A suspected Pakistan-backed hacker group, Transparent Tribe, is reportedly behind a cyber attack campaign dubbed ‘Operation Sidecopy’. The campaign is a coordinated attempt to steal strategic data from critical infrastructure by sending phishing emails that deliver remote access malware, which can escalate its privileges on a compromised system and then steal critical information from it. According to cyber security researchers at Seqrite, the cyber security solutions arm of Quick Heal, the signature tools used in Operation Sidecopy indicate the involvement of Transparent Tribe, a hacker collective based in Pakistan, which Seqrite believes is being backed by China to gather intelligence against India.
Speaking to News18, Himanshu Dubey, director of Quick Heal Security Labs, said that the Operation Sidecopy attacks have been observed continuously since 2019 and are highly targeted at India. “Till now, this attack has been only seen targeting India. The Tactics, Techniques and Procedures (TTPs), as well as decoy documents that we analysed, were crafted specifically in the Indian context,” he says. At the centre of these attacks is data theft: phishing emails carry attachments with convincing file names, sent from convincing email addresses, to trick recipients into opening them. These files are specifically aimed at personnel in the Indian defence forces who have access to highly sensitive information, and hence represent a major threat to national security.
One of the signature traits that Seqrite believes can be traced to Pakistan’s Transparent Tribe is the hosting provider the collective uses for its remote servers. According to researchers Kalpesh Mantri, Pawan Chaudhari and Goutam Tripathy at Seqrite, Operation Sidecopy uses Contabo GmbH to host the remote server through which the malware is commanded and stolen data is received, a provider Transparent Tribe is reported to have used previously as well. The hackers are seemingly developing new and updated malware modules, and deploying these updated variants to fly under the radar of most cyber security layers, which suggests an advanced, targeted campaign against India.
Explaining the Pakistan and China link in the series of cyber attacks observed, Quick Heal’s Dubey says, “We have considered several factors such as the infrastructure used for command servers, registered domain naming patterns and recently created domains, command and control server names that are similar to the names used by APT36 in the past, and APT36’s history of attacks targeting Indian defence organisations. Also, one domain that hosted HTML stager applications is registered to a user in Rawalpindi, Pakistan.” More information about the parameters of the attack can be found in Seqrite's white paper on Operation Sidecopy.
Dubey affirms that all of Seqrite’s findings on Operation Sidecopy have been shared with Indian government officials to help them take appropriate cyber security measures and prevent the loss of critical information. The geopolitical conflict between India and China has seen a considerable rise in cyber attacks in recent times, with China targeting key sectors for data and using mass cyber surveillance to infiltrate public narratives in India. With Pakistani hackers seemingly involved in the process, it is not clear whether the campaign has already caused the loss of significant data for India, or how the threat is being curtailed. Even without Pakistan's involvement, the level of threat remains consistent with China's increased focus on targeting critical sectors in India.