Article Details

Scrape Timestamp (UTC): 2025-03-10 16:08:10.255

Source: https://www.theregister.com/2025/03/10/sidewinder_tactics_shift/

Original Article Text

Sidewinder goes nuclear, charts course for maritime mayhem in tactics shift

Phishing and ancient vulns still do the trick for one of the most prolific groups around.

Researchers say the Sidewinder offensive cyber crew is starting to target maritime and nuclear organizations. Kaspersky described Sidewinder as a "highly prolific" advanced persistent threat (APT) group whose previous prey were mostly government and military institutions in China, Pakistan, Sri Lanka, and parts of Africa. Its recent wider expansion into Africa has caught researchers' attention. Sidewinder ramped up attacks in Djibouti in 2024 and has since focused its attention on Egypt, representing a shift in tactics. Part of that shift is the increase in attacks against nuclear power plants and other nuclear energy organizations, particularly in South Asia.

Sidewinder, which launched in 2012 and has suspected but not formally confirmed roots in India, hasn't changed its attack methodology much, still relying on old remote code execution (RCE) bugs that are exploited by malicious documents delivered in spear-phishing campaigns.

"The attacker sends spear-phishing emails with a DOCX file attached," said Kaspersky researchers Giampaolo Dedola and Vasily Berdnikov. "The document uses the remote template injection technique to download an RTF file stored on a remote server controlled by the attacker.

"The file exploits a known vulnerability (CVE-2017-11882) to run a malicious shellcode and initiate a multi-level infection process that leads to the installation of malware we have named Backdoor Loader. This acts as a loader for StealerBot, a private post-exploitation toolkit used exclusively by Sidewinder."

The StealerBot implant was first identified in 2024, but Sidewinder has continued to use and refine it in ongoing campaigns. Kaspersky noted that the implant has remained unchanged since its discovery, but the group appears to be developing new iterations of its loader regularly.

The fake documents attached to spear-phishing emails are carefully crafted and appear legitimate upon a cursory inspection. They are also tailored for each target. Nuclear organizations received documents supposedly related to an upcoming committee meeting, while those sent to maritime organizations and port authorities varied from typical HR documents to briefings about governmental decisions and diplomatic issues.

Sidewinder's victimology is broadening, rather than changing. Its age-old favorites in the government, military, and diplomatic sectors are still a focus of the group, but increased attacks on maritime, logistics, and nuclear entities signal an evolution. Kaspersky said telcos, consulting businesses, IT services companies, real estate agencies, and hotels were also fixed in the group's sights to some extent.

The group's main tactics – phishing and an eight-year-old vulnerability – don't immediately bear the hallmarks of a sophisticated bunch of attackers. Kaspersky made the same observation in its previous report on the group but suspects those behind the attacks are highly skilled.

"Sidewinder has already demonstrated its ability to compromise critical assets and high-profile entities, including those in the military and government. We know [of] the group's software development capabilities, which became evident when we observed how quickly they could deliver updated versions of their tools to evade detection, often within hours."

The fact that it uses well-maintained and effective in-memory malware such as StealerBot also suggests that Sidewinder's various capabilities make it "a highly advanced and dangerous adversary," as Kaspersky puts it.
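The first stage Kaspersky describes, a DOCX that pulls its template from an attacker-controlled server, leaves a recognisable trace inside the file: an attachedTemplate relationship whose target is external. The following is an added example (not from the article or Kaspersky) of a mail-gateway style check that unpacks a DOCX and flags web-hosted templates; the sample document and its hostname are constructed for the test.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# OOXML relationship type Word uses for an attached (.dotx/.dotm) template.
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")
RELS_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"


def external_templates(docx_bytes):
    """Return Target values of attachedTemplate relationships marked External."""
    targets = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            # The attached-template link lives in the settings part's relationships.
            if not name.endswith("_rels/settings.xml.rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(RELS_NS + "Relationship"):
                if (rel.get("Type") == ATTACHED_TEMPLATE
                        and rel.get("TargetMode") == "External"):
                    targets.append(rel.get("Target", ""))
    return targets


def is_remote_template_lure(docx_bytes):
    """True if the template is fetched over HTTP(S) on open. Local and UNC
    template paths are common in corporate fleets, so only web targets are flagged."""
    return any(urlparse(t).scheme.lower() in ("http", "https")
               for t in external_templates(docx_bytes))


def build_docx(template_target=None):
    """Constructed minimal DOCX for testing; None yields a clean document."""
    rels = ['<?xml version="1.0" encoding="UTF-8"?>',
            f'<Relationships xmlns="{RELS_NS[1:-1]}">']
    if template_target:
        rels.append(f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
                    f'Target="{template_target}" TargetMode="External"/>')
    rels.append("</Relationships>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/settings.xml", "<w:settings/>")
        z.writestr("word/_rels/settings.xml.rels", "\n".join(rels))
    return buf.getvalue()
```

In production the allowlist for template locations should match the organization's own template shares, and a hit warrants detonation rather than automatic rejection, since the downloaded RTF (not the DOCX) carries the CVE-2017-11882 exploit.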

Daily Brief Summary

NATION STATE ACTIVITY // Sidewinder Expands Targets, Now Focuses on Maritime and Nuclear Sectors

Sidewinder, a prominent APT group known for targeting military and government entities, has expanded its focus to include maritime and nuclear organizations.

Kaspersky detected increased activity in Africa, with recent campaigns concentrated in Djibouti and Egypt, indicating a strategic shift in geographic and sector focus.

The group continues to employ old vulnerabilities through spear-phishing attacks, delivering malware via documents that exploit remote code execution bugs.

Malware such as “Backdoor Loader” and “StealerBot” is used to infiltrate and extract data from the targeted organizations; StealerBot remains a key tool since its discovery in 2024.

Attack documents are specifically tailored to look legitimate and relevant to the targeted industry, enhancing the likelihood of successful phishing.

Despite using older methods, Sidewinder’s ability to quickly update its tools to evade detection showcases its advanced technical capabilities.

Kaspersky labels Sidewinder as a highly advanced and dangerous adversary, capable of compromising critical assets and developing sophisticated malware.