A recent analysis report from an Indian cybersecurity expert exposed over a year of surveillance by an unknown adversary targeting the Indian government, specifically its military service and notable defense organizations. The researchers named the campaign Operation SideCopy.
According to the report, the adversary used a different methodology to pursue its malicious activity under the radar. This cloaked any direct attribution and left only a suspicion that the group behind it is an affiliate of the Pakistani adversary known as Transparent Tribe. That group has been in the espionage business since 2013, also operates under aliases such as PROJECTM and MYTHIC LEOPARD, and is notorious for targeting the Indian military service and prominent government officials. However, the researchers behind the report state high confidence in this attribution based on the evidence they gathered.
The initial evidence submitted confirmed that the adversary tried to shift suspicion onto other APT actors such as SideWinder. The researchers were able to uncover the group's footprints in code sophisticatedly crafted for cyber espionage. The code can fully compromise the targeted device and gain complete control without the victim's knowledge.
Another misdirection appeared in the delivery method, the code used, and the infection process, all of which resemble those of the Cobalt hacking groups. Notably, the malware was delivered through a phishing email in which the victim was lured into opening an enticing attachment relevant to the current situation or to Indian subjects. Once the victim opens the document, the infection proceeds through malware transferred in segments to avoid security detection. The assembled malicious application then targets the MS Office vulnerability fully described in Microsoft's advisory for CVE-2017-11882.
In addition to this misdirection, the adversary could also point suspicion toward the Vietnamese APT32 group, also known as OceanLotus, by using the payload loader called CactusTorch to kick-start infiltration of the targeted device. To exfiltrate content from the compromised device, the adversary incorporates a trojan that performs remote frame buffering for swift transfer of stolen information, a capability native to the Allakore Remote application commonly used by the Transparent Tribe group.
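As an added defender's example (not code from the report or from the page), the following Python flags two endpoint process-creation patterns the infection chain above would leave behind: Equation Editor (EQNEDT32.EXE, the Office component affected by CVE-2017-11882) spawning any child process, and an Office application spawning a script host. The simplified key=value log format and the sample events are constructed for this example.

```python
import re

# Constructed sample process-creation events (Sysmon-style fields, simplified).
# These are made up for the example; they are not from the report.
SAMPLE_EVENTS = [
    r'ParentImage=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE Image=C:\Windows\splwow64.exe',
    r'ParentImage=C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Image=C:\Windows\System32\cmd.exe',
    r'ParentImage=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE Image=C:\Windows\System32\mshta.exe',
    r'ParentImage=C:\Windows\explorer.exe Image=C:\Windows\System32\notepad.exe',
]

# Equation Editor is the component patched by CVE-2017-11882; it has no
# legitimate reason to launch child processes, so any child is suspicious.
EQUATION_EDITOR = "eqnedt32.exe"
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
# Script hosts and LOLBins commonly used by document-borne loaders.
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe", "powershell.exe",
                "cmd.exe", "rundll32.exe", "regsvr32.exe"}

# Matches Key=Value pairs where values may contain spaces but keys may not.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")


def parse_event(line):
    """Parse one 'Key=Value Key=Value' log line into a dict."""
    return {k: v for k, v in FIELD_RE.findall(line)}


def basename(path):
    """Return the lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return a detection label for a parsed event, or None if benign."""
    parent = basename(event.get("ParentImage", ""))
    child = basename(event.get("Image", ""))
    if parent == EQUATION_EDITOR:
        return "equation-editor-child"
    if parent in OFFICE_APPS and child in SCRIPT_HOSTS:
        return "office-spawned-script-host"
    return None


def detect(lines):
    """Run both rules over log lines; return (label, parent, child) tuples."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        label = classify(ev)
        if label:
            alerts.append((label, basename(ev.get("ParentImage", "")),
                           basename(ev.get("Image", ""))))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The first rule is high-fidelity on its own; the second needs an allowlist tuned to the environment, since some legitimate add-ins do spawn script hosts.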
The ingenuity of the unknown adversary's plan in Operation SideCopy is quite impressive, as it will surely confuse even expert researchers, which further adds to the adversary's anonymity.
This shows that integrating code and tactics from different threat actors is possible and can pose a more lethal danger to the cyber community. It is a wake-up call for security groups to be more vigilant and to collaborate in developing more secure applications that help prevent such damaging attacks.