Modern Maritime Pirates: How Hackers Target Cargo Ports

A research team from BlackBerry has uncovered a new campaign by the well-known hacker group SideWinder, which is now using updated infrastructure and techniques to compromise victims. Data analysis revealed that this new malicious operation is targeting ports and maritime facilities in the Indian Ocean and the Mediterranean Sea.

The hackers are using phishing emails featuring logos and themes specific to ports in Pakistan, Egypt, and Sri Lanka, as well as subdomains indicating additional targets in Bangladesh, Myanmar, Nepal, and the Maldives. The goal of these attacks is espionage and intelligence gathering.

SideWinder, also known as Razor Tiger, Rattlesnake, and T-APT-04, has been active since 2012 and is believed by researchers to have direct ties to India. The group has previously attacked military, government, and business entities, focusing on Pakistan, Afghanistan, China, and Nepal.

For their attacks, SideWinder uses targeted phishing, exploitation of Office documents, and DLL sideloading. An intrusion typically begins when the victim downloads and opens a malicious document, one with a low detection rate on VirusTotal, which triggers the next phase of the attack.

The fake documents used in these attacks appear to be legitimate files from official organizations. In one attack, documents mimicked port infrastructure paperwork, including those from the Port of Alexandria in the Mediterranean and the Red Sea Port Authority.

The purpose of these documents is to provoke strong emotions in the victim, such as fear or anxiety, prompting them to open the file immediately. For example, the fake emails included phrases like “employee layoffs” and “salary reductions,” dulling the victim’s suspicion.

Technical analysis showed that SideWinder exploits the CVE-2017-0199 vulnerability in Microsoft Office for the initial system compromise. The malicious documents contain URLs pointing to attacker-controlled sites, from which additional malicious files are downloaded.

The next stage of the attack downloads an RTF file that exploits the CVE-2017-11882 vulnerability and carries shellcode that checks the victim’s system. If the system is suitable, the shellcode decrypts and runs JavaScript code, which downloads the next stage of the attack from a remote server.
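As an added defender-side example (not from the BlackBerry report or this article), the following Python triage script flags the two document traits the chain above relies on: an OLE object linked to an external source that Word refreshes on open (the CVE-2017-0199 pattern) and an embedded Equation Editor 3.0 object (the CVE-2017-11882 pattern), in both RTF and .docx files. The RTF and .docx samples are constructed inside the script and are not SideWinder artefacts; the URL example.invalid is a placeholder.

```python
import io, re, zipfile

def _rtf_objdata(data):
    """Yield decoded \\objdata payloads; RTF stores OLE1 streams as hex text."""
    for m in re.finditer(rb"\\objdata\s*([0-9a-fA-F\s]+)", data):
        try:
            yield bytes.fromhex(re.sub(rb"\s", b"", m.group(1)).decode())
        except ValueError:
            continue

def scan_rtf(data):
    findings = []
    # CVE-2017-0199 pattern: a linked OLE object that Word refreshes on open.
    if re.search(rb"\\objautlink", data) and re.search(rb"\\objupdate", data):
        findings.append("rtf: auto-updating linked OLE object")
    # CVE-2017-11882 pattern: Equation Editor 3.0 object, in \objclass or the hex OLE1 stream.
    blobs = b"".join(_rtf_objdata(data))
    if re.search(rb"\\objclass\s*Equation\.3", data) or b"Equation.3" in blobs:
        findings.append("rtf: Equation.3 object")
    return findings

def scan_docx(data):
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        parts = {n: z.read(n) for n in z.namelist()}
    rels = parts.get("word/_rels/document.xml.rels", b"")
    doc = parts.get("word/document.xml", b"")
    # oleObject relationship with TargetMode="External": the payload is fetched over the network.
    for rel in re.findall(rb"<Relationship\b[^>]*>", rels):
        if b"relationships/oleObject" in rel and b'TargetMode="External"' in rel:
            target = re.search(rb'Target="([^"]*)"', rel).group(1).decode()
            findings.append("docx: external OLE link " + target)
    if re.search(rb'ProgID="Equation\.3"', doc):
        findings.append("docx: Equation.3 object")
    return findings

# Constructed sample RTF: an auto-updating link plus an embedded Equation.3 object.
SAMPLE_RTF = (rb"{\rtf1{\object\objautlink\objupdate{\*\objclass Word.Document.8}{\*\objdata 00}}"
              rb"{\object\objemb{\*\objdata " + b"Equation.3".hex().encode() + rb"}}}")

def build_sample_docx():
    """Constructed .docx skeleton whose oleObject relationship points at an external URL."""
    rels = ('<Relationships><Relationship Id="rId1" Type="http://schemas.openxmlformats.org/'
            'officeDocument/2006/relationships/oleObject" Target="http://example.invalid/x.doc" '
            'TargetMode="External"/></Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/_rels/document.xml.rels", rels)
        z.writestr("word/document.xml", '<w:document><o:OLEObject Type="Link" r:id="rId1"/></w:document>')
    return buf.getvalue()
```

Run `scan_rtf` or `scan_docx` over quarantined attachments; a hit on either pattern in a document received by mail is worth a closer look even when the antivirus verdict is clean.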

Researchers identified domains and IP addresses used for SideWinder’s command-and-control infrastructure, including an old Tor node used to hinder traffic analysis.

Researchers continue to monitor the group’s activities and publish indicators of compromise (IoCs) to help organizations defend against SideWinder attacks. To prevent such attacks, it is recommended to keep security systems up to date, train employees to recognize phishing attempts, and implement advanced email filtering and threat detection solutions.