Suspected Pakistani APT group targeting Indian Critical Infrastructure PSUs: Seqrite Report
New Delhi: Seqrite, a specialist provider of enterprise cybersecurity products and solutions and the enterprise arm of Quick Heal Technologies Limited, has uncovered the second wave of an APT campaign by the operators of the Pakistan-based SideCopy Advanced Persistent Threat (APT). The report reveals that the list of targets includes Critical Infrastructure PSUs from the telecom, power, and finance sectors in India.
According to the Seqrite report, the threat actors were leveraging compromised websites that resemble the websites the targeted organizations would normally access. This shows that the attackers carried out detailed reconnaissance before launching the campaign. Through analysis of the attack chain, the command-and-control (C2) server communication, and the available telemetry data, researchers at Seqrite identified several compromised websites that are being used to host the attack scripts and act as C2 servers. Further analysis of data accessible from some of these C2 servers led the researchers to an IP address that appeared across different C2 servers. In fact, this IP address turned out to be the first entry in many of the logs, which indicates that the corresponding system is likely being used to test the attack before launch.
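The correlation the report describes (one client address that appears in the logs of several C2 servers and is the first entry in many of them) can be illustrated with the following added Python example. It is not Seqrite's code; the C2 host names, log excerpts and IP addresses are constructed sample data, and the "first entry" heuristic is applied exactly as the report states it.

```python
import re
from collections import Counter

# Constructed Combined-Log-Format excerpts from three hypothetical C2 hosts
# (sample data, not from the Seqrite report; RFC 5737 documentation addresses).
C2_LOGS = {
    "c2-a": [
        '192.0.2.10 - - [01/Mar/2021:09:01:12 +0000] "GET /update.php HTTP/1.1" 200 5120',
        '198.51.100.7 - - [01/Mar/2021:10:15:44 +0000] "GET /update.php HTTP/1.1" 200 5120',
        '203.0.113.20 - - [01/Mar/2021:11:02:01 +0000] "GET /update.php HTTP/1.1" 200 5120',
    ],
    "c2-b": [
        '192.0.2.10 - - [02/Mar/2021:08:30:05 +0000] "GET /news.html HTTP/1.1" 200 40960',
        '203.0.113.20 - - [02/Mar/2021:12:44:19 +0000] "GET /news.html HTTP/1.1" 200 40960',
        '203.0.113.21 - - [02/Mar/2021:13:01:50 +0000] "GET /news.html HTTP/1.1" 200 40960',
    ],
    "c2-c": [
        '198.51.100.9 - - [03/Mar/2021:07:12:33 +0000] "POST /beacon HTTP/1.1" 200 12',
        '192.0.2.10 - - [03/Mar/2021:07:13:02 +0000] "POST /beacon HTTP/1.1" 200 12',
        '203.0.113.20 - - [03/Mar/2021:09:40:27 +0000] "POST /beacon HTTP/1.1" 200 12',
    ],
}

# The client IP is the first whitespace-delimited field of a CLF/combined log line.
CLIENT_IP_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}) ")

def client_ips(lines):
    """Client IPs of one log, in file order (unparseable lines are skipped)."""
    return [m.group(1) for line in lines if (m := CLIENT_IP_RE.match(line))]

def common_ips(logs):
    """IPs that contacted every C2 host. Note that a victim reaching all hosts
    (203.0.113.20 in the sample) also qualifies, so this alone is not attribution."""
    per_host = [set(client_ips(lines)) for lines in logs.values()]
    return set.intersection(*per_host) if per_host else set()

def first_entry_hosts(logs, ip):
    """Hosts whose very first logged request came from `ip`: the 'tested before launch' signal."""
    return sorted(host for host, lines in logs.items() if client_ips(lines)[:1] == [ip])

def rank_candidates(logs):
    """Rank IPs seen on every host by how many hosts they opened; the top entry is the
    likeliest operator test system and the one worth enriching (ASN/provider lookup)."""
    scores = Counter({ip: len(first_entry_hosts(logs, ip)) for ip in common_ips(logs)})
    return scores.most_common()

if __name__ == "__main__":
    for ip, opened in rank_candidates(C2_LOGS):
        print(f"{ip}: seen on all {len(C2_LOGS)} hosts, first entry on {opened} of them")
```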
Further investigation of that IP, using data from whatismyipaddress.com, revealed that the provider of that IP address is Pakistan Telecommunication Company Limited. This finding further strengthens the claim that Operation SideCopy, which is operated by the Transparent Tribe group, originates in Pakistan. The report also lists the targets that were identified through the analyzed C2s.
These targets include Critical Infrastructure PSUs from the telecom, power, and finance sectors. This is likely only a subset of the targets, since several other C2s are in use in the Operation SideCopy campaign and are probably targeting other entities.
Upon discovery, Seqrite researchers proactively alerted the Government authorities and are working with them to keep potential targets safe. Researchers suspect this attack to be a cyber-espionage campaign aimed at collecting sensitive information to gain a competitive advantage against India. The evidence gathered by Seqrite suggests a highly organized operation designed to evade most security mechanisms. As part of the campaign, the attackers are sending out phishing emails with government-themed documents in an attempt to lure targets into opening the attachments.
According to Seqrite researchers, the malicious actors have enhanced their attack tools and methods compared to last year in order to make detection more difficult. The final payload can capture sensitive information including screenshots, keystrokes, and files from the affected system. In addition, it can execute commands received as instructions from the C2 servers. This shows that the attack group is well funded and is actively improving its attack mechanisms to infiltrate the target entities. The group can potentially steal critical intelligence from government agencies and their associated bodies, and can then use that information to craft further lures and target other Government departments.
Researchers at Seqrite first exposed the operations of Operation SideCopy in 2020 and have since come across a new wave of cyber-espionage campaigns by the attackers aimed at high-profile targets among Critical Infrastructure PSUs from the telecom, power, and finance sectors.
Earlier, in October 2020, Seqrite published a report on Operation SideCopy APT targeting Indian Defence Units. The new finding reveals that Operation SideCopy has expanded its target list to Critical Infrastructure. As part of the investigation, Seqrite researchers have discovered potential links tying Operation SideCopy and its operators to Pakistan.