Recent findings from Quick Heal’s threat intelligence team revealed that the Indian defense forces have been dealing with an Advanced Persistent Threat (APT) in a long-term campaign that is being called Operation SideCopy. Common IOCs link Operation SideCopy to numerous attacks and smaller campaigns throughout the past year. Some more key findings indicate that Operation SideCopy has been active from early 2019 through the present day.
- This cyber-operation has only been observed to be targeting Indian defense forces and armed forces personnel.
- Malware modules seen are constantly under development and updated modules are released after a reconnaissance of victim data.
- Threat actors are keeping track of malware detections and updating modules when detected by AV.
- Almost all C2 server infrastructure belongs to Contabo GmbH and server names are similar to machine names found in the Transparent Tribe report.
- Quick Heal’s intelligence team believes that this threat actor is misleading the security community by copying TTPs that point at Sidewinder APT group.
- It is suspected that whoever is behind Operation SideCopy also has links with the Transparent Tribe APT group.
It is believed that Operation SideCopy is using three different variations of infection chains. An LNK file stemming from a malspam campaign was used as the initial infection vector in two of the infection chains. While the third infection chain uses a different infection vector, the payload is quite similar.
India and Pakistan have been fighting over the Kashmir region for decades, and the physical fighting has been accompanied by cyber-attacks from both sides for many years. Typically, the cyber-attacks that are seen being exchanged by the two sides come from independent hackers who use defacement attacks and data breaches to cause damage to the opposing country. The APT known as Transparent Tribe, which is attributed to Pakistan, has reportedly been misleading the security community by using Tactics, Techniques, and Procedures (TTPs) that mirror those use by Side Winder APT, which is attributed to India. It is no surprise that an APT from Pakistan would be targeting Indian defense forces in an effort to steal intelligence. This false flag operation has been successful in buying the Pakistan APT more time to conduct attacks and steal intelligence. Now that Quick Heal’s intelligence team has identified and published information about this campaign, it is possible that Transparent Tribe will change tactics to avoid detection.