Critical Pakistani government agencies’ assets have been the target of ongoing cyberattacks by a group, which domestic and foreign experts allege is based in India and includes some military-affiliated entities.
The group, known as Rattlesnake or "SideWinder," has launched over 1,000 attacks since April 2020 on government, military, and commercial cyber assets based in Pakistan and has succeeded in seizing control of, stealing from, or altering the content of the targeted computer systems.
Earlier, such “nationalist” cyber organisations operating in India would, at most, deface websites, while comparable organisations based in Pakistan and China would engage in cyber espionage and disrupt vital assets of organisations based in India.
Zscaler, a California-based cybersecurity firm with four offices in India, reports that the operators behind SideWinder recently deployed a new malware named "WarHawk" in one of their attacks. According to the researchers, this malware gives the attackers full control of the target's PC.
"Once the victim is infected by the malware 'WarHawk', the malware starts sending system information to attackers, and downloads and executes other malware on the infected system. It also gives remote access to the system by executing commands on it and starts sending across information like file name, file size, date, etc. One interesting thing that we found is that the malware runs only if the system is in Pakistan Standard Time," said Niraj Shivtarkar, a researcher with ThreatLabz, Zscaler's research team.
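The timezone gate quoted above matters to defenders mainly during analysis: a sample that checks for Pakistan Standard Time stays dormant in a sandbox whose clock is set to UTC or a Western timezone, and the analyst sees no behaviour. The following added example (not code from the article or from Zscaler) shows how to verify which timezone configuration a gated sample would accept before detonating it. It assumes Pakistan Standard Time is UTC+5 with no daylight-saving shift, and uses POSIX TZ strings so it works without tzdata files (Unix only, because of `time.tzset`).

```python
import os
import time
from datetime import datetime, timedelta

# Assumption for this example: Pakistan Standard Time is UTC+5, no DST.
PKT_OFFSET = timedelta(hours=5)


def local_utc_offset(posix_tz: str) -> timedelta:
    """Return the UTC offset a process would observe with TZ set to posix_tz.

    Accepts POSIX TZ strings such as "PKT-5" (UTC+5) or "UTC0", so no
    zoneinfo database is required. The previous TZ value is restored.
    """
    previous = os.environ.get("TZ")
    os.environ["TZ"] = posix_tz
    time.tzset()
    try:
        # Naive now() -> astimezone() resolves the local zone via localtime().
        return datetime.now().astimezone().utcoffset()
    finally:
        if previous is None:
            del os.environ["TZ"]
        else:
            os.environ["TZ"] = previous
        time.tzset()


def pkt_gate_would_pass(posix_tz: str) -> bool:
    """True if a sample gated on Pakistan Standard Time would run under this TZ."""
    return local_utc_offset(posix_tz) == PKT_OFFSET


if __name__ == "__main__":
    # Constructed sandbox configurations to compare before detonation.
    for tz in ("UTC0", "EST5EDT", "PKT-5"):
        state = "runs" if pkt_gate_would_pass(tz) else "stays dormant"
        print(f"TZ={tz:8s} -> PKT-gated sample {state}")
```

Setting the analysis VM's TZ (or the Windows system timezone) to UTC+5 before detonation is the practical takeaway; the function only confirms which configurations satisfy the gate.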
According to him, they had come across different versions of the same malware, which indicates that the people behind the group were updating it with more advanced functionality. The researchers have not been able to identify the exact targets of this group, which also goes by the name "hardcore nationalist", but they believe the actors compromised government websites, including Pakistan's official NEPRA (National Electric Power Regulatory Authority) website, and hosted the malicious payload there for distribution. Similarly, the group created phishing sites resembling those of Pakistan's Federal Investigation Agency (FIA), Sui Northern Gas Pipelines Limited, and the Ministry of Foreign Affairs to lure its victims.
The hackers used a decoy to hide the malware by displaying a legitimate cyber advisory issued by the Cabinet Division of Pakistan in July 2022 that asked the officials to be aware of “malicious phishing websites”.
Cyber monitors have been keeping an eye on SideWinder since at least 2012.
Speaking at a "Black Hat" information security event in Singapore in May 2022, researchers from Kaspersky said that the earlier footprints that had allowed researchers to link the group to India have now "disappeared".
Noushin Shaba, a senior security researcher on Kaspersky's global research and analysis team, said that with those footprints erased she could no longer confidently connect the group to any particular country. In a 25-page presentation, Shaba said that SideWinder had grown into one of the most active attackers on the planet and had intensified its operations "possibly because its resources had increased, through unknown means, which is evident from its increasing sophistication of its preferred malware and expansion of its geographical footprints."
She said the group has been active since at least 2012 but first came to notice in January 2018.
This is not the first time that a cyberattack with Indian provenance has allegedly targeted Pakistan’s military and other critical assets.
Critical military data pertaining to the Pakistan Air Force (PAF) was exfiltrated from computer systems at PAF headquarters in Islamabad in May of this year. The Pakistan military kept the incident under wraps for a long time. Later, Pakistan- and China-based researchers, quoting military sources, claimed that the cyber "espionage" was carried out by "India-friendly entities".
Officials from these two nations claim that the attackers used malware that, once installed on the targeted computer system, was able to retrieve a vast number of documents, presentations, and encrypted files stored there.
They said the malware was delivered in emails purporting to come from the victims' superior officers.
The files that were transferred from the military computer systems included some that dealt with nuclear power plants, military communications, and satellite communications.
According to statements made by Pakistani and Chinese officials, about 20,000 files in total were compromised, some of which contained correspondence issued by Pakistan's senior defence departments.
Unverified sources state that Pakistan-based experts were able to locate the intrusion later, on the basis of hints provided by the actual hackers who infiltrated the networks.
According to assertions made by the same analysts located in Pakistan and China, a similar attack that targeted Pakistan’s naval assets was carried out in March.
For a long time, China and Pakistan have been conducting cyberattacks against Indian military and commercial enterprises. This has been attributed to officials' ignorance of how to prevent the attacks, which are typically launched through a straightforward trojanised email or a phishing website.
A Chinese state-sponsored cyberattack on India's power plants in October 2020 caused major power outages in Mumbai. China, however, denied this.