The BlackBerry Research and Intelligence Team has uncovered a new cyber espionage campaign targeting ports and maritime facilities in the Indian Ocean and the Mediterranean Sea, in countries including Pakistan, Egypt, Sri Lanka, Bangladesh, Myanmar, Nepal, and the Maldives. The threat actor, SideWinder, is believed to be affiliated with India and relies on spear-phishing emails to evade detection and deliver targeted attacks. The lures play on recipients' emotions, exploiting topics such as layoffs and salary cuts to induce them to open the attached files. Once opened, the "decoy file" exploits a known vulnerability (CVE-2017-0199) to contact a malicious domain posing as the Pakistan Ports and Shipping Directorate and retrieve an RTF file. The RTF document in turn downloads a document that exploits another Microsoft Office vulnerability to run the shellcode responsible for launching the JavaScript stage. What the JavaScript malware ultimately delivers is not yet known, although, judging from previous SideWinder campaigns, the goal is likely information gathering.
Cyber attack on Indian Ocean and Mediterranean maritime assets
Type of event:
Cyberattack, Cyberespionage
July 30, 2024