Thursday April 24, 2025

Advisory ID: NCC-CSIRT-2025-003

Summary:

The Nigerian Communications Commission’s Computer Security Incident Response Team (NCC-CSIRT) wishes to inform critical stakeholders and constituents across the telecommunications, maritime, logistics, financial, and public sectors of an escalating cyber threat posed by the SideWinder Advanced Persistent Threat (APT) group, also known as T-APT-04 or RattleSnake, a sophisticated cyber espionage group operating primarily from the Indian subcontinent.

Damage/Probability: CRITICAL/HIGH

Platform(s): Microsoft Office documents and XML files

Description: 

SideWinder employs spear-phishing as its primary attack vector, delivering malicious Microsoft Office documents and Open XML (Extensible Markup Language) files that embed exploit code. One known exploit targets the memory corruption vulnerability in Microsoft Office’s Equation Editor component (CVE-2017-11882).

Their malicious toolkit includes:

  • StealerBot – used for credential theft and sensitive data exfiltration.
  • Advanced Remote Access Trojans (RATs) – enabling persistent backdoor access to victim systems.
  • Command-and-Control (C2) Infrastructure – often hidden via encrypted tunnels and obfuscated traffic.

Consequences:

  • Compromise of sensitive data and classified government information.

  • Disruption of maritime logistics and operational technologies.

  • Threats to national critical infrastructure, including telecommunications and banking networks.

  • Long-term surveillance and unauthorized network access.

Solution:

To mitigate the identified threat, the following steps are recommended:

  • Immediately apply security updates to Microsoft Office applications, particularly to mitigate CVE-2017-11882 and other known vulnerabilities.

  • Use the latest supported versions of all software applications.

  • Deploy advanced email security gateways with attachment and link scanning capabilities.

  • Enable attachment sandboxing and disable automatic execution of macros.

  • Conduct regular employee awareness sessions on phishing identification and reporting procedures.

  • Encourage verification of suspicious emails, especially those requesting credentials or urging urgency.

  • Employ Endpoint Detection and Response (EDR) tools capable of detecting malware signatures associated with StealerBot and RATs.

  • Enable logging and continuous monitoring of endpoint activities.

  • Segment critical networks from general-purpose IT environments.

  • Enforce least-privilege access policies and implement multifactor authentication (MFA).

  • Review and update documented procedures and workflows used during cybersecurity incident response.

  • Ensure rapid communication channels with NCC-CSIRT for threat reporting and coordination.

  • Proactively monitor for Indicators of Compromise (IoCs) associated with SideWinder campaigns.
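As an added detection example (not part of this advisory or any NCC-CSIRT tooling), the script below inspects an Office Open XML attachment for an embedded Equation Editor object, the component abused by CVE-2017-11882. It relies on two format details assumed from the OOXML specification rather than from this page: Word records such objects with ProgID="Equation.3" in document.xml and stores the OLE payload under word/embeddings/oleObjectN.bin. The sample archives are constructed in-memory and contain no exploit code.

```python
import io
import re
import zipfile

# Assumed OOXML indicators of an embedded Equation Editor object:
# the ProgID recorded in the document XML and the OLE part path.
EQUATION_PROGID = re.compile(rb'ProgID="Equation\.3"')
OLE_PART = re.compile(r"^word/embeddings/oleObject\d+\.bin$")


def scan_ooxml(data: bytes) -> dict:
    """Report Equation Editor indicators found in an OOXML archive.

    Legacy binary formats (.doc, .rtf) are not ZIP-based and are flagged
    as 'not_ooxml' so the caller can route them to a different scanner.
    """
    findings = {"not_ooxml": False, "equation_progid": False, "ole_parts": []}
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        findings["not_ooxml"] = True
        return findings
    with archive as zf:
        for name in zf.namelist():
            if OLE_PART.match(name):
                findings["ole_parts"].append(name)
            elif name.endswith(".xml") and EQUATION_PROGID.search(zf.read(name)):
                findings["equation_progid"] = True
    return findings


def is_suspicious(findings: dict) -> bool:
    """Either indicator alone is enough to quarantine the attachment for review."""
    return findings["equation_progid"] or bool(findings["ole_parts"])


def build_sample_docx(with_equation: bool) -> bytes:
    """Constructed minimal DOCX-like archive for demonstration only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        body = "<w:document><w:body><w:p/></w:body></w:document>"
        if with_equation:
            body = ('<w:document><w:body><w:p><w:object>'
                    '<o:OLEObject Type="Embed" ProgID="Equation.3" r:id="rId5"/>'
                    '</w:object></w:p></w:body></w:document>')
            zf.writestr("word/embeddings/oleObject1.bin", b"\x00" * 16)  # inert placeholder
        zf.writestr("word/document.xml", body)
    return buf.getvalue()
```

A positive hit is a triage signal, not proof of exploitation: legitimate legacy documents can still carry Equation.3 objects, so route flagged files to sandbox detonation rather than blocking on this check alone.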

References: