Over the weekend, I spent time understanding how APTs operate, how they collaborate, and how they learn and grow. To keep it simple, I evaluated APTs operating out of Pakistan. It looks like there are only two well-known teams doing this today: APT36 (aka Mythic Leopard, Transparent Tribe) and SideCopy.
Initial observations
Most attacks are targeting Microsoft infrastructure
These teams have some ability to infect Linux and Android as well
However, reducing dependence on Microsoft may still dramatically reduce the number of potential attack vectors
The teams rely heavily on very old bugs for infection and on components built by others
A well-maintained customer environment with users trained to recognize phishing may be able to defeat most attempts
But only one user needs to fall for it for the attacker to gain a foothold and start moving laterally within the organization.
APT36: The Established Player
Background and Attribution: APT36 has been active since at least 2016, exhibiting a clear focus on espionage against Indian military, government, and defense sectors. Evidence suggests potential ties to Pakistani state-sponsored actors, including infrastructure overlaps and lure themes aligned with Pakistani interests.
Technical Characteristics:
Spear-phishing with Malicious Documents: APT36's primary infection vector relies on meticulously crafted spear-phishing emails containing weaponized Microsoft Office documents. Exploits targeting vulnerabilities like CVE-2017-11882 (Equation Editor) and CVE-2017-8570 (RTF) have been observed, enabling the delivery of custom malware payloads.
Custom RAT Development: The group is known for deploying custom Remote Access Trojans (RATs) such as Crimson RAT and ObliqueRAT. These RATs grant extensive control over compromised systems, enabling keylogging, screen capture, file exfiltration, and command execution.
Social Engineering and Watering Hole Attacks: Beyond spear-phishing, APT36 has utilized social media platforms for reconnaissance and social engineering, and has been implicated in watering hole attacks targeting websites frequented by their intended victims.
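The Equation Editor bug named above (CVE-2017-11882, also used by SideCopy per the Cyware reference further down) leaves a distinctive trace in process-creation telemetry. As an added example that is not from the original post, the triage logic below flags that trace; field names follow Sysmon Event ID 1 (Image, ParentImage, CommandLine), while the dict layout and sample events are constructed.

```python
"""Flag the Equation Editor (CVE-2017-11882) abuse pattern in process-creation
telemetry. Fields follow Sysmon Event ID 1 names (Image, ParentImage,
CommandLine); the dict layout and sample events are constructed for this example."""
from typing import Dict, List

EQUATION_EDITOR = "eqnedt32.exe"


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify_event(event: Dict[str, str]) -> str:
    """Severity of one process-creation event: 'high', 'medium' or 'none'.

    high:   EQNEDT32.EXE spawned a child. Equation Editor never launches other
            programs, so a child process is the exploit's payload stage.
    medium: EQNEDT32.EXE itself started. It runs as an out-of-process COM server
            (its parent is normally svchost.exe, not the Office app) and was
            removed from Office by the January 2018 updates, so any start on a
            patched estate deserves a look even without a child.
    """
    if basename(event.get("ParentImage", "")) == EQUATION_EDITOR:
        return "high"
    if basename(event.get("Image", "")) == EQUATION_EDITOR:
        return "medium"
    return "none"


def triage(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return only the events worth an analyst's time, highest severity first."""
    findings = [dict(ev, severity=classify_event(ev)) for ev in events]
    findings = [f for f in findings if f["severity"] != "none"]
    findings.sort(key=lambda f: f["severity"] != "high")  # False (high) sorts first
    return findings


# Constructed sample telemetry: a benign Word launch followed by an exploit chain.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "WINWORD.EXE report.docx"},
    {"Image": r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     "ParentImage": r"C:\Windows\System32\svchost.exe", "CommandLine": "EQNEDT32.EXE -Embedding"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     "CommandLine": "cmd.exe /c [constructed placeholder]"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f["severity"].upper(), basename(f["ParentImage"]), "->", basename(f["Image"]))
```

The medium-severity rule is the one that pays off on a patched estate: a fleet with the January 2018 updates applied should never start EQNEDT32.EXE at all, so the event alone is a reliable sign of an unpatched host receiving this lure.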
Evidence and Resources:
Cisco Talos' research on Transparent Tribe highlights infrastructure overlaps and lure themes.
Proofpoint's analysis details APT36's targeting of the Indian military.
SideCopy: The Mimic with Growing Sophistication
Background and Attribution: Emerging around 2019, SideCopy is a relatively newer entrant in the APT landscape. While definitive attribution remains challenging, the group's targeting of Indian entities and strong similarities to the techniques of the Sidewinder APT suggest a potential connection to Pakistan or an attempt to mimic their operations for obfuscation.
Technical Characteristics:
Spear-phishing and Exploit Kits: Similar to APT36, SideCopy utilizes spear-phishing emails with malicious attachments, exploiting vulnerabilities in Microsoft Office documents. Additionally, they have been observed employing exploit kits to target vulnerabilities in victims' browsers and software.
Publicly Available RATs: Unlike APT36's custom malware development, SideCopy primarily leverages publicly available RATs like NetWire and njRAT. These tools, while less sophisticated, still provide significant remote access capabilities for data exfiltration and system control.
Sidewinder Mimicry: SideCopy meticulously replicates techniques used by the Sidewinder APT, including decoy documents, infrastructure patterns, and even lures. This deliberate mimicry adds complexity to attribution efforts and may indicate an attempt to confuse analysts.
Evidence and Resources:
Cisco Talos' analysis of SideCopy reveals their tactics and potential connections [pdf].
Cyware documents SideCopy's exploitation of the Equation Editor vulnerability.
Comparative Analysis and Connections
Both APT36 and SideCopy share a primary focus on targeting Indian military and government entities, suggesting a shared strategic objective of intelligence gathering. Their reliance on spear-phishing and exploit kits demonstrates a commonality in initial access techniques. However, distinctions exist in their malware development choices and the extent of their operational security efforts.
Malware Development: APT36 invests in custom malware, suggesting a higher level of sophistication and resource availability. SideCopy's use of publicly available RATs may indicate resource constraints or a deliberate effort to avoid attribution through unique tooling.
Operational Security (OpSec): APT36 exhibits moderate OpSec measures, while SideCopy demonstrates a more concerted effort to obfuscate its activities through Sidewinder mimicry.
Potential Connections:
While concrete evidence remains elusive, the possibility of collaboration or shared resources between APT36 and SideCopy cannot be discounted. Their overlapping targeting, similar tactics, and possible common geographic origin warrant further investigation into a link between the groups or a shared sponsor.
Conclusion and Future Research
APT36 and SideCopy represent a persistent threat to Indian interests, demonstrating evolving capabilities and a determined focus on cyber espionage. Continuous monitoring, information sharing, and technical analysis are crucial to countering their activities. Future research should prioritize:
Attribution Efforts: Deeper analysis of infrastructure, tactics, and potential code overlaps may provide stronger attribution evidence.
Malware Analysis: Further examination of deployed malware can reveal functionality evolution and potential connections between groups.
Geopolitical Context: Studying the broader geopolitical landscape and regional conflicts can provide insights into the motivations and objectives of these APT groups.
By fostering collaboration and sharing technical insights, the cybersecurity community can better understand and mitigate the threats posed by Pakistani APT actors.
Additional reading
SEQRITE - Pakistan APTs escalates APT activity
CYFIRMA - Android malware from APT36
A talk by Asheer Malhotra at BSidesCharm 2022 on Pakistani APT campaigns