The Government of Pakistan’s National Telecommunications and Information Security Board (NTISB), operating under the Cabinet Division in the Prime Minister’s Office, issued two advisories on 22 December 2022 against two Advanced Persistent Threat (APT) groups of concern: one is “SideWinder”, and the other is “Bahamut”. Activities of the former group have created a buzz in Pakistan’s media circles, but its persistent impact is not a new headache for the quarters concerned.
Origins & Evolution
The SideWinder APT Group was first observed almost a decade ago, in 2012, targeting different government organisations in Central Asia and South Asia. Kaspersky’s Global Research and Analysis Team (GReAT) was among the first to discover its activities and proffered that they were primarily focused on military targets in Pakistan. This APT group is alternatively referred to by the names RAZOR TIGER, C-17-APT, Rattlesnake and T-APT-04.
SideWinder has used multiple attack vectors to target digital assets in Pakistan. These include social engineering of email recipients, exploits embedded within Microsoft Office files, deceptive installations of apparently legitimate Android apps from the Google Play Store, and credential phishing pages mimicking authentic admin control panels. The group also uses DLL side-loading techniques to evade detection and successfully implant itself in target devices and networks. By and large, it is evident from reports that psychological manipulation through targeted social engineering is one of the key methods of infiltration for this group.
A more lethal version of the SideWinder APT Group’s malware, dubbed “WarHawk”, has come to the surface, which purportedly completely hijacks the target’s system. Threat analysts at Zscaler say that the advanced malware contains multiple malicious modules with new Tactics, Techniques and Procedures (TTPs) and a Pakistan Standard Time zone check to ensure it executes only on intended targets. They also add that the group is continuously adding new malware to its arsenal for future cyber espionage campaigns. Threat researchers at China’s Antiy Labs further claim that the SideWinder APT Group is operating alongside another APT group called “Confucius”, often exchanging tools and scripts for malware deployment.
It is quite telling that NTISB’s recent circular itself acknowledges that the SideWinder APT Group’s techniques are based on “compromising Govt email systems and forwarding fake emails/ letters for data extraction/ infiltration” (sic).
The NTISB has issued multiple cyber threat advisories from time to time. One of the earliest known circulars focused on cyber espionage is from 2016, which cautions users across various ministries and departments against fake emails claiming to be security reports from a “Red Cell”. This is quite remarkable given that details of an extensive cyber espionage campaign originating in India, i.e. Operation Hangover, were published a few years prior in 2013.
Perhaps in response to Operation Hangover, the Senate of Pakistan attempted to introduce a National Cyber Council Act (2014), which would have established a public-private body to manage and protect domestic cyberspace from the spectrum of threats. A government report authored during the regime of Pakistan Tehreek-e-Insaf (PTI) assessed that the proposed cyber security body was going to be timid anyway and recommended that a “much more rigorous, focused, well-funded and well-staffed effort is required in the shape of a high-level apex organisation for cybersecurity”.
It was not until a few years later, in 2017, that the Government of Pakistan, through an advisory, declared India the primary source of cyber threats to national networks. Additionally, it acknowledged that understanding of cyber security threats is inadequate, budgetary allocation to mitigate threats is insufficient, and many organisations “don’t have disaster recovery mechanism” (sic).
New Insights into the SideWinder APT Group
The choice of targets by the group clearly indicates interest in adversarial intelligence collection, not something that would particularly fascinate freelance hackers who are after quick money.
Following successful intrusions, pseudonymous members of the SideWinder APT Group regularly announce their “feats” before their supporters in a public Telegram group alongside pictorial glimpses as supporting evidence. This practice has been ongoing for several years. During a recent group chat, certain inquisitive members, also using aliases, asked questions which prompted answers; these provided additional insights into the APT group’s professed capabilities and future course of action.
One vocal member going by the alias “Mr Beast”, suspected of leading the SideWinder APT Group, claimed to have compromised 90 gigabytes worth of data from different government organisations in Pakistan. It was confirmed that the group’s activities are state-sponsored; however, specific details about the state organ behind these intrusions were not given, for obvious reasons.
The group claims it has embedded itself across various sectoral networks in Pakistan, i.e., banking, government, education, military etc., including the NTISB itself and also the SideCopy APT Group, which emulates SideWinder’s attack methods and is widely alleged to be a Pakistani group. They claim further that since Pakistan’s national networks are “fully compromised” in their entirety, it is convenient for them to look up and trace any device operating inside them.
The ability to generate official correspondence from verified government email accounts used by different ministries and departments purportedly still exists. However, when asked by a user about social engineering being their primary attack vector, they denied this inference and boasted about their “high tech level of exploit” (sic). They disclosed further that mapping and targeting of different Pakistani data centres holding critical information are among their prized capabilities, which allegedly include the Cabinet Division.
More importantly, beyond political and military intelligence, the group’s most vocal member claimed to maintain an updated repository of economic intelligence, especially pertaining to the prized real estate sector and the stock exchanges.
Nearing the conclusion of this group chat, when a supporter asked about new capabilities developed by the collective, the member boasted that Pakistan’s satellite communications are the new focus of efforts.
Despite the Pakistan Telecommunication Authority having the mandate to regulate the Internet, its Cyber Security Annual Report 2022 only covers compliance with telecom security guidelines. It does not even make a cursory assessment of risks posed to national cyberspace outside the realm of telecom operators. Khawaja Khalid Farooq, a senior police veteran and former head of Pakistan’s National Counter Terrorism Authority, also labelled the report as “incomplete”.
Examination of the SideWinder APT Group’s activities over the past five years, when viewed in parallel with the contents of NTISB advisories, indicates that the threat actor has indeed made considerable gains and continues to haunt stakeholders responsible for managing Pakistan’s cyberspace. While this APT group has continued to enhance its TTPs to increase the impact of its efforts, successive federal governments in Pakistan and parliamentarians, in general, have done very little to take the issue seriously.
The APT group’s shifting focus on Pakistan’s data centres and satellite communications infrastructure, although not independently verifiable, cannot be ignored and should serve as a wake-up call for stakeholders. That these activities have been confirmed as state-sponsored from the horse’s mouth warrants evaluation as an “Act of War” per the National Cyber Security Policy 2021 and must be handled accordingly.