APT Group Attacks Indian Defense Units and Armed Forces Since 2019 Aimed to Steal Sensitive Data

The intelligence and security reports have claimed that since 2019 the APT group was exploiting the Indian defense unit and Armed forces to steal sensitive information.

The security firm, Seqrite has disclosed this attack, and they have uncovered a new Advanced Persistent Threat (APT) that is generally targeting India’s Defence Forces. 


This group was entitled to ‘Operation Sidecopy,’ and the attackers behind this attack were found distorting the security alliance by imitating all Tactics, Procedures, and Methods (TTP). And the security experts at Seqrite have uncovered very definite proof of ‘Operation Sidecopy.’

The proof affirms that having possible links with Pakistan and Transparent Tribe group. Apart from this, it’s one of the breakthrough discoveries that creating Seqrite as the first cybersecurity brand to disclose the real identification and motive of these attackers.

Key Findings

According to the Seqrite report, the main key findings of these operations are:-

  • Operation SideCopy is running all its operations from early 2019 to till now.
  • The cyber-operation has been only attacking the Indian defense forces, armed forces, and employees.
  • Malware modules that have been seen are continually under development, and updated modules are published after surveillance of victim data.
  • The attackers are keeping track of malware discoveries and updating modules when exposed by AV.
  • Nearly all CNC belongs to Contabo GmbH, and server names are related to machine names found in the Transparent Tribe report.
  • The attackers are misleading the security community by imitating TTP that points at the Sidewinder APT group.
  • The Seqrite suspect this attacker has links with the Transparent Tribe APT group.

Linked URLs

Before summarising the whole attack, Seqrite has mentioned the list of URLs that are connected from “mshta.exe” across multiple customers and here they are:-

  • hxxps://demo[.]smart-hospital[.]in/uploads/staff_documents/19/Armed-Forces-Spl-Allowance-Order/html/
  • hxxps://demo[.]smart-hospital[.]in/uploads/staff_documents/19/Defence-Production-Policy-2020/html/
  • hxxps://demo[.]smart-hospital[.]in/uploads/staff_documents/19/Images/8534
  • hxxps://demo[.]smart-hospital[.]in/uploads/staff_documents/19/IncidentReport/html/
  • hxxps://demo[.]smart-hospital[.]in/uploads/staff_documents/19/ParaMil-Forces-Spl-Allowance-Order/html/
  • hxxps://demo[.]smart-hospital[.]in/uploads/staff_documents/19/Req-Data/html
  • hxxps://demo[.]smart-hospital[.]in/uploads/staff_documents/19/Sheet_Roll/html
  • hxxps://demo[.]smart-school[.]in/uploads/staff_documents/9/Sheet_Roll/html
  • hxxps://demo[.]smart-school[.]in/uploads/student_documents/12/css/
  • hxxps://drivetoshare[.]com/mod[.]gov[.]in_dod_sites_default_files_Revisedrates/html

Moreover, Seqrite has already started tracking this campaign as it was targeting crucial Indian companies and organizations; not only this, the traces of this operation can be tracked from early 2019 till to the date. 

Apart from this, Seqrite has identified three infection chain method; the initial infection vector in two of the chains was the LNK file that came from a malspam. In one case, they observed that the threat actors are making use of template injection attack and equation editor vulnerability (CVE-2017-11882) as the first infection vector.

The initial infection vector is altered in the third case, and the final payload is related to the first two chains.

Infection Chain

Infection Chain 1

Infection chain 2

Infection Chain 3

The security experts at Seqrite are still investigating the whole operation very carefully, and they asserted that the attackers who are operating this operation is a sub-division under the Transparent-Tribe APT group and are just imitating the TTP of other attackers to deceive the security communities.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity and hacking news updates.

Also Read:

Microsoft Suspended 18 Azure Active Directory Apps That Operated by the Chinese APT Hackers

US Charges Five Hackers from Chinese APT41 Hacker Group for Hacking More than 100 Firms Globally

Hidden Cobra APT Hackers Attack Japanese Organisations Via Obfuscation Malware & Remote SMB Tool

Iranian Charming Kitten APT Hackers Deploying Malware via WhatsApp Messages

Chinese APT Hackers Attack India & Hong Kong Using a New Malware to Steal Sensitive Data Remotely

APT Hackers Group Carefully Deploy Evilnum Malware Toolkit on Financial Sectors via Google Drive

U.S Charges Two Iranian Hackers for Attacking Computer Systems in the United States, Europe & Middle East

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.