SideWinder, a prolific nation-state actor mainly known for targeting Pakistani military entities, compromised the official website of the National Electric Power Regulatory Authority (NEPRA) to deliver a tailored malware called WarHawk.
“The newly discovered WarHawk backdoor contains various malicious modules that deliver Cobalt Strike, incorporating new TTPs such as KernelCallBackTable injection and Pakistan Standard Time zone check in order to ensure a victorious campaign,” Zscaler ThreatLabz said.
The threat group, also called APT-C-17, Rattlesnake, and Razor Tiger, is suspected to be an Indian state-sponsored actor, although a report from Kaspersky earlier this May acknowledged that the previous indicators that led to the attribution have since disappeared, making it challenging to link the threat cluster to a specific nation.
More than 1,000 attacks are said to have been launched by the group since April 2020, an indication of SideWinder's newfound aggression since it began operating in 2012, a decade ago.
The intrusions have been significant not only with regard to their frequency but also in their persistence, even as the group takes advantage of a massive arsenal of obfuscated and newly-developed components.