linked to the recent attempts to regulate the crypto market in India,” said Group-IB.
Phishing scams typically work by luring email account holders into clicking on a malicious link contained in a bogus message, purporting to be from a legitimate sender, typically offering something of interest or value to the victim.
In this case, Group-IB believes HN2 would have used the malicious links to remotely access and take over a target machine or conduct espionage operations by deploying a special type of malware known as an information stealer.
The suspected Indian threat actor is believed to be one of the oldest nation-state groups of its kind and to have been active since at least 2012.
When asked by Cybernews why it had waited so long since detecting the Asia campaign to publish the findings, Group-IB said one of its chief goals was to inventory the entire arsenal of SideWinder, retrieve all the information from the backups, and reverse engineer its tools to determine an accurate timeline of the campaign.
More from Cybernews:
Subscribe to our newsletter