SideWinder Cyber Attacks On Maritime Facilities
The nation-state threat actor known as SideWinder has launched a new cyber espionage campaign aimed at ports and maritime facilities in the Indian Ocean and Mediterranean Sea.
According to the BlackBerry Research and Intelligence Team, this spear-phishing campaign has targeted countries including Pakistan, Egypt, Sri Lanka, Bangladesh, Myanmar, Nepal, and the Maldives.
Also referred to as APT-C-17, Baby Elephant, Hardcore Nationalist, Leafperforator, Rattlesnake, and Razor Tiger, SideWinder is believed to have ties to India and has been active since 2012. The group frequently employs spear-phishing techniques to deliver malicious payloads and initiate its attack chains.
The Canadian cybersecurity firm detailed that "SideWinder utilizes email spear-phishing, document exploitation, and DLL side-loading methods to evade detection and deploy targeted implants."
Recent attacks have leveraged lures related to sensitive topics such as sexual harassment, employee termination, and salary cuts, aiming to manipulate recipients' emotions and entice them into opening compromised Microsoft Word documents.
Upon opening the decoy file, the attack exploits a known vulnerability (CVE-2017-0199) to connect to a malicious domain that pretends to be Pakistan's Directorate General Ports and Shipping ("reports.dgps-govtpk[.]com") to download an RTF file.
This RTF document then triggers another vulnerability (CVE-2017-11882) in the Microsoft Office Equation Editor, executing shellcode that launches JavaScript code only after confirming the compromised system is a genuine host (not an analysis environment) and of interest to the attacker.
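The first stage of the chain above is a Word document that resolves an external OLE link as soon as it is opened (the CVE-2017-0199 vector). As an added example that is not from the BlackBerry report, the Python script below unpacks an Office package and flags relationships that Word dereferences automatically and that point off-host; the minimal sample document and the lure.example URL are constructed for the demonstration.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
# Relationship types Word resolves on open without user interaction; a remote
# target here is the classic CVE-2017-0199 / remote-template pattern.
RISKY_TYPES = ("oleObject", "attachedTemplate")
REMOTE_SCHEME = re.compile(r"(?i)^(https?|ftp|file):")


def scan_office_package(data: bytes) -> list[dict]:
    """Return every auto-resolved relationship whose target is a remote URL."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):  # only relationship parts matter
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                rtype = rel.get("Type", "").rsplit("/", 1)[-1]
                target = rel.get("Target", "")
                if (rel.get("TargetMode") == "External"
                        and rtype in RISKY_TYPES
                        and REMOTE_SCHEME.match(target)):
                    findings.append({"part": name, "type": rtype, "target": target})
    return findings


def build_sample_docx(target: str) -> bytes:
    """Constructed minimal .docx whose document.xml.rels carries an OLE link."""
    rels = (
        f'<?xml version="1.0" encoding="UTF-8"?><Relationships xmlns="{REL_NS}">'
        '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/'
        f'officeDocument/2006/relationships/oleObject" Target="{target}" TargetMode="External"/>'
        '<Relationship Id="rId2" Type="http://schemas.openxmlformats.org/'
        'officeDocument/2006/relationships/styles" Target="styles.xml"/></Relationships>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")  # body content is irrelevant to the check
        zf.writestr("word/document.xml", "<doc/>")
        zf.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    for hit in scan_office_package(build_sample_docx("http://lure.example/stage2.rtf")):
        print(f"[!] {hit['part']}: external {hit['type']} -> {hit['target']}")
```

A relative target such as an embedded object is not flagged, so the check isolates documents that phone home on open rather than every document containing OLE.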
While the exact payload delivered via the JavaScript malware remains unknown, the likely goal is intelligence gathering, consistent with SideWinder's past operations.
BlackBerry noted, "The SideWinder threat actor continues to enhance its infrastructure for targeting victims in new regions." The ongoing evolution of its network and delivery mechanisms indicates that SideWinder is poised to persist with its attacks in the foreseeable future.
This revelation coincides with reports of a suspected Russian-linked threat actor targeting entities involved in Indian political affairs. This group is deploying a Go-based remote access trojan (RAT) via a .NET loader initiated from Windows shortcut (LNK) files disguised as Office documents, in an operation dubbed Operation ShadowCat.