Intelligence and security reports claim that since 2019 an APT group has been targeting Indian defence units and armed forces to steal sensitive information.
The security firm Seqrite disclosed the attack, having uncovered a new Advanced Persistent Threat (APT) group that primarily targets India's defence forces.
The campaign was named 'Operation SideCopy', and the attackers behind it were found misleading the security community by imitating the tactics, techniques, and procedures (TTPs) of other groups. Seqrite's researchers say they have uncovered strong evidence about 'Operation SideCopy'.
The evidence points to possible links with Pakistan and the Transparent Tribe group. With this discovery, Seqrite claims to be the first cybersecurity vendor to disclose the true identity and motive of these attackers.
Key Findings
According to the Seqrite report, the key findings of the operation are:
- Operation SideCopy has been running since early 2019 and is still active.
- The cyber-operation targets only Indian defence forces, armed forces, and their employees.
- The malware modules observed are under continual development; updated modules are released after reconnaissance of victim data.
- The attackers keep track of malware detections and update their modules once they are exposed by AV.
- Nearly all command-and-control (CNC) servers belong to Contabo GmbH, and the server names resemble machine names found in the Transparent Tribe report.
- The attackers mislead the security community by imitating TTPs that point to the SideWinder APT group.
- Seqrite suspects this actor has links with the Transparent Tribe APT group.
Linked URLs
Before summarising the attack, Seqrite listed the URLs that mshta.exe was seen connecting to across multiple customers:
- hxxps://demo[.]smart-hospital[.]in/uploads/staff_documents/19/Armed-Forces-Spl-Allowance-Order/html/
- hxxps://demo[.]smart-hospital[.]in/uploads/staff_documents/19/Defence-Production-Policy-2020/html/
- hxxps://demo[.]smart-hospital[.]in/uploads/staff_documents/19/Images/8534
- hxxps://demo[.]smart-hospital[.]in/uploads/staff_documents/19/IncidentReport/html/
- hxxps://demo[.]smart-hospital[.]in/uploads/staff_documents/19/ParaMil-Forces-Spl-Allowance-Order/html/
- hxxps://demo[.]smart-hospital[.]in/uploads/staff_documents/19/Req-Data/html
- hxxps://demo[.]smart-hospital[.]in/uploads/staff_documents/19/Sheet_Roll/html
- hxxps://demo[.]smart-school[.]in/uploads/staff_documents/9/Sheet_Roll/html
- hxxps://demo[.]smart-school[.]in/uploads/student_documents/12/css/
- hxxps://drivetoshare[.]com/mod[.]gov[.]in_dod_sites_default_files_Revisedrates/html
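The URLs above are published defanged (hxxps, [.]) so they cannot be clicked by accident. The following script is an added example, not code from the Seqrite report: it refangs a subset of those indicators, extracts their hostnames, and scans process-creation log lines for mshta.exe being launched with a remote URL, flagging a match against the indicator list as well as any other remote HTA load, since mshta fetching remote content is itself worth reviewing. The log lines and the intranet hostname are constructed for illustration; the `ProcessCreate` line format is an assumption, not a real product's schema.

```python
"""
Added example (not from the Seqrite report): refang the defanged URL
indicators and match them against constructed process-creation log lines
in which mshta.exe is launched with a remote URL.
"""
import re
from urllib.parse import urlparse

# Defanged indicators exactly as published; a subset of the page's list.
DEFANGED_IOCS = [
    "hxxps://demo[.]smart-hospital[.]in/uploads/staff_documents/19/Armed-Forces-Spl-Allowance-Order/html/",
    "hxxps://demo[.]smart-school[.]in/uploads/student_documents/12/css/",
    "hxxps://drivetoshare[.]com/mod[.]gov[.]in_dod_sites_default_files_Revisedrates/html",
]


def refang(ioc: str) -> str:
    """Turn a defanged indicator (hxxp, [.]) back into a real URL string."""
    ioc = re.sub(r"^hxxp(s?)://", r"http\1://", ioc, flags=re.IGNORECASE)
    return ioc.replace("[.]", ".")


def ioc_hosts(iocs):
    """Lower-cased set of hostnames taken from the indicator list."""
    return {urlparse(refang(i)).hostname.lower() for i in iocs}


# A URL argument handed to mshta.exe on a command line (quotes optional).
MSHTA_URL_RE = re.compile(r'mshta(?:\.exe)?"?\s+"?(https?://[^\s"]+)', re.IGNORECASE)


def suspicious_mshta_launches(log_lines, iocs=DEFANGED_IOCS):
    """
    Return (line_no, url, reason) for every line where mshta.exe loads a
    remote URL. reason is 'known_ioc' when the host is in the indicator
    list, otherwise 'remote_hta' (any remote HTA load deserves a look).
    """
    hosts = ioc_hosts(iocs)
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = MSHTA_URL_RE.search(line)
        if not m:
            continue
        url = m.group(1)
        host = (urlparse(url).hostname or "").lower()
        reason = "known_ioc" if host in hosts else "remote_hta"
        hits.append((n, url, reason))
    return hits


# Constructed sample process-creation events (not real telemetry).
SAMPLE_LOG = [
    'ProcessCreate Image=C:\\Windows\\System32\\mshta.exe CommandLine="mshta.exe https://demo.smart-hospital.in/uploads/staff_documents/19/Armed-Forces-Spl-Allowance-Order/html/"',
    'ProcessCreate Image=C:\\Windows\\System32\\notepad.exe CommandLine="notepad.exe report.txt"',
    'ProcessCreate Image=C:\\Windows\\System32\\mshta.exe CommandLine="mshta.exe https://intranet.example.internal/app.hta"',
    'ProcessCreate Image=C:\\Windows\\System32\\mshta.exe CommandLine="mshta.exe C:\\Users\\a\\local.hta"',
]

if __name__ == "__main__":
    for n, url, reason in suspicious_mshta_launches(SAMPLE_LOG):
        print(f"line {n}: {reason}: {url}")
```

Matching on hostname rather than the full path keeps the check useful when the attackers rotate the document-themed directory names while reusing the same compromised hosts; a full-path match would be stricter but more brittle.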
Seqrite has been tracking this campaign because it targets critical Indian organizations; traces of the operation go back to early 2019 and continue to the present.
Seqrite identified three infection chains. In two of them the initial infection vector was an LNK file delivered by malspam. In one case, the threat actors used a template injection attack together with the Equation Editor vulnerability (CVE-2017-11882) as the initial infection vector.
The initial infection vector differs in the third chain, but its final payload is related to that of the first two chains.
Infection Chain
The report illustrates the three chains in figures captioned Infection Chain 1, Infection Chain 2, and Infection Chain 3 (images not reproduced here).
Seqrite's researchers are still investigating the operation carefully, and they assert that the attackers running it are a sub-division of the Transparent Tribe APT group who imitate the TTPs of other actors to deceive the security community.