Kaspersky researchers have tracked a shift in focus for the infamous advanced persistent threat (APT) group SideWinder toward nuclear power facilities in South Asia, marking a significant escalation in targeted espionage. The threat actor has simultaneously expanded operations across Africa, Southeast Asia and parts of Europe.
Kaspersky’s Global Research and Analysis Team (GReAT) has documented a concerning two-pronged threat from the SideWinder APT group, which now shows a heightened focus on nuclear power plants and energy facilities across South Asia. This nuclear pivot runs parallel to the group’s geographic expansion beyond its conventional arenas.
Active since at least 2012, SideWinder has historically targeted government, military and diplomatic entities. The group has broadened its victim profile to include maritime infrastructure and logistics companies throughout Southeast Asia, while setting fresh sights on nuclear sector targets. Kaspersky researchers noted a spike in attacks aimed at nuclear power agencies that use spear-phishing emails and malicious documents laden with industry-specific terminology.
Tracking SideWinder across 15 countries and three continents, Kaspersky observed numerous attacks in Djibouti before the group shifted focus to Egypt and launched additional operations in Mozambique, Austria, Bulgaria, Cambodia, Indonesia, the Philippines and Vietnam. Diplomatic entities in Afghanistan, Algeria, Rwanda, Saudi Arabia, Türkiye and Uganda have also been targeted, further illustrating SideWinder’s move well beyond South Asia.
“What we’re witnessing is not just a geographic expansion but a strategic evolution in SideWinder’s capabilities and ambitions,” said Vasily Berdnikov, lead security researcher at Kaspersky’s GReAT. “They can deploy updated malware variants with remarkable speed after detection, which transforms the threat landscape from reactive to nearly real-time combat.”
Despite relying on an older Microsoft Office vulnerability (CVE-2017-11882), SideWinder leverages rapid modifications to its toolset to evade detection. In targeting nuclear infrastructure, the group crafts convincing spear-phishing emails that appear to concern regulatory or plant-specific matters. Once opened, these documents initiate an exploitation chain that can grant attackers access to nuclear facilities’ operational data, research projects and personnel details.
Kaspersky protects organizations from such attacks through multiple security layers, including vulnerability management solutions, early-stage attack prevention, real-time threat detection with automated response and continuously updated detection rules aligned with SideWinder’s evolving malware.
The full technical analysis of SideWinder's latest operations is available on Securelist.com.
To help organizations protect their critical infrastructure against sophisticated targeted attacks, Kaspersky security experts recommend the following measures:
- Implement comprehensive patch management. Kaspersky Vulnerability Assessment and Patch Management provides automated vulnerability detection and patch distribution to eliminate security gaps in your infrastructure.
- Deploy multi-layered security solutions with real-time threat detection capabilities. Kaspersky Next XDR Expert aggregates and correlates data from multiple sources using machine-learning technologies for effective threat detection and automated response to sophisticated attacks.
- Conduct regular cybersecurity awareness training for employees, with a special focus on recognizing sophisticated spear-phishing attempts.
About the Global Research & Analysis Team
Established in 2008, the Global Research & Analysis Team (GReAT) operates at the very heart of Kaspersky, uncovering APTs, cyber-espionage campaigns, major malware, ransomware and underground cyber-criminal trends across the world. Today GReAT consists of 35+ experts working globally – in Europe, Russia, Latin America, Asia and the Middle East. Talented security professionals provide company leadership in anti-malware research and innovation, bringing unrivaled expertise, passion and curiosity to the discovery and analysis of cyberthreats.