India-Linked SideWinder Group Pivots to Hacking Maritime Targets

A nation-state cyber-espionage group linked to India has broadened its targeting beyond regional rivals in Pakistan, Afghanistan, China, and Nepal and is focused on compromising computer systems and networks at maritime facilities in countries as far away as the Mediterranean Sea.

The group — known variously as SideWinder, Razor Tiger, and Rattlesnake — typically wages spear-phishing attacks using images of official-looking documents. In its latest campaigns, SideWinder has falsified documents from specific ports, including the Port of Alexandria in Egypt, with high-interest topics such as job termination and salary reductions, researchers from BlackBerry said in a newly published advisory.

While the group has typically focused on rivals closer to home and is less prolific than other cyber spies, the current campaign suggests that they have expanded their targeting, says Ismael Valenzuela, vice president of threat research and intelligence at BlackBerry.

“It is the first time we have seen SideWinder targeting ports and maritime facilities in EMEA,” he says. “We see a lot of geopolitical turbulence and [changing] environments across the globe on a variety of issues. This often galvanizes threat groups and state sponsors to specifically strike down critical assets, like those within the maritime industry.”

The maritime industry has increasingly become a target of cyberattacks, posing serious danger to ships and ports. In 2019, the US Coast Guard warned shipping companies that attacks on their systems could lead to accidents and catastrophes. In the past year, following increased Chinese cyber operations against critical infrastructure, including maritime systems in and around the South China Sea, a number of countries in the Asia-Pacific region have banded together to protect their networks and systems.

The cyber warnings also come as physical threats to shipping increase. Piracy off the Atlantic coast of Africa and in the Arabian Sea, and among the island nations of the Asia-Pacific, has escalated, while ship malfunctions — such as the one that caused a vessel to collide with the Baltimore bridge — have become more common.

New Phishing Lures, Old Exploits

SideWinder has conducted attacks since at least 2012. The group is relatively sophisticated, typically using encrypted malware samples, various obfuscation techniques, and running code in memory to avoid file scanners, according to a presentation at Black Hat Asia in 2022. From 2020 to 2022, the group conducted more than 1,000 attacks, Noushin Shabab, senior security researcher with Kaspersky, said during that presentation.

“I think what really makes them stand out among other APT [advanced persistent threat] actors is the large tool set they have, with many different malware families, a lot of new spear-phishing documents, and a very large infrastructure,” Shabab said. “I have not seen 1,000 attacks from a single APT” from another group so far.

However, the current cyberattacks are, in many cases, using older vulnerabilities, such as a flaw in Microsoft Office dating back to 2017. The vulnerability (CVE-2017-0199) allows remote code execution against older versions of Microsoft Office and Windows, and has been a very popular attack vector, with more than 5,600 malware samples exploiting the issue this year, including 15 malicious samples reported from Egypt, according to BlackBerry.

Like most groups, SideWinder does not like to waste a good exploit, even if it is seven years old, says Valenzuela.

“Why do we still see old CVEs like these exploited in the wild? Attackers know that many organizations don’t patch their Office software for many years,” he says. “This is especially common in organizations with legacy systems, which are often used in ports and maritime facilities as well as other critical infrastructure.”

BlackBerry documented the use of another very popular — and seven-year-old — vulnerability, in the Microsoft Office Equation Editor (CVE-2017-11882), with more than 9,500 samples of Office documents exploiting the issue since the start of 2024. Both of these vulnerabilities have made the Known Exploited Vulnerabilities list maintained by the Cybersecurity and Infrastructure Security Agency (CISA).

Maritime Under Attack

BlackBerry’s threat researchers discovered a number of domains in the first and second stages of the attack that are likely evidence of its targets, including a long list in South Asia covering Pakistan, Sri Lanka, Bangladesh, Myanmar, Nepal, and the Maldives. Egyptian ports appear to be the only target outside of India’s extended neighborhood.

While the nation appears to be extending its reach to other regions of the world, the cyber operations are not actually targeting ports on a global scale, Valenzuela says.

“They are really targeting ports in key countries where this threat actor has geopolitical interests, and that includes the Indian Ocean and the Mediterranean, [such as] Egypt,” he says. “We don’t have information about other targets in the Mediterranean Sea at this time.”

The researchers have not captured the final payload in the attacks, but based on the group’s previous activities, they believe the goal is intelligence gathering and cyber espionage, the company stated in its advisory.
