India-backed cyber threat 'SideWinder' targeted over 60 companies in Afghanistan, Bhutan, Myanmar, Nepal and Sri Lanka: Group-IB

Group-IB, a global cybersecurity leader headquartered in Singapore, has documented previously unreported phishing operations carried out by the nation-state cyber threat actor "SideWinder" between June and November 2021. 

SideWinder, also known as Rattlesnake, Hardcore Nationalist (HN2) and T-APT4, is a state-sponsored hacking group believed to be affiliated with the Indian government, Group-IB wrote on its website.

The group has been involved in various cyber espionage campaigns targeting a range of industries, including government agencies, military organisations and energy companies.

According to Group-IB, the attackers attempted to target 61 government, military, law enforcement and other organizations in Afghanistan, Bhutan, Myanmar, Nepal and Sri Lanka in 2021. 

The campaign involved hackers using Telegram to receive information from compromised networks.

Group-IB, in its report titled "Old snake, new skin: Analysis of SideWinder APT activity between June and November 2021," confirmed links between the SideWinder, Baby Elephant, and Donot advanced persistent threat groups and described the entire arsenal of the cyberespionage group, including newly discovered tools.

Group-IB, in June 2022, discovered the group's newest custom tool, SideWinder.AntiBot.Script, which was used in previously documented phishing attacks against Pakistani organisations. SideWinder is notable for its ability to conduct hundreds of espionage operations within a short period.

During proactive threat-hunting operations, the researchers discovered backup archives on infrastructure attributed to SideWinder. One of the 2021 archives contained several phishing projects designed to target government agencies in Southeast Asia, among which were fake websites imitating the Central Bank of Myanmar, added Group-IB.

Based on the date when the related phishing pages were edited, the Group-IB team was able to reconstruct an approximate timeline of SideWinder's phishing operations between June and November 2021. 

As the phishing resources were retrieved from a backup archive by the Group-IB team, there is a possibility that SideWinder's attacks may have started earlier.

Further analysis allowed the Group-IB team to compile a list of the group's 61 potential targets, which include government, military, financial, law enforcement, political, telecommunications and media organizations in Afghanistan, Bhutan, Myanmar, Nepal and Sri Lanka. It's unknown whether any of these phishing campaigns were successful.

The researchers also discovered two phishing projects mimicking crypto companies. SideWinder's growing interest in cryptocurrency could be linked to the recent attempts to regulate the crypto market in India.

The report is primarily intended for analysis purposes among cybersecurity experts, but it provides interesting insight into the nefarious cyber activities of the Indian government as well, Group-IB added on its website.