Cyber espionage on a new level

SideWinder now also attacks nuclear power plants


The notorious advanced persistent threat (APT) group SideWinder has refined its attack tactics and significantly expanded its geographical reach. According to recent analyses by Kaspersky, the group is now specifically targeting nuclear power plants and energy facilities.

Companies in Africa, Southeast Asia and Europe – including Austria – are particularly affected.


SideWinder expands its targets

SideWinder has been known since 2012 for targeted cyberattacks, which have so far mainly been aimed at government, military and diplomatic institutions. The group has now widened its range of targets: it is attacking maritime infrastructure and logistics companies throughout Southeast Asia, while at the same time increasingly targeting the nuclear sector.

New attack methods and vulnerabilities

Kaspersky experts have registered an increase in attacks on nuclear power plants and energy generation facilities. Attackers are using spear phishing emails and malicious documents with industry-specific terminology. Regulatory and plant-specific topics are used as bait to gain the trust of victims.

A central element of the attacks is the exploitation of an older Microsoft Office vulnerability (CVE-2017-11882). Although the vulnerability is old, SideWinder remains highly flexible and can quickly adapt its tools to evade detection systems. Once a malicious document is opened, an attack chain begins that gives the attackers access to operational data, research projects and personnel data from nuclear power plants.
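As an added illustration, not part of the original article and not Kaspersky's tooling, the following Python script shows the kind of static triage a defender can run on inbound Office attachments. CVE-2017-11882 is a flaw in the Equation Editor component (EQNEDT32.EXE), which Office loads when a document embeds an OLE object of class Equation.3, CLSID {0002CE02-0000-0000-C000-000000000046}; both of those identifiers are known facts about the component, not values from the article. The script checks RTF and OOXML files for that ProgID and CLSID. The sample documents it scans are constructed placeholders that carry only the class-name marker and no object payload.

```python
"""Static triage for Office attachments: flag documents that embed an
Equation Editor (Equation.3) OLE object, the component exploited via
CVE-2017-11882. Added example for this article, not Kaspersky's tooling.
Handles RTF and OOXML (.docx/.xlsx/.pptx) containers; the sample inputs
at the bottom are constructed placeholders with no real OLE payload."""
import io
import re
import zipfile

# CLSID of the Equation Editor COM class (a known value, not from the article),
# laid out as it appears on disk: Data1/Data2/Data3 little-endian, Data4 as-is.
EQNEDT_CLSID = "0002CE02-0000-0000-C000-000000000046"
EQNEDT_CLSID_BYTES = (
    bytes.fromhex("02CE0200")            # Data1 0x0002CE02, little-endian
    + bytes.fromhex("0000")              # Data2
    + bytes.fromhex("0000")              # Data3
    + bytes.fromhex("C000000000000046")  # Data4, plain byte array
)

# RTF declares the embedded object's class in a control word group.
RTF_OBJCLASS = re.compile(rb"\\objclass\s*Equation\.[23]", re.IGNORECASE)
# OOXML references the OLE object by ProgID inside word/document.xml.
OOXML_PROGID = re.compile(rb'ProgID="Equation\.[23]"', re.IGNORECASE)
# Raw Equation Editor class names as they appear inside OLE streams.
EQUATION_NAMES = (b"Equation.3", b"Equation.2")


def _decoded_hex_blobs(data: bytes):
    """Yield decoded bytes for every long hexadecimal run (RTF \\objdata is hex text)."""
    for match in re.finditer(rb"(?:[0-9A-Fa-f]{2}\s*){32,}", data):
        hexstr = re.sub(rb"\s", b"", match.group(0))
        if len(hexstr) % 2:  # drop a dangling nibble
            hexstr = hexstr[:-1]
        yield bytes.fromhex(hexstr.decode("ascii"))


def scan_rtf(data: bytes) -> list:
    """Findings for an RTF document: objclass marker, class name or CLSID inside objdata."""
    findings = []
    if RTF_OBJCLASS.search(data):
        findings.append("rtf:objclass Equation")
    for blob in _decoded_hex_blobs(data):
        if any(name in blob for name in EQUATION_NAMES):
            findings.append("rtf:objdata class name Equation")
        if EQNEDT_CLSID_BYTES in blob:
            findings.append("rtf:objdata Equation Editor CLSID")
    return findings


def scan_ooxml(data: bytes) -> list:
    """Findings for an OOXML zip: ProgID in XML parts, CLSID or class name in embeddings."""
    findings = []
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings
    for name in archive.namelist():
        content = archive.read(name)
        if name.endswith(".xml") and OOXML_PROGID.search(content):
            findings.append(f"ooxml:{name} ProgID Equation")
        if "/embeddings/" in name and (
            EQNEDT_CLSID_BYTES in content or any(n in content for n in EQUATION_NAMES)
        ):
            findings.append(f"ooxml:{name} Equation Editor object")
    return findings


def scan_document(data: bytes) -> list:
    """Dispatch on file magic; anything that is neither RTF nor a zip yields no findings."""
    if data.startswith(b"{\\rtf"):
        return scan_rtf(data)
    if data.startswith(b"PK\x03\x04"):
        return scan_ooxml(data)
    return []


# Constructed sample: RTF declaring an Equation.3 object whose objdata holds only
# the class-name string encoded as hex (the bait-document pattern, minus any payload).
SAMPLE_RTF = (
    b"{\\rtf1\\ansi Plant safety inspection schedule "
    b"{\\object\\objemb{\\*\\objclass Equation.3}{\\*\\objdata "
    + b"Equation.3 object placeholder, no payload here......".hex().encode()
    + b"}}}"
)
SAMPLE_RTF_CLEAN = b"{\\rtf1\\ansi Plant safety inspection schedule}"


def build_sample_docx() -> bytes:
    """Constructed minimal OOXML container referencing an Equation.3 OLE object."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("[Content_Types].xml", "<Types/>")
        archive.writestr(
            "word/document.xml",
            '<w:document><w:body><w:p><w:r><w:object>'
            '<o:OLEObject Type="Embed" ProgID="Equation.3" r:id="rId5"/>'
            '</w:object></w:r></w:p></w:body></w:document>',
        )
        # Placeholder embedding: a zeroed header followed by the CLSID, not a real OLE file.
        archive.writestr("word/embeddings/oleObject1.bin", b"\x00" * 16 + EQNEDT_CLSID_BYTES)
    return buf.getvalue()


if __name__ == "__main__":
    samples = (("rtf", SAMPLE_RTF), ("rtf-clean", SAMPLE_RTF_CLEAN), ("docx", build_sample_docx()))
    for label, doc in samples:
        print(label, scan_document(doc) or "no Equation Editor object")
```

String matching of this kind is a first-pass filter: RTF in particular tolerates a great deal of variation in how control words and object data are written, so a production pipeline should follow it with a proper RTF/OLE parser and sandbox detonation, and treat any Equation.3 object in an unsolicited attachment as a high-confidence alert rather than a curiosity. The durable control is patching: Microsoft removed the Equation Editor component from Office in its January 2018 updates, so fully updated installations cannot load Equation.3 objects at all.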


“We see not only a geographic expansion, but also a strategic evolution of SideWinder’s capabilities and ambitions,” explains Vasily Berdnikov, Lead Security Researcher in the Global Research & Analysis Team (GReAT) at Kaspersky. “The group can deploy updated malware variants after detection with remarkable speed, changing the threat landscape tremendously. Instead of a reactive response, it requires a near real-time response.”

Kaspersky was able to detect SideWinder activities in 15 countries. Djibouti in particular was the target of numerous attacks before the focus shifted to Egypt. Further attacks were observed in Mozambique, Austria, Bulgaria, Cambodia, Indonesia, the Philippines and Vietnam. Diplomatic missions in Afghanistan, Algeria, Rwanda, Saudi Arabia, Turkey and Uganda were also targeted by the hacker group.

(vp/Kaspersky)
