After targeting government, military and diplomatic entities, and extending its cyber-espionage operations to maritime infrastructure, the APT group Sidewinder is now turning its attention to the nuclear sector.
The APT Sidewinder group is turning its attention to the nuclear sector. Photo: Shutterstock
Kaspersky researchers have noticed a change in the strategy of the APT Sidewinder group, one of the most prolific threat actors, which now targets nuclear power plants in South Asia, marking a significant escalation of its cyber-espionage activities. In parallel, the threat actor has expanded its operations in Africa, Southeast Asia and certain regions of Europe.
Kaspersky’s Global Research and Analysis Team has documented a worrying two-pronged development from the APT Sidewinder group, which now focuses on nuclear power stations and energy facilities in South Asia. This strategic change is taking place at the same time as the group’s geographical expansion beyond its conventional operating areas.
Active since at least 2012, Sidewinder has traditionally targeted government, military and diplomatic entities. The group has recently broadened its victim profile to include maritime infrastructure and logistics companies in Southeast Asia, and is now turning its attention to the nuclear sector. Kaspersky researchers have noticed an increase in attacks against nuclear energy agencies, using spear-phishing emails and malicious documents laden with industry-specific terminology.
Tracking Sidewinder across 15 countries on three continents, Kaspersky observed numerous attacks in Djibouti before the group shifted its focus to Egypt and launched additional operations in Mozambique, Austria, Bulgaria, Cambodia, Indonesia, the Philippines and Vietnam. Diplomatic entities in Afghanistan, Algeria, Rwanda, Saudi Arabia, Turkey and Uganda were also targeted, further demonstrating Sidewinder’s reach beyond South Asia.
Although it still relies on an older Microsoft Office vulnerability (CVE-2017-11882), Sidewinder changes its toolset rapidly. When targeting nuclear infrastructure, the group crafts convincing spear-phishing emails that appear to concern regulatory matters or issues specific to the power stations. Once opened, the attached documents initiate an infection chain that can give the attackers access to the operational data of nuclear installations, research projects and personnel details.
Kaspersky protects organizations against these attacks through a multi-layered security approach, which includes vulnerability management solutions, prevention of attacks at an early stage, real-time threat detection and response, and constantly updated detection rules aligned with the evolution of the malware used by Sidewinder.