xorl %eax, %eax

OSINT: A Summary of SIDEWINDER Operations in 2022


SIDEWINDER (also known as RAZOR TIGER, RATTLESNAKE, T-APT-04, HARDCORE NATIONALIST, and APT-C-17) is a cyber espionage actor that has been active at least since 2012. I had a look at all the publicly known 2022 operations (that I could find) attributed to this actor to derive some insights, and here’s the outcome.

The main outcome we can derive is that SIDEWINDER is focusing mainly on Pakistani military targets (particularly the Navy) to conduct cyber espionage.

In terms of the data I used, through publicly available information I found 40 unique events (let’s call them operations) for the period January 2022 to December 2022, and here are some statistics…

Note: Apparently this is a tiny number compared to Kaspersky’s “over 1,000 new attacks since April 2020”, but I tried to keep it limited to 2022, to publicly available reports, and only to those that had some context, not just IOCs.

Figure 1: Countries targeted by SIDEWINDER
Figure 2: Sectors targeted by SIDEWINDER

Many identify SIDEWINDER as an Indian cyber espionage actor, and based on the targets in Figure 1 and Figure 2 I’d say we can safely assume that their main target is Pakistani military entities, which makes this actor better aligned with what a military intelligence agency would be doing. Maybe something like India’s Directorate of Military Intelligence? Apparently, there is no hard evidence here to be certain about this, just some food for thought.

Considering the main target is the Pakistani military, here’s a breakdown of the specific SIDEWINDER targets in Pakistan from the limited 2022 dataset I mentioned in the introduction.

Figure 3: Volumetric analysis of top SIDEWINDER targets in Pakistan

Based on that limited dataset, clearly the Pakistani Navy was by far the top target of SIDEWINDER for 2022, strengthening the hypothesis of SIDEWINDER being an actor associated with India’s military intelligence, or even naval intelligence.

With such small sample sets, timelines aren’t particularly valuable, but I know that people will be asking for one, so here is a timeline analysis too.

Figure 4: Timeline of the identified SIDEWINDER operations

Written by xorl

December 23, 2022 at 15:46
