Date: Mar 2023

Location: India

Summary

A Pakistani cyberespionage group, SideCopy APT, conducted a spear-phishing campaign against India's Defense Research and Development Organization by distributing malicious zip attachments disguised as military research documents, including decoy material on the K-4 missile. The attack deployed Action RAT malware through a multi-stage infection chain initiated via deceptive LNK files, enabling the theft of sensitive information, retrieval of system details, installation of additional payloads, and exfiltration of files to command-and-control servers. The group, known for emulating other threat actors and evolving its techniques, aimed to compromise the organization’s network of laboratories and scientists developing advanced military technologies.


Description

In March 2023, cybersecurity researchers from Cyble identified a spear-phishing campaign by the Pakistani advanced persistent threat group SideCopy targeting India’s Defense Research and Development Organization (DRDO). The attack involved emails containing malicious zip attachments disguised as research materials related to military technologies. One such attachment was named "DRDO - K4 Missile Clean room.pptx.lnk," referencing the DRDO-developed K-4 nuclear-capable submarine-launched ballistic missile. The zip file contained a legitimate PowerPoint presentation about the missile alongside the malicious .lnk file, which initiated the infection chain when extracted and executed. Execution of the .lnk file triggered the download of an HTML application that displayed the decoy presentation while simultaneously executing a series of concatenated HTML operations. These operations deployed a variant of the Action RAT malware, which was disguised as essential Windows system components. The malware enabled attackers to retrieve file and drive information, install additional payloads, and exfiltrate data to command-and-control servers. The DRDO, operating 52 laboratories and employing over 5,000 scientists to develop military technologies for India’s armed forces, was susceptible to theft of sensitive defense data through this attack vector.
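The lure described above relies on a shortcut whose name ends in a document extension followed by `.lnk`, which Explorer displays without the final suffix. The following added example (not code from the original report or from Cyble) screens a zip attachment for that pattern and for shortcut files identified by their header regardless of name; the archive contents are constructed placeholders, not the real lure files.

```python
import io
import zipfile
from dataclasses import dataclass

# Document extensions a lure archive would plausibly carry; a .lnk with one of
# these as its second-to-last extension is masquerading as a document.
DOCUMENT_EXTS = {"pptx", "ppt", "docx", "doc", "xlsx", "xls", "pdf"}

# ShellLinkHeader: HeaderSize 0x4C followed by the LinkCLSID
# 00021401-0000-0000-C000-000000000046 in its on-disk byte order.
LNK_MAGIC = bytes.fromhex("4c000000" "0114020000000000c000000000000046")


@dataclass(frozen=True)
class Finding:
    name: str
    reason: str


def inspect_archive(data: bytes) -> list:
    """Return suspicious entries from an in-memory zip attachment."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            base = info.filename.lower().rsplit("/", 1)[-1]
            parts = base.split(".")
            head = zf.open(info).read(len(LNK_MAGIC))
            is_lnk = head == LNK_MAGIC
            if parts[-1] == "lnk" and len(parts) >= 3 and parts[-2] in DOCUMENT_EXTS:
                findings.append(Finding(info.filename,
                                        f"shortcut masquerading as a .{parts[-2]} document"))
            elif parts[-1] == "lnk" or is_lnk:
                findings.append(Finding(info.filename, "Windows shortcut inside attachment"))
    return findings


def build_sample_archive() -> bytes:
    """Constructed stand-in for the lure: decoy deck plus a double-extension shortcut."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("DRDO - K4 Missile Clean room.pptx", b"placeholder decoy presentation")
        zf.writestr("DRDO - K4 Missile Clean room.pptx.lnk",
                    LNK_MAGIC + b"placeholder shortcut body")
    return buf.getvalue()


if __name__ == "__main__":
    for f in inspect_archive(build_sample_archive()):
        print(f"{f.name}: {f.reason}")
```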


SideCopy has historically emulated the tactics of Sidewinder APT, a group suspected to be of Indian origin, and has persistently targeted Indian government and military entities. Previous campaigns by SideCopy included attacks on the Indian Army, the National Cadet Corps, and the National Council of Educational Research and Training (NCERT). In 2021, the group used decoy documents such as "Email facility address list of the ERE units: 20 Sept 2021" (targeting the Army) and "Living the values, a value-narrative to grass-root leadership" (targeting NCERT) to deliver malware. The March 2023 attack against DRDO reflected this pattern of leveraging credible decoy content to evade detection, with the K-4 missile documentation serving to legitimize the phishing attempt. Researchers assessed the campaign as part of SideCopy’s ongoing evolution of techniques and tooling to compromise high-value targets for espionage purposes, specifically aiming to exfiltrate military secrets from Indian defense institutions. No organizational response or containment measures by DRDO were disclosed in the reporting.
