Recent findings from Quick Heal's threat intelligence team reveal that the Indian defense forces have been dealing with a long-running Advanced Persistent Threat (APT) campaign that the team is calling Operation SideCopy. Shared IOCs link Operation SideCopy to numerous attacks and smaller campaigns over the past year, and the evidence indicates that the operation has been active from early 2019 through the present day. Further key findings:
- This cyber-operation has only been observed to be targeting Indian defense forces and armed forces personnel.
- The malware modules observed are under constant development, and updated modules are released after reconnaissance of victim data.
- The threat actors keep track of malware detections and update modules once they are detected by AV.
- Almost all C2 server infrastructure belongs to Contabo GmbH, and server names resemble machine names found in the Transparent Tribe report.
- Quick Heal's intelligence team believes this threat actor is misleading the security community by copying TTPs that point to the Sidewinder APT group.
- It is suspected that whoever is behind Operation SideCopy also has links with the Transparent Tribe APT group.
Operation SideCopy is believed to use three variants of its infection chain. In two of them, the initial infection vector is an LNK file delivered by a malspam campaign. The third chain uses a different initial vector, but its payload is very similar.
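Because two of the three chains start with a shortcut file, the first triage step for an analyst is to recover what the LNK actually launches without double-clicking it. The following parser is an added example, not code from the Quick Heal report or from the SideCopy samples: it reads the ShellLinkHeader and StringData section of a `.lnk` file as laid out in MS-SHLLINK and flags traits that malicious shortcuts commonly show (a LOLBin such as mshta.exe as the target, a URL in the arguments, a hidden window, a borrowed document icon). The LOLBin and icon heuristic lists, the `build_lnk` fixture builder, and the sample shortcut pointing at `http://example.invalid/Notice.hta` are assumptions constructed for this example; no indicator here is taken from the campaign.

```python
"""Triage helper for Windows shortcut (.lnk) files (added example, not from the report)."""
import struct
from dataclasses import dataclass, field
from typing import List, Optional

LNK_HEADER_SIZE = 0x4C
# LinkCLSID 00021401-0000-0000-C000-000000000046 as stored on disk
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# LinkFlags bits (MS-SHLLINK section 2.1.1)
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

SW_SHOWMINNOACTIVE = 7  # ShowCommand value that keeps the launched window out of sight

# Heuristic lists: assumptions for this example, not indicators from the campaign
LOLBIN_HOSTS = ("mshta", "powershell", "cmd.exe", "wscript", "cscript",
                "rundll32", "regsvr32", "certutil", "msiexec")
DOCUMENT_ICON_HINTS = ("acrord", "winword", "excel", "powerpnt")


@dataclass
class LnkSummary:
    show_command: int = 1
    name: Optional[str] = None
    relative_path: Optional[str] = None
    working_dir: Optional[str] = None
    arguments: Optional[str] = None
    icon_location: Optional[str] = None
    indicators: List[str] = field(default_factory=list)


def _read_string(buf: bytes, off: int, unicode: bool):
    """StringData item: u16 character count followed by that many characters."""
    (count,) = struct.unpack_from("<H", buf, off)
    off += 2
    if unicode:
        return buf[off:off + 2 * count].decode("utf-16-le"), off + 2 * count
    return buf[off:off + count].decode("cp1252", errors="replace"), off + count


def find_indicators(s: LnkSummary) -> List[str]:
    """Cheap heuristics over the recovered fields; tune the lists to your environment."""
    out = []
    target = (s.relative_path or "").lower()
    args = (s.arguments or "").lower()
    icon = (s.icon_location or "").lower()
    for host in LOLBIN_HOSTS:
        if host in target:
            out.append(f"target is a script/LOLBin host: {host}")
    if "http://" in args or "https://" in args:
        out.append("URL in arguments (remote payload fetch)")
    if len(args) > 200:
        out.append(f"unusually long arguments ({len(args)} chars)")
    if s.show_command == SW_SHOWMINNOACTIVE:
        out.append("ShowCommand=7 hides the launched window")
    if any(hint in icon for hint in DOCUMENT_ICON_HINTS):
        out.append("icon borrowed from a document viewer (decoy appearance)")
    return out


def parse_lnk(data: bytes) -> LnkSummary:
    """Parse header, skip IDList/LinkInfo, read StringData in its fixed order."""
    try:
        header_size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
        if header_size != LNK_HEADER_SIZE or clsid != LNK_CLSID:
            raise ValueError("not a shell link: bad HeaderSize or LinkCLSID")
        (show_command,) = struct.unpack_from("<I", data, 60)  # ShowCommand field
        off = LNK_HEADER_SIZE
        if flags & HAS_LINK_TARGET_ID_LIST:  # IDListSize excludes its own 2 bytes
            (id_list_size,) = struct.unpack_from("<H", data, off)
            off += 2 + id_list_size
        if flags & HAS_LINK_INFO:            # LinkInfoSize includes itself
            (link_info_size,) = struct.unpack_from("<I", data, off)
            off += link_info_size
        unicode = bool(flags & IS_UNICODE)
        s = LnkSummary(show_command=show_command)
        for bit, attr in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                          (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                          (HAS_ICON_LOCATION, "icon_location")):
            if flags & bit:
                value, off = _read_string(data, off, unicode)
                setattr(s, attr, value)
    except struct.error as exc:
        raise ValueError("truncated shell link") from exc
    # ExtraData blocks (tracker, environment, ...) follow; not needed for triage.
    s.indicators = find_indicators(s)
    return s


def build_lnk(relative_path, arguments, working_dir="", icon_location="", show_command=1):
    """Assemble a minimal Unicode .lnk (header + StringData only) for test fixtures."""
    flags = IS_UNICODE | HAS_RELATIVE_PATH | HAS_ARGUMENTS
    flags |= HAS_WORKING_DIR if working_dir else 0
    flags |= HAS_ICON_LOCATION if icon_location else 0
    header = struct.pack("<I16sIIQQQIIIHHII", LNK_HEADER_SIZE, LNK_CLSID, flags,
                         0x20, 0, 0, 0, 0, 0, show_command, 0, 0, 0, 0)
    item = lambda text: struct.pack("<H", len(text)) + text.encode("utf-16-le")
    body = item(relative_path) + (item(working_dir) if working_dir else b"")
    body += item(arguments) + (item(icon_location) if icon_location else b"")
    return header + body


def sample_malicious_lnk() -> bytes:
    """Constructed fixture mimicking a malspam shortcut; the URL is a placeholder."""
    return build_lnk(r"..\..\..\Windows\System32\mshta.exe",
                     "http://example.invalid/Notice.hta",
                     working_dir=r"C:\Windows\System32",
                     icon_location=r"C:\Program Files\Adobe\Acrobat\AcroRd32.exe",
                     show_command=SW_SHOWMINNOACTIVE)


if __name__ == "__main__":
    summary = parse_lnk(sample_malicious_lnk())
    print("target:", summary.relative_path, "args:", summary.arguments)
    for indicator in summary.indicators:
        print(" -", indicator)
```

To use it on a real sample, pass the file bytes to `parse_lnk` and review the indicators and the recovered command line; the parser stops after StringData, so shortcuts that carry their real target only in the IDList or ExtraData blocks will show an empty `relative_path`, and that absence is itself worth a closer look.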