Operation SideCopy: Cyber Espionage targeting Indian Army – The Hack Report

Quick Heal researchers warn the government of a new cyber attack suspected to be routed by Pakistan based APT-31 and backed by China.
Seqrite, Quick Heal’s threat intelligence group, recently found evidence of an Advanced Persistence Threat(APT) against the Indian Army and allied forces. The operation is dubbed as “Operation SideCopy.”
The operation is said to be a coordinated attempt to steal the strategic data and infrastructure information by sending phishing emails and remote access malware to infiltrate the systems.
Transparent Tribe or APT-36, a Pakistan based hacker group, seems to be linked with the attacks. Researchers at Seqrite found signatures, domain names similar to those used by APT-36 to attack the Indian Army in the past. Moreover, a domain hosting HTML stager application was found to be registered in Rawalpindi, Pakistan, which strengthens the claims of involvement of the neighbor.

The attacks are being made since 2019 and, as of now, are known to be targeting security personals of Indian defense forces only. The aim is clear: Steal sensitive information and pose as a major threat to national security.
“Till now, this attack has been only seen targeting India. The Tactics, Techniques and Procedures (TTPs), as well as Decoy documents that we analyzed, were crafted specifically in Indian context,” says Himanshu Dubey, director of Quick Heal Security Labs.

The attackers distributed malware embedded in an email attachment in the form of a ZIP file containing an LNK file or a DOC file.
“The victim receives LNK files, compressed into ZIP/RAR via emails. These files are shortcuts executing mshta.exe and providing remote HTA URL as the parameter. LNKs have a double extension with document icons, to trick the victim into opening the file. Victims just have to execute LNK files and rest all modules follow in the background,” reported Seqrite.
The hackers are continuously developing and deploying new malware to infiltrate through the layers of security. The attackers are said to be backed by China, according to Quick Heal.
The point of concern is that it is unknown if any information is leaked or not.
All the information related to the attack has been shared with the Government of India and the Indian Army to help them to take optimal security measures, says Dubey.
With ongoing tension with China along the LAC, India is going through a phase of increased cyber attacks for the past six months, with China and Pakistan both actively posing as the threat actors.
Experts have recommended government authorities should take mandatory and implement advanced cyber security.