
ThreatInsight: Top 5 Threat Actors Targeting Sri Lanka


This report profiles five state-sponsored and sophisticated APT groups, SideWinder, Ice Fog, RAZOR TIGER, Mirage, and Dropping Elephant, that target military, government, defense, and critical sectors worldwide using advanced malware, spear-phishing, and tailored espionage tactics.

Our NodeRisk ThreatInsight Team conducted in-depth research into Advanced Persistent Threats (APTs) targeting Sri Lanka. Through our analysis, we identified the top 5 threat actors actively engaging in cyber activities against entities in the region. These groups include SideWinder, Ice Fog, RAZOR TIGER, Mirage, and Dropping Elephant, each leveraging sophisticated techniques to target military, government, and critical infrastructure sectors.


SideWinder

Incident:

Our team has identified a new campaign by the nation-state threat actor SideWinder, a group originating from India and active since 2012. SideWinder, also known as Razor Tiger, Rattlesnake, and T-APT-04, is engaging in espionage campaigns across South Asia and surrounding regions. Their latest campaign targets ports and maritime facilities in the Indian Ocean and Mediterranean Sea, specifically focusing on Sri Lanka, Pakistan, Egypt, Bangladesh, Myanmar, Nepal, and the Maldives.

The campaign utilizes sophisticated spear-phishing techniques, exploiting vulnerabilities in Microsoft Office and leveraging emotionally charged visual bait documents to compromise victims. These documents use familiar logos and themes, such as port authorities, and employ highly specific phrases to evoke anxiety and prompt immediate action. Once the document is opened, it retrieves the malicious payload via remote template injection, and the fetched template exploits known vulnerabilities such as CVE-2017-0199 and CVE-2017-11882.

Through a combination of advanced techniques, such as DLL side-loading, JavaScript-based second-stage payloads, and anti-VM checks, SideWinder’s goal remains espionage and intelligence gathering. The group’s infrastructure, including Tor-based command-and-control (C2) servers and dynamically generated malicious domains, enables persistent and stealthy attacks.

The NodeRisk ThreatInsight Team uncovered a malicious document crafted by the SideWinder APT group, specifically targeting Sri Lankan Army personnel. The document, disguised as an “Employee Salary Cut Notice,” was written in Sinhala, the native language of Sri Lanka, to enhance its credibility and relevance to the targeted audience.

The document contained emotionally charged language and formatting designed to evoke fear and urgency among recipients. The intent was to compel victims to open the document immediately without scrutinizing its legitimacy. For example:

  • Title: “EMPLOYEE TERMINATION AND SALARY CUT NOTICE”
  • Phrases: “Grave seriousness,” “Terminate employment,” and “Salary reduction due to depleted reserves.”

When the document was opened, it triggered DLL side-loading, a technique in which a legitimate application is tricked into loading a malicious DLL file in place of the one it expects. This allowed the malware to execute stealthily, avoiding detection by traditional security tools.

Overview:

SideWinder is a suspected state-sponsored Advanced Persistent Threat (APT) group that operates primarily out of South Asia. They are known for targeting critical entities, including military organizations, government institutions, and defense contractors, often aligned with the strategic geopolitical interests of their presumed sponsoring state.

Primary Targets:

  • Military Sectors: Focuses on defense and intelligence agencies to acquire sensitive information related to national security.
  • Government Institutions: Targets ministries, policy organizations, and administrative bodies to disrupt operations or gather strategic intelligence.
  • Critical Infrastructure: Aims to disrupt or compromise entities in sectors like energy and communication, often in adversarial nations.

Geographical Focus:

  • The group has targeted entities across South Asia, focusing on countries with ongoing geopolitical tensions in the region.
  • Occasionally, they have expanded their operations to other regions, particularly in areas of strategic relevance to their sponsoring state.

Attack Vectors:

  1. Spear-Phishing Campaigns:

    • SideWinder frequently employs highly targeted spear-phishing emails, often crafted using detailed reconnaissance to exploit specific individuals within an organization.
    • These emails include malicious attachments (e.g., Word or Excel files) or links to compromised websites that deliver malware when opened.
  2. Exploitation of Software Vulnerabilities:

    • They exploit unpatched vulnerabilities in commonly used software and operating systems, particularly in government and defense networks.
    • Zero-day vulnerabilities are occasionally leveraged to gain initial access to high-value targets.
  3. Custom Malware:

    • SideWinder uses a range of proprietary malware tools to infiltrate and maintain persistent access in targeted systems.
    • Examples of their malware capabilities include:
      • Keylogging to capture sensitive credentials.
      • Network reconnaissance tools to map the victim’s infrastructure.
      • Data exfiltration modules to siphon critical information.
  4. Command-and-Control (C2) Communication:

    • They establish encrypted communication channels between infected devices and their C2 servers to exfiltrate data and issue remote commands.
    • The C2 infrastructure is often updated frequently to avoid detection.

Objectives and Motivations:

  • Espionage: To gather intelligence on military strategies, government policies, and defense technologies.
  • Disruption: To weaken adversarial nations by targeting critical infrastructure or disabling key defense mechanisms.
  • Geopolitical Advantage: Focuses on regions of strategic importance, using cyber operations to complement broader national objectives.

Notable Techniques:

  • Reconnaissance: Extensive use of open-source intelligence (OSINT) to craft tailored attacks based on the habits and digital profiles of targets.
  • Credential Harvesting: Through phishing and malware, SideWinder captures credentials to access sensitive systems or escalate privileges.
  • Lateral Movement: Once inside a network, they employ tools to move laterally, identifying and compromising high-value systems.

Impacts:

  1. Data Breaches: Exfiltration of classified documents, strategic plans, and confidential communications.
  2. Operational Disruption: Temporary paralysis of critical systems, particularly in military operations.
  3. Financial and Reputational Damage: Affected entities suffer loss of trust and increased costs for remediation and security enhancements.

Key Characteristics:

  • Sophisticated Malware: Highly customized for specific operations.
  • Long-Term Campaigns: Maintains persistence for extended periods to maximize intelligence collection.
  • Regional Focus: Operates with a clear focus on adversaries in South Asia and surrounding regions.
  • Adaptability: Quickly modifies tactics to evade detection and respond to countermeasures.

Indicators of Compromise (IOCs):

  • Malicious email attachments with unusual file extensions or macros enabled.
  • Unexpected outbound connections to C2 servers hosted in uncommon locations.
  • Sudden network spikes due to data exfiltration activities.

Ice Fog

Overview:

Ice Fog, also known as the “Foggy Web Crew”, is a cyber espionage group active since at least 2011. Known for its ‘hit-and-run’ tactics, Ice Fog focuses on short-duration, highly targeted attacks designed to achieve specific objectives. Their primary targets include government institutions, defense contractors, and energy companies, primarily in East Asia, with a particular emphasis on South Korea and Japan.

Primary Targets:

  • Government Institutions: Compromising sensitive data from policy and administrative bodies.
  • Defense Contractors: Gaining intelligence on military and defense projects.
  • Energy Sector: Collecting information on critical energy infrastructures and projects.

Geographical Focus:

Primarily operates in East Asia, targeting entities in:

  • South Korea
  • Japan
  • Other nations with geopolitical ties to these regions.

Attack Vectors:

  1. Custom Malware:

    • Ice Fog uses proprietary tools to create backdoors in compromised systems.
    • The malware enables file exfiltration, keystroke logging, and system reconnaissance.
  2. Spear-Phishing:

    • Targets receive malicious emails containing attachments or links to deliver malware payloads.
    • Emails are often tailored with topics relevant to the victim’s work or region to increase effectiveness.
  3. Watering Hole Attacks:

    • Ice Fog compromises websites frequently visited by their targets and embeds malicious scripts to infect visitors.
  4. Short-Duration Campaigns:

    • The group typically carries out brief operations, collecting specific data before disengaging to avoid detection.

Objectives and Motivations:

  • Data Exfiltration: Collecting sensitive information related to national security, defense projects, or energy sector activities.
  • Intelligence Gathering: Monitoring geopolitical activities and gaining insight into governmental operations.
  • Strategic Disruption: Weakening adversaries by compromising key sectors.

Notable Techniques:

  • Custom Malware Families: Includes backdoor variants like “Fucobha” and “IKYS” designed for persistence and stealth.
  • Reconnaissance: Conducts extensive pre-attack reconnaissance to identify high-value targets and craft tailored payloads.
  • Advanced C2 Communication: Utilizes encrypted channels to communicate between compromised systems and their infrastructure.

Impacts:

  1. National Security Threats: Exfiltration of sensitive government and defense data.
  2. Disruption in Critical Sectors: Potential impact on energy operations or projects of strategic importance.
  3. Economic Damage: Intellectual property theft and competitive disadvantages for targeted industries.

Key Characteristics:

  • Hit-and-Run: Operates quickly to achieve objectives, minimizing exposure.
  • High Specificity: Each attack is tailored to the target, making detection more challenging.
  • Stealthy Operations: Employs techniques to evade traditional detection methods.

Indicators of Compromise (IOCs):

  • Unusual outbound network activity involving uncommon domains.
  • Files with abnormal names or extensions indicative of malware payloads.
  • Connections to IPs associated with compromised watering-hole sites.

Mitigation Strategies:

  • Advanced Email Filtering: Block phishing emails and suspicious attachments.
  • Behavioral Analysis Tools: Detect unusual system behavior indicative of malware.
  • Regular System Patching: Update all software and systems to close known vulnerabilities.
  • Web Traffic Monitoring: Identify unusual traffic patterns indicative of watering-hole attacks.

RAZOR TIGER

Overview:

RAZOR TIGER is a highly sophisticated cyber espionage group that targets governmental and diplomatic organizations. They are known for their stealthy and persistent operations, leveraging advanced malware and tactics to infiltrate secure networks and exfiltrate sensitive information. The group’s attacks are typically multi-phased, employing a combination of social engineering, custom malware, and zero-day exploits.

Primary Targets:

  • Diplomatic Organizations: To gather intelligence on international relations and negotiations.
  • Government Entities: To infiltrate and extract classified data from administrative bodies.

Geographical Focus:

RAZOR TIGER’s operations are believed to have a global reach, with a significant focus on:

  • North America
  • Europe
  • Asia

Attack Vectors:

  1. Spear-Phishing Emails:

    • Emails contain malicious links or documents that exploit vulnerabilities.
    • Often crafted using stolen or publicly available information about the target.
  2. Zero-Day Exploits:

    • The group actively seeks and exploits previously unknown vulnerabilities to breach networks.
  3. Watering Hole Attacks:

    • Compromises websites frequented by the target organization to deliver malware.
  4. Custom Malware:

    • Uses malware variants specifically designed for espionage, including tools for data theft and long-term network persistence.

Objectives and Motivations:

  • Espionage: Extracting sensitive political and diplomatic data.
  • Influence Operations: Gathering intelligence to influence policymaking.

Notable Techniques:

  • Multi-Stage Attacks: Uses several stages to achieve infiltration, persistence, and data exfiltration.
  • Stealth and Evasion: Adapts techniques in real time to avoid detection.
  • Sophisticated Malware Toolkits: Frequently updates malware to bypass defenses.

Impacts:

  1. Loss of Diplomatic Confidentiality: Leakage of classified communications.
  2. National Security Risks: Potential exposure of strategic governmental plans.

Key Characteristics:

  • Highly coordinated attacks with extensive planning.
  • Stealthy operations that avoid detection for prolonged periods.

Indicators of Compromise (IOCs):

  • Unusual email activity from high-ranking personnel.
  • Suspicious processes running on government endpoints.

Mitigation Strategies:

  • Train employees on recognizing spear-phishing attempts.
  • Use advanced endpoint protection tools.
  • Regularly audit system activity for anomalies.

Mirage

Overview:

Mirage is a sophisticated cyber espionage group believed to have ties to China’s People’s Liberation Army (PLA). The group is well-known for its advanced persistent threat (APT) capabilities and primarily focuses on intelligence gathering in sectors like aerospace, defense, and other high-tech industries. Their operations are characterized by long-term persistence, employing custom malware and advanced infiltration techniques.

Primary Targets:

  • Aerospace Companies: To steal cutting-edge technologies and sensitive project data.
  • Defense Contractors: To gather intelligence on military technologies and strategies.
  • High-Tech Industries: Targeting research and development information.

Geographical Focus:

Primarily focuses on nations with advanced technological capabilities or strategic defense initiatives, including:

  • United States
  • Europe
  • Asia

Attack Vectors:

  1. Spear-Phishing:

    • Delivers malicious attachments or links in highly targeted emails.
    • Often impersonates trusted sources to increase success rates.
  2. Strategic Web Compromises (SWCs):

    • Infects websites commonly visited by target organizations, embedding malicious scripts to deliver payloads.
  3. Custom Malware:

    • Malware tools include remote access Trojans (RATs), keyloggers, and data exfiltration modules.
    • Designed for stealth and persistence, often evading traditional detection methods.
  4. Supply Chain Attacks:

    • Compromises third-party vendors to gain indirect access to target networks.

Objectives and Motivations:

  • Intellectual Property Theft: Acquiring advanced technologies for military or economic advantage.
  • Intelligence Gathering: Monitoring defense activities, policies, and strategic plans.
  • Geopolitical Superiority: Supporting state objectives by undermining adversarial nations.

Notable Techniques:

  • Multi-Layered Malware Deployment: Utilizes multiple stages of malware to evade detection during initial infiltration.
  • Advanced Reconnaissance: Conducts in-depth reconnaissance before launching targeted attacks.
  • Persistence and Evasion: Maintains long-term access while minimizing operational footprints.

Impacts:

  1. Technological Advantage: Loss of intellectual property to adversaries.
  2. Military Risks: Exposure of sensitive defense projects and capabilities.
  3. Economic Damage: Competitive disadvantage for targeted organizations.

Key Characteristics:

  • Strategic targeting of high-value industries.
  • Sophisticated, stealthy malware.
  • State-sponsored backing with significant resources.

Indicators of Compromise (IOCs):

  • Unusual outbound data transfer activities.
  • Phishing emails with aerospace or defense-related themes.
  • Suspicious connections to IPs known for C2 activity.

Mitigation Strategies:

  • Enhanced Email Security: Use email filtering and anti-phishing solutions.
  • Endpoint Monitoring: Deploy advanced EDR solutions to detect anomalies.
  • Threat Intelligence Integration: Monitor known IOCs and adapt defenses accordingly.

Dropping Elephant (Chinastrats)

Overview:

Dropping Elephant, also known as Chinastrats, is an advanced persistent threat (APT) group believed to operate out of China. Their focus is on high-profile defense, government, and political organizations, leveraging social engineering and custom malware for data exfiltration and reconnaissance. The group is noted for its extensive pre-attack planning and tailored operations.

Primary Targets:

  • Defense Organizations: Gathering intelligence on military capabilities and plans.
  • Government Officials: Targeting individuals to access confidential communications.
  • Political Entities: Monitoring political strategies and diplomatic exchanges.

Geographical Focus:

Primarily targets regions of strategic interest to China, including:

  • India
  • Southeast Asia
  • Western Governments

Attack Vectors:

  1. Spear-Phishing:

    • Deploys malicious documents or links using tailored messages.
    • Frequently leverages geopolitical or industry-specific themes.
  2. Social Engineering:

    • Exploits human vulnerabilities, using impersonation or coercion to gain access.
  3. Publicly Available Exploit Kits:

    • Combines off-the-shelf tools with custom malware to compromise systems.
  4. Custom Malware:

    • Employs lightweight malware for reconnaissance and data exfiltration.
    • Malware often adapts to the victim’s environment to avoid detection.

Objectives and Motivations:

  • Reconnaissance: Gathers intelligence on defense and political strategies.
  • Data Exfiltration: Extracts sensitive information, such as classified documents and communications.
  • Influence Operations: Tracks and potentially disrupts adversarial plans.

Notable Techniques:

  • Extensive Reconnaissance: Builds detailed profiles of targets before launching attacks.
  • Layered Social Engineering: Exploits interpersonal trust within organizations.
  • Blended Attack Methods: Combines spear-phishing with malware to maximize effectiveness.

Impacts:

  1. Compromised Confidentiality: Loss of sensitive defense and political data.
  2. Increased Threat Awareness: Targets often become wary of engaging in digital communications.
  3. Potential Disruption: Ability to weaken adversaries through exposure or interference.

Key Characteristics:

  • Heavy reliance on social engineering.
  • Blends widely available tools with custom capabilities.
  • Operations are methodical and precise, with a focus on high-value data.

Indicators of Compromise (IOCs):

  • Suspicious emails referencing high-profile geopolitical events.
  • Malicious documents containing macros or embedded links.
  • Sudden, unexplained data transfers during non-business hours.
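The "sudden, unexplained data transfers during non-business hours" indicator above, like the exfiltration-driven network spikes listed for SideWinder, can be turned into a simple detection. The following Python is an added example, not the report's own tooling: it builds a per-host baseline from business-hours transfers in a constructed set of flow records and flags off-hours transfers that exceed both an absolute floor and a multiple of that baseline. The business-hours window, thresholds, and flow record format are assumptions made for the demonstration.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed flow records (not from the report): timestamp, source host,
# destination, bytes sent. The last record for 10.10.4.21 is the anomaly.
SAMPLE_FLOWS = """\
2024-03-04T09:12:00 src=10.10.4.21 dst=198.51.100.20 bytes=1200000
2024-03-04T11:40:00 src=10.10.4.21 dst=198.51.100.20 bytes=900000
2024-03-04T14:05:00 src=10.10.4.21 dst=198.51.100.34 bytes=1500000
2024-03-04T16:30:00 src=10.10.4.21 dst=198.51.100.20 bytes=1100000
2024-03-05T02:17:00 src=10.10.4.21 dst=203.0.113.77 bytes=480000000
2024-03-05T10:00:00 src=10.10.4.33 dst=198.51.100.20 bytes=700000
2024-03-05T23:45:00 src=10.10.4.33 dst=198.51.100.20 bytes=650000
"""

# Assumed business hours for the monitored site: 08:00 to 18:59 local time.
BUSINESS_HOURS = range(8, 19)


def parse_flows(text):
    """Parse 'ts src=.. dst=.. bytes=..' lines into dicts."""
    flows = []
    for line in text.splitlines():
        ts, rest = line.split(" ", 1)
        fields = dict(kv.split("=", 1) for kv in rest.split())
        flows.append({"ts": datetime.fromisoformat(ts), "src": fields["src"],
                      "dst": fields["dst"], "bytes": int(fields["bytes"])})
    return flows


def off_hours_spikes(flows, ratio=10.0, min_bytes=50_000_000):
    """Flag off-hours transfers at or above min_bytes that are also at least
    ratio times the host's business-hours median. A host with no business-hours
    history is judged on the absolute floor alone, so new hosts are not ignored."""
    baseline = defaultdict(list)
    for f in flows:
        if f["ts"].hour in BUSINESS_HOURS:
            baseline[f["src"]].append(f["bytes"])
    alerts = []
    for f in flows:
        if f["ts"].hour in BUSINESS_HOURS or f["bytes"] < min_bytes:
            continue
        history = baseline.get(f["src"])
        if not history or f["bytes"] >= ratio * median(history):
            alerts.append((f["src"], f["dst"], f["ts"].isoformat(), f["bytes"]))
    return alerts


if __name__ == "__main__":
    for alert in off_hours_spikes(parse_flows(SAMPLE_FLOWS)):
        print("off-hours transfer spike:", alert)
```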

Mitigation Strategies:

  • User Awareness Training: Teach personnel to recognize phishing and social engineering attempts.
  • File Scanning: Automatically scan attachments for malicious content.
  • Network Segmentation: Limit access to sensitive data to minimize damage from breaches.