SideWinder, aka Rattlesnake, has hijacked, stolen or modified content in the intended computer systems of Pakistan government, military and business cyber assets. Earlier, only Pakistan and China-based entities would indulge in cyber espionage and disruption of Indian critical assets

New Delhi: Assets of critical Pakistan government agencies, some of which are affiliated to the military, have been facing persistent cyberattacks from a group, which domestic and international experts claim, is based in India.

The group, which observers and experts have named the “SideWinder”, aka Rattlesnake, has launched a staggering over-1,000 attacks since April 2020 on government, military and business cyber assets based in Pakistan and managed to hijack, steal or modify content in the intended computer systems.

Earlier, such India-based “nationalist” cyber groups, would, at the most, deface the websites, while Pakistan and China-based similar entities would indulge in cyber espionage and disruption of critical assets of organisations based in India. According to a report by California-headquartered Zscaler, a cybersecurity company, which has four offices in India, the people behind SideWinder, in one of their recent attacks, have now planted a new malware called “WarHawk”, which, as per the researchers, completely hijacks the system of the intended recipient.

“Once the victim is infected by the malware ‘WarHawk’, the malware starts sending system information to attackers, downloads and executes other different malwares on the infected system. It also gives remote access to the system by executing commands on it and starts sending across information like file name, file-size, date, etc. One interesting thing that we found is that the malware runs only if the system is in Pakistan Standard Time,” said Niraj Shivtarkar, who is a researcher with the ThreatLabz, the research team of Zscaler.

According to him, they had come across different versions of the same malware, which indicates that the people behind the cyber group were updating the malware with more advanced functionalities. The researchers have not been able to identify the exact targets of this cyber group, which also goes by the name of “hardcore nationalist”, but they believe that the actors compromised the government website including Pakistan’s official NEPRA (National Electric Power Regulatory Authority) website and hosted the malicious payload there for distribution purposes. Similarly, the group also created “phishing” sites that resembled the site of Pakistan’s Federal Investigation Agency (FIA), Sui Northern Gas Pipelines Limited, and the Ministry of Foreign Affairs to lure its victims.

The hackers used a decoy to hide the malware by displaying a legitimate cyber advisory issued by the Cabinet Division of Pakistan in July 2022 that asked the officials to be aware of “malicious phishing websites”.

The SideWinder has been on the radar of cyber observers since at least 2012. In May 2022, researchers with Kaspersky, while participating at a Singapore “Black Hat” event, a gathering that brings together people interested in information security ranging, stated that previous footprints that led to researchers identifying it with India have now “disappeared”. According to Noushin Shaba, a senior security researcher on Kaspersky’s global research and analysis team, she was not confident of linking the group to any nation following the erasing of the footprints. Shaba, in a 25-page PowerPoint presentation, stated that SideWinder has become one of the planet’s most prolific attackers and it has stepped up its activities “perhaps because its resources have increased, by means unknown which is evident from its increasing sophistication of its preferred malware and expansion of its geographical footprints”. As per her, it has been active since at least 2012, but came under the radar first in January 2018.

This is not the first time that Pakistan’s military and other strategic assets have been hit by a cyberattack that has been claimed to originate from India. In May this year, critical military information related to the Pakistan Air Force (PAF) was taken away from computer systems installed at the PAF headquarters, in Islamabad. The said incident, for a long time, was kept under wraps by the Pakistan military. Later, Pakistan and China-based researchers, quoting military sources, claimed that the said cyber “espionage” was carried out by “India-friendly entities”.

According to officials in these countries, these entities downloaded malware, which after being installed in the targeted computer system, retrieved a large number of documents, and presentations, including encrypted files that were stored in them. They said the malware was sent to the target in emails that had purportedly come from their superior officers.

Some of the files that were transferred from the military computer systems were related to satellite communications, military communication and nuclear facilities. In all, as per the claims by Pakistan and Chinese officials, close to 20,000 files, some of them which included correspondence sent by the top defence offices of Pakistan, were compromised.

Later, Pakistan-based analysts were able to identify the intrusion, according to unverified claims, based on clues that were left behind by the very hackers who broke into the systems. A similar action was executed, as per claims by the same Pakistan and China-based analysts, in March that targeted Pakistan’s naval assets.

China and Pakistan, for a long time now, have been carrying out cyberattacks against Indian military and civilian enterprises, something which has been attributed to a lack of awareness among officials on how to avoid these cyberattacks, which in most cases, come through a simple trojan email or a phishing website. In October 2020, India had suffered a Chinese state-sponsored cyberattack on its power plants, which led to widespread power outage in Mumbai. The same was, however, denied by China.