Cyber Incident Victim: Nepali Ministry of Defense
Date: Dec 2020
Location: Nepal
Summary
The SideWinder APT group conducted a cyberespionage campaign targeting military and government entities, primarily compromising the Nepali Ministry of Defense alongside Afghan organizations. Attackers employed credential-phishing emails and malicious mobile applications, using regional territorial disputes as thematic lures to deliver backdoors. The operation aimed to exfiltrate sensitive intelligence from defense and governmental systems, leveraging fabricated geopolitical content to make the social engineering more convincing. This multi-vector approach combined traditional email compromise with mobile-focused payloads to infiltrate targets' networks and devices for sustained information theft.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 2 techniques |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
The SideWinder advanced persistent threat (APT) group conducted a cyberespionage campaign targeting military and government entities in Nepal and Afghanistan around December 2020. Attackers used phishing emails containing malicious attachments related to territorial disputes between China, India, Nepal, and Pakistan as social engineering lures. These emails attempted to steal email credentials through convincing credential-harvesting pages. Successful compromises led to deployment of backdoors including Crimson RAT, which enabled remote access to infected systems. The group simultaneously distributed malicious Android mobile applications designed to harvest device information and establish persistent access. Primary targets included the Nepali Ministry of Defense and Afghan government organizations, with the objective of exfiltrating sensitive military and political intelligence.

Security researchers identified the campaign through analysis of phishing infrastructure and malware signatures linked to SideWinder's known tactics. The operation employed multiple infection vectors across desktop and mobile platforms to maximize intrusion opportunities. No specific containment measures or remediation actions by victim organizations were detailed in public reporting. The incident demonstrated SideWinder's continued focus on South Asian geopolitical intelligence collection through multi-channel attacks. Campaign artifacts indicated persistent efforts to compromise high-value government targets through regionally relevant lures.
