National Computer Emergency Team Releases Anti-Hacker Guidelines for Government

by admin

The National Computer Emergency Response Team (NCERT) has issued an advisory concerning a cybercrime campaign targeting high-profile offices and government organizations. This campaign, linked to the Sidewinder APT group, employs phishing tactics to infiltrate systems and steal sensitive data.

How the Hacker Group Operates

According to NCERT, the campaign uses a range of tactics and techniques: initial access through spear-phishing links, delivered as clickable URLs inside phishing PDF documents; execution by exploiting vulnerabilities in client applications; defense evasion through masquerading, hiding artifacts, and placing files inside user directories to conceal malicious activity; and credential access through OS credential dumping and theft of web session cookies.

The group gathers system and software information through registry queries and system discovery. Sensitive data is collected by searching local systems for files of interest. Command and control uses application-layer protocols over encrypted channels. The impact phase degrades system availability and network resources through data destruction.

Recommended Actions

To mitigate risks, NCERT advises government organizations to deploy advanced email filtering solutions to detect and quarantine suspicious attachments and URLs. Email authentication mechanisms like SPF, DKIM, and DMARC should be utilized to verify the authenticity of incoming emails and prevent domain spoofing.
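SPF and DMARC only prevent domain spoofing if the published records actually enforce something; a DMARC record with `p=none` and an SPF record ending in `~all` are common, and both leave spoofed mail deliverable. The following checker is an added example for this article, not a tool from NCERT or from the advisory. It parses the two record formats and reports weak settings. The TXT records below are constructed samples for a hypothetical domain; a real check would fetch them from DNS (`<domain>` for SPF, `_dmarc.<domain>` for DMARC).

```python
"""Assess whether a domain's published SPF and DMARC records enforce anything
against spoofing. Added example; the records are constructed, not real DNS data."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample records for a hypothetical domain.
SAMPLE_RECORDS: Dict[str, str] = {
    "ministry.example.test": "v=spf1 ip4:203.0.113.0/24 include:_spf.ministry.example.test ~all",
    "_dmarc.ministry.example.test": "v=DMARC1; p=none; rua=mailto:dmarc@ministry.example.test",
}

# SPF mechanisms that cost a DNS lookup; RFC 7208 allows at most 10 per evaluation.
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}
# DMARC policy strength, used to compare the subdomain policy against the main one.
POLICY_ORDER = {"none": 0, "quarantine": 1, "reject": 2}


@dataclass
class Finding:
    record: str    # "SPF" or "DMARC"
    severity: str  # "high", "medium" or "low"
    message: str


def parse_spf(record: str) -> List[str]:
    """Return the SPF terms after the version tag, rejecting non-SPF input."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    return terms[1:]


def parse_dmarc(record: str) -> Dict[str, str]:
    """Parse the 'tag=value;' pairs of a DMARC record (RFC 7489) into a dict."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def assess_spf(record: str) -> List[Finding]:
    """Flag an SPF record whose 'all' qualifier does not reject unlisted senders."""
    findings: List[Finding] = []
    all_qualifier: Optional[str] = None
    lookups = 0
    for term in parse_spf(record):
        qualifier = term[0] if term[0] in "+-~?" else "+"   # default qualifier is pass
        name = term.lstrip("+-~?").lower()
        if name == "all":
            all_qualifier = qualifier
        elif name.split(":", 1)[0].split("/", 1)[0] in LOOKUP_MECHANISMS or name.startswith("redirect="):
            lookups += 1
    if all_qualifier is None:
        findings.append(Finding("SPF", "high", "no 'all' term: unlisted senders get a neutral result"))
    elif all_qualifier == "+":
        findings.append(Finding("SPF", "high", "'+all' authorises every sender, so SPF blocks nothing"))
    elif all_qualifier == "?":
        findings.append(Finding("SPF", "medium", "'?all' is neutral: unlisted senders neither pass nor fail"))
    elif all_qualifier == "~":
        findings.append(Finding("SPF", "medium", "'~all' is a soft fail; enforcement depends on DMARC p=reject"))
    if lookups > 10:
        findings.append(Finding("SPF", "high", f"{lookups} DNS lookups exceed the limit of 10 (permerror)"))
    return findings


def assess_dmarc(record: str) -> List[Finding]:
    """Flag a DMARC record that monitors instead of rejecting, or applies partially."""
    findings: List[Finding] = []
    tags = parse_dmarc(record)
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append(Finding("DMARC", "high", "p=none only monitors; spoofed mail is still delivered"))
    elif policy == "quarantine":
        findings.append(Finding("DMARC", "medium", "p=quarantine diverts spoofed mail to spam instead of rejecting it"))
    elif policy != "reject":
        findings.append(Finding("DMARC", "high", f"missing or invalid policy tag p={policy!r}"))
    sp = tags.get("sp", "").lower()
    if sp and POLICY_ORDER.get(sp, -1) < POLICY_ORDER.get(policy, -1):
        findings.append(Finding("DMARC", "medium", f"subdomain policy sp={sp} is weaker than p={policy}"))
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        findings.append(Finding("DMARC", "medium", f"pct={pct} applies the policy to only {pct}% of failing mail"))
    if "rua" not in tags:
        findings.append(Finding("DMARC", "low", "no rua= address: aggregate reports on spoofing attempts are not collected"))
    return findings


def assess_domain(domain: str, records: Dict[str, str]) -> List[Finding]:
    """Combine SPF and DMARC findings for one domain, flagging missing records."""
    spf = records.get(domain)
    dmarc = records.get(f"_dmarc.{domain}")
    findings = assess_spf(spf) if spf else [Finding("SPF", "high", "no SPF record published")]
    findings += assess_dmarc(dmarc) if dmarc else [Finding("DMARC", "high", "no DMARC record published")]
    return findings


if __name__ == "__main__":
    for f in assess_domain("ministry.example.test", SAMPLE_RECORDS):
        print(f"[{f.severity:6}] {f.record}: {f.message}")
```

Run against the constructed records, the checker reports the `~all` soft fail and the `p=none` monitoring policy, which together mean a spoofed message from that domain would still be delivered. DKIM is deliberately not covered here: its selector records are per-signing-key and only become meaningful when verified against an actual signed message.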

Document security policies should restrict the execution of macros and scripts within office documents to mitigate the risk of malware embedded in attachments. Sandboxing and static analysis tools should analyze suspicious documents in a controlled environment, identifying and mitigating potential malware before the documents reach end users. Implementing PDF security features, such as digital signatures and document encryption, can prevent unauthorized tampering and modification.
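Because the campaign delivers its phishing links as clickable URLs inside PDF attachments, a useful static check at the mail gateway is to enumerate every link target and every action type a PDF carries before a user ever opens it. The script below is an added example for this article, not a tool from NCERT or from the advisory. It scans the raw bytes of a PDF, plus the inflated body of any stream that zlib can decode, for `/URI` link targets and for action subtypes that open a URL, launch a program or run script. The minimal PDF and the link in it are constructed for the example.

```python
"""Static triage of a PDF for clickable links and other active content.
Added example; the sample PDF and its URL are constructed, not real samples."""
import re
import zlib
from typing import Dict, List

# Constructed minimal PDF: one page with a link annotation pointing at a constructed URL.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [72 700 300 720]
   /A << /S /URI /URI (http://invoice-portal.example.test/login) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# A /URI key followed by a PDF literal string; the group allows backslash-escaped characters.
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.DOTALL)
# Action subtypes worth flagging in a document that arrived by email.
ACTION_RE = re.compile(rb"/S\s*/(URI|Launch|JavaScript|SubmitForm|GoToR)\b")
# Body of a stream object, between the 'stream' and 'endstream' keywords.
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def unescape_pdf_string(raw: bytes) -> str:
    """Undo the backslash escapes for '(', ')' and '\\' used inside a PDF literal string."""
    return re.sub(rb"\\([()\\])", rb"\1", raw).decode("latin-1")


def inflate_streams(data: bytes) -> bytes:
    """Concatenate the inflated content of every stream zlib can decode (FlateDecode).
    Streams with other filters are skipped; uncompressed ones are scanned as plaintext anyway."""
    chunks = []
    for m in STREAM_RE.finditer(data):
        try:
            chunks.append(zlib.decompress(m.group(1)))
        except zlib.error:
            continue
    return b"\n".join(chunks)


def analyze_pdf(data: bytes) -> Dict[str, List[str]]:
    """Return the distinct link targets and action types found, in document order."""
    scan = data + b"\n" + inflate_streams(data)
    uris = [unescape_pdf_string(m.group(1)) for m in URI_RE.finditer(scan)]
    actions = [m.group(1).decode("ascii") for m in ACTION_RE.finditer(scan)]
    return {"uris": list(dict.fromkeys(uris)), "actions": list(dict.fromkeys(actions))}


def build_flate_pdf(object_body: bytes) -> bytes:
    """Build a constructed one-object PDF whose dictionary sits inside a FlateDecode
    stream, to show that compressed content is inspected as well."""
    payload = zlib.compress(object_body)
    return (b"%PDF-1.4\n5 0 obj << /Length " + str(len(payload)).encode()
            + b" /Filter /FlateDecode >>\nstream\n" + payload
            + b"\nendstream\nendobj\n%%EOF\n")


if __name__ == "__main__":
    report = analyze_pdf(SAMPLE_PDF)
    print("link targets:", report["uris"])
    print("action types:", report["actions"])
```

The output for the constructed sample lists the single link target and the `URI` action. A gateway rule can then hold any attachment whose targets fall outside an allow-list, or that carries `Launch` or `JavaScript` actions at all. The byte-level scan is deliberately simple: it does not parse object streams, cross-reference tables or encrypted documents, so a full sandbox or a proper PDF parser is still needed for documents that pass this first filter.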

NCERT also recommends deploying endpoint detection and response (EDR) solutions to detect and block malicious activities at the endpoint level, including file-less malware execution and credential theft attempts. Application control measures should be implemented to restrict the execution of untrusted binaries and scripts on endpoints, reducing the attack surface for adversaries.

Integrating threat intelligence feeds into security monitoring systems can proactively identify indicators of compromise associated with known APT groups and emerging cyber threats. Leveraging threat intelligence platforms to correlate IOCs with historical attack data can help identify patterns indicative of ongoing or impending cyber campaigns.

NCERT urges government organizations, ministries, and divisions to remain vigilant and take necessary security measures to protect against cyber threats.

© 2024 PakistanTrend All Right Reserved.