LevelBlue Labs has conducted an investigation on the adversary group publicly known as SideWinder in order to historically document its highly active campaigns and identify a more complete picture of targets, motivations, and objectives. Through our investigation, we have uncovered a collection of activity targeting government and business throughout South Asia and East Asia spanning many years. Our findings are primarily focused on activity since 2017, however the group has been reportedly operating since at least 2012.
Alien Labs along with other security researchers have assessed with low to medium confidence that the group is operates in support of India political interests based on targets, campaign timelines, technical characteristics of command and control (C2) infrastructure and malware, association with other known India interest APTs, in addition to past cyber threat intelligence reporting and our private telemetry.
SideWinder is a highly active adversary primarily making use of email spear phishing, document exploitation, and DLL Side Loading techniques to evade detection and to deliver targeted implants. The adversary activity remains at a consistent rate and LevelBlue Labs recommends the deployment of detections and retrospective analysis of shared indicators of compromise (IOCs) for past undetected activity. In this report we are providing a timeline of known campaigns and their associated IOCs, in addition to a large number of campaigns/IOCs which have not been previously reported or publicly identified.
Full report and IOCs are available: https://cdn.levelblue.com/docs/global-perspective-of-the-sidewinder-apt.pdf.
The OTX Pulse: https://otx.alienvault.com/pulse/5f21d5b84d529ed134127a66
