Indian cyber security firm Phronesis likely behind Bitter and Sidewinder APT

In the wake of growing cyber warfare activities, cyber domain has become one of the most conflicting sectors. Every country is preparing for large-scale, nation-backed attacks.

India has also bolstered its cyber game. In doing so, the country has laid down protocols for prevention and audit to secure the critical infrastructures. Moreover, it has also increased its offensive cyber building by promoting private actors and firms offering advanced services.

The research and engineering team of Texas-based cyber security company, Halcyon, released a report recently on Cloudzy,a command-and-control provider (C2P) to advanced persistent threat (APT) groups. The report highlighted Cloudzy’s tie-ups with governmental entities in China, Iran, North Korea, Russia, India, Pakistan, and Vietnam.

Cybersecurity firm Halcyon also details how the internet service provider Cloudzy accepts cryptocurrency in exchange for the anonymous use of technological services used to carry out cyberattacks.

Cloudzy operates as a legitimate business with Twitter and LinkedIn profiles. The company’s CEO, Hannan Nozari, is active on several social media sites but did not respond to requests for comment about the report’s findings. The company claims to be located in the U.S., but according to researchers, is actually based in Tehran, Iran.

Halcyon found a web of government-sponsored APT groups, criminal syndicates, and the commercial spyware vendor,Candiru, all using Cloudzy infrastructure.

They include Chinese government groups like APT10 and Dragon Castling; India’s Sidewinder and Bitter; Iran’s APT34 and APT33; North Korea’s Kimsuky and Konni; Pakistan’s TransparentTribe; Russia’s Nobelium and Turla; and Vietnam’s APT32.

Both SideWinder and Bitter APT have been plaguing governments and enterprises in South Asia and East Asia since 2012.

Chinese cybersecurity company,Antiy, had fully analyzed the samples of the Confucius group’s attacks and found that the hackers shared tools and codes with another APT group, SideWinder.

According to blackberry report,BITTER and CONFUCIUS bear all the hallmarks of government-sponsored resources and targeting priorities. Their operations reveal a mature skillset that fluently interweaves both desktop and mobile malware, as well as infrastructure and delivery methods for each.

The researchers also concluded that Phronesis, an Indian cybersecurity firm founded by former Indian military officers, is likely involved with one or more of the activity sets which include APT groups known as PATCHWORK, CONFUCIUS, URPAGE, HANGOVER, DONOT/EHDEVEL, and SNAKE IN THE GRASS.