An APT (advanced persistent threat) group suspected of being based in India, known as SideWinder, carried out a successful attack on the Pakistani Air Force network, according to evidence obtained by Check Point Research (CPR), the research arm of Check Point Software. SideWinder is a group that focuses on public-sector organizations in Pakistan and China, the researchers report. At the end of March this year, CPR published an analysis of a malicious document distributed by the group that exploited the conflict between Russia and Ukraine. The intended targets of the attack were Pakistani entities. In the decoy document, the group impersonated the National Institute of Maritime Affairs at Bahria University in Islamabad, under the title: “Impact of Russian conflict in Ukraine on Pakistan”.
Now CPR has evidence that leads it to believe the group attacked the Pakistani Air Force. “The conclusions result from the analysis of files submitted to the VirusTotal platform, a free service that allows users to identify malicious content in various files and URLs. CPR found evidence linking the files to the APT SideWinder group, known to target Pakistani entities and suspected to be based in India,” comments Itay Cohen, Head of Research at Check Point Software.
One of the files decrypted by CPR was produced by InfoStealer-type malware used exclusively by this group, and contained a list of all relevant files extracted from the infected computer. Most of the files related to the military industry, nuclear facilities, higher education and war history, among other subjects. Some of them even pointed to documents from the “Chairman Joint Chiefs of Staff Committee”, reportedly the highest post in the Pakistani armed forces.
CPR suspects that the group compromised a single infected device and from there reached a shared organizational drive that is widely used by the people who work there.
From the names of files and directories, CPR was able to identify usernames belonging to the victim, including AHQ-STRC3. Together with other elements in the file names, this suggests that AHQ stands for Pakistani Air Headquarters, the headquarters of the Pakistani Air Force. There are also documents that explicitly mention air headquarters in their filenames, reinforcing the link between the “AHQ” in the username and the Pakistani Air Force. Investigations found an additional username, “gnss”, which yielded no firm clue, although it may refer to the “global navigation satellite system”. The files seen also had names related to satellite communications, implying that the stolen data included material on that subject.
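The kind of triage described above, recovering usernames, shared drives and subject themes from nothing more than a stolen-file manifest, can be scripted. The following is an added example written for this article and is not CPR's tooling or the malware's own format; the manifest lines, the usernames (USER-A1, svc-ops), the server name FILESRV01 and the file names are all constructed placeholders, and the theme keyword table is an assumption an analyst would tune to the case.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of an exfiltration manifest: one stolen path per line,
# in the shape an infostealer log might use. Every name here is invented.
SAMPLE_MANIFEST = """\
C:\\Users\\USER-A1\\Documents\\budget_2021.xlsx
C:\\Users\\USER-A1\\Desktop\\satellite_link_notes.docx
C:\\Users\\svc-ops\\Downloads\\training_schedule.pdf
\\\\FILESRV01\\shared\\history\\campaign_overview.docx
C:\\Users\\USER-A1\\Documents\\air_headquarters_memo.docx
\\\\FILESRV01\\shared\\satcom\\ground_station_layout.pdf
"""

# Assumed keyword table; an analyst would extend it per investigation.
THEMES = {
    "headquarters": ["headquarters", "hq"],
    "satellite": ["satellite", "satcom", "ground_station"],
    "history": ["history", "campaign"],
}

# Windows profile path: <drive>:\Users\<username>\...
USER_RE = re.compile(r"^[A-Za-z]:\\Users\\([^\\]+)\\", re.IGNORECASE)
# UNC share path: \\<server>\<share>\...
SHARE_RE = re.compile(r"^\\\\([^\\]+)\\([^\\]+)\\")


def parse_manifest(text):
    """Split the manifest into non-empty path strings."""
    return [line.strip() for line in text.splitlines() if line.strip()]


def extract_usernames(paths):
    """Count how often each local profile name appears in the listing."""
    counts = Counter()
    for p in paths:
        m = USER_RE.match(p)
        if m:
            counts[m.group(1)] += 1
    return counts


def extract_shares(paths):
    """Count how often each \\\\server\\share root appears in the listing."""
    counts = Counter()
    for p in paths:
        m = SHARE_RE.match(p)
        if m:
            counts["\\\\" + m.group(1) + "\\" + m.group(2)] += 1
    return counts


def tag_themes(paths, themes=THEMES):
    """Group paths by theme when the file name contains a theme keyword."""
    tagged = defaultdict(list)
    for p in paths:
        name = p.rsplit("\\", 1)[-1].lower()
        for theme, keywords in themes.items():
            if any(k in name for k in keywords):
                tagged[theme].append(p)
    return dict(tagged)


def summarize(text):
    """Full triage of one manifest: users, shares and themes."""
    paths = parse_manifest(text)
    return {
        "total_paths": len(paths),
        "usernames": extract_usernames(paths),
        "shares": extract_shares(paths),
        "themes": {t: len(v) for t, v in tag_themes(paths).items()},
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_MANIFEST).items():
        print(key, dict(value) if isinstance(value, dict) else value)
```

Run against a real manifest, the username and share counts are what point an analyst at the victim organization, while the theme counts give a quick picture of what was taken; both are derived purely from path strings, which is why a leaked log of this kind can expose a victim even when no document content is present.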
While analysis of malware files uploaded to VirusTotal often reveals the identity of an attack campaign's targets, it is uncommon for it to also expose evidence that the attack actually succeeded. In this case, CPR saw that a log file produced by the malware exposed the victims' identity, including the names of critical documents and systems.
This leads CPR to assume that the intrusion was eventually detected and analyzed by the victim or by security analysts operating on their behalf.