South Asian Port Authority (unspecified)

The South Asian Port Authority fell victim to a targeted cyber espionage campaign by the Sidewinder APT group, which used spear-phishing emails disguised as maritime safety protocols. Employees opened malicious decoy documents that exploited two Microsoft Office vulnerabilities: CVE-2017-0199, in which an OLE link inside the document fetches and runs remote content when the file is opened, and CVE-2017-11882, a stack buffer overflow in the legacy Equation Editor component (EQNEDT32.EXE). Either path gives the attacker arbitrary code execution in the context of the user, and it was used here to deploy backdoor tools for persistent network access.

The breach resulted in unauthorized network infiltration with potential data compromise, though the exact scope of exfiltrated information (operational logistics, employee records, or sensitive maritime data) remains undisclosed. Given the group's history of espionage, the attack most likely aimed at strategic intelligence gathering, with disruption of port operations or follow-on supply-chain attacks as secondary possibilities. The successful exploitation of two vulnerabilities that Microsoft patched in 2017 points to weak patch management, and the phishing success indicates insufficient employee security awareness.

While no immediate operational shutdowns or public safety threats were reported, the incident poses long-term risks to regional maritime security, trade integrity, and geopolitical stability, particularly if the stolen data includes cargo manifests, defense logistics, or critical infrastructure details. The attack underscores the exposure of port authorities as high-value targets for state-sponsored cyber operations.
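
A triage script for the two document-exploit patterns named above, as an added example that is not part of this page or the cited report and is not Sidewinder's tooling: it decodes RTF `\*\objdata` blobs and OOXML relationship files and flags the Equation Editor CLSID and class name (CVE-2017-11882) and URL-moniker or external oleObject/attachedTemplate links (CVE-2017-0199). The sample documents, the hostname update.example.invalid and the file names are constructed; no exploit bytes are included.

```python
"""Heuristic triage for CVE-2017-11882 (Equation Editor, EQNEDT32.EXE) and
CVE-2017-0199 (OLE link / URL moniker fetching remote content on open).
Example code added to this page; not Sidewinder tooling and not the port
authority's detection stack. All sample documents below are constructed."""
from __future__ import annotations
import io
import re
import zipfile

# On-disk (little-endian) form of the two COM CLSIDs seen in these exploits.
EQUATION_CLSID = bytes.fromhex("02ce020000000000c000000000000046")    # {0002CE02-0000-0000-C000-000000000046}
URL_MONIKER_CLSID = bytes.fromhex("e0c9ea79f9bace118c8200aa004ba90b")  # {79EAC9E0-BAF9-11CE-8C82-00AA004BA90B}

_OBJDATA = re.compile(rb"\\\*\\objdata\s*([0-9A-Fa-f\s]+)")
_EXTERNAL_REL = re.compile(rb'<Relationship\b[^>]*TargetMode="External"[^>]*/?>', re.IGNORECASE)
_REL_TYPE = re.compile(rb'Type="[^"]*/(oleObject|attachedTemplate)"')
_TARGET = re.compile(rb'Target="([^"]+)"')


def decode_objdata(rtf: bytes) -> list[bytes]:
    """Decode every \\*\\objdata hex blob in an RTF file into raw OLE bytes."""
    blobs = []
    for m in _OBJDATA.finditer(rtf):
        hexdata = re.sub(rb"\s+", b"", m.group(1))
        hexdata = hexdata[: len(hexdata) // 2 * 2]  # drop a dangling nibble
        if hexdata:
            blobs.append(bytes.fromhex(hexdata.decode("ascii")))
    return blobs


def scan_rtf(rtf: bytes) -> list[str]:
    """Flag Equation Editor objects and auto-updating URL-moniker links in RTF."""
    findings = []
    if re.search(rb"\\objclass\s+Equation\.3", rtf, re.IGNORECASE):
        findings.append("CVE-2017-11882: embedded OLE object declares class Equation.3")
    if b"\\objupdate" in rtf or b"\\objautlink" in rtf:
        findings.append("CVE-2017-0199: \\objupdate/\\objautlink refreshes the OLE link on open")
    for blob in decode_objdata(rtf):
        if EQUATION_CLSID in blob or b"Equation Native" in blob or b"Equation.3" in blob:
            findings.append("CVE-2017-11882: objdata carries an Equation Editor (EQNEDT32) object")
        if URL_MONIKER_CLSID in blob:
            url = re.search(rb"https?://[^\x00\s]+", blob)
            target = url.group(0).decode("latin-1") if url else "<unreadable>"
            findings.append(f"CVE-2017-0199: objdata carries a URL moniker to {target}")
    return findings


def scan_ooxml(docx: bytes) -> list[str]:
    """Flag external oleObject/attachedTemplate relationships and embedded EQNEDT objects."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx)) as zf:
        for name in zf.namelist():
            data = zf.read(name)
            if name.endswith(".rels"):
                for rel in _EXTERNAL_REL.finditer(data):
                    kind, target = _REL_TYPE.search(rel.group(0)), _TARGET.search(rel.group(0))
                    if kind and target and target.group(1).lower().startswith((b"http://", b"https://")):
                        findings.append(f"CVE-2017-0199: {name} links {kind.group(1).decode()} "
                                        f"to external {target.group(1).decode()}")
            elif name.startswith("word/embeddings/") and (EQUATION_CLSID in data or b"Equation Native" in data):
                findings.append(f"CVE-2017-11882: {name} is an Equation Editor object")
    return findings


def scan_document(data: bytes) -> list[str]:
    """Dispatch on magic bytes: RTF starts with '{\\rt', OOXML is a zip ('PK')."""
    if data.lstrip().startswith(b"{\\rt"):
        return scan_rtf(data)
    if data.startswith(b"PK"):
        return scan_ooxml(data)
    return []


# --- constructed samples: hypothetical hostnames, no real exploit bytes ---
def _rtf_object(control_words: bytes, ole_bytes: bytes) -> bytes:
    return b"{\\rtf1{\\object" + control_words + b"{\\*\\objdata " + ole_bytes.hex().encode() + b"}}}"


def _docx(rels: bytes) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()


SAMPLE_RTF_EQNEDT = _rtf_object(b"\\objemb{\\*\\objclass Equation.3}",
                                b"\x01\x05\x00\x00Equation.3\x00" + EQUATION_CLSID + b"Equation Native")
SAMPLE_RTF_MONIKER = _rtf_object(b"\\objautlink\\objupdate",
                                 b"\x01\x05\x00\x00" + URL_MONIKER_CLSID + b"http://update.example.invalid/protocol.hta\x00")
SAMPLE_DOCX_REMOTE_OLE = _docx(b'<Relationships><Relationship Id="rId5" '
                               b'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" '
                               b'Target="http://update.example.invalid/safety-protocol.doc" TargetMode="External"/></Relationships>')
SAMPLE_DOCX_BENIGN = _docx(b'<Relationships><Relationship Id="rId1" '
                           b'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" '
                           b'Target="styles.xml"/></Relationships>')

if __name__ == "__main__":
    for label, doc in [("rtf-eqnedt", SAMPLE_RTF_EQNEDT), ("rtf-moniker", SAMPLE_RTF_MONIKER),
                       ("docx-remote-ole", SAMPLE_DOCX_REMOTE_OLE), ("docx-benign", SAMPLE_DOCX_BENIGN)]:
        print(label, scan_document(doc) or ["no indicators"])
```

The checks are deliberately plain string and regex matches over the decoded object data. Real-world RTF lures pad and obfuscate the hex and split control words, so for production triage run oletools' rtfobj and oleid over the file as well, and treat any Equation.3 object arriving by mail as block-worthy: Microsoft removed the Equation Editor from Office in January 2018, so no legitimate new document should embed one.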

Source: https://securelist.com/sidewinder-apt-updates-its-toolset-and-targets-nuclear-sector/115847/

TPRM report: https://www.rankiteo.com/company/port-qasim-authority

"id": "por411092125",
"linkid": "port-qasim-authority",
"type": "Cyber Attack",
"date": "6/2017",
"severity": "100",
"impact": "6",
"explanation": "Attack threatening the economy of geographical region"
{'affected_entities': [{'industry': 'maritime/transportation',
                        'location': 'South Asia',
                        'name': 'Unnamed South Asian Port Authority',
                        'type': 'government agency'}],
 'attack_vector': ['spear-phishing',
                   'exploitation of vulnerabilities (CVE-2017-0199, '
                   'CVE-2017-11882)',
                   'malicious documents (decoy)',
                   'backdoor deployment'],
 'data_breach': {'data_exfiltration': True},
 'description': 'The Sidewinder APT intensified its cyber espionage operations '
                'in 2024 by targeting maritime facilities across multiple '
                'regions. A South Asian port authority was compromised via '
                'phishing emails containing counterfeit maritime safety '
                'protocols, leading to unauthorized network access and '
                'potential data compromise. The spear-phishing campaign used '
                'malicious decoy documents exploiting CVE-2017-0199 (OLE link '
                'handling in Microsoft Office) and CVE-2017-11882 (Microsoft '
                'Office Equation Editor buffer overflow) to deploy backdoor tools.',
 'impact': {'data_compromised': True,
            'systems_affected': ['network systems',
                                 'potentially operational systems']},
 'initial_access_broker': {'backdoors_established': True,
                           'entry_point': ['phishing emails (counterfeit '
                                           'maritime safety protocols)',
                                           'malicious documents (Microsoft '
                                           'Office OLE link and Equation '
                                           'Editor exploitation)'],
                           'high_value_targets': ['maritime facilities',
                                                  'port authority networks']},
 'motivation': ['cyber espionage',
                'data exfiltration',
                'intelligence gathering'],
 'post_incident_analysis': {'root_causes': ['successful spear-phishing '
                                            'campaign',
                                            'exploitation of unpatched '
                                            'vulnerabilities (CVE-2017-0199, '
                                            'CVE-2017-11882)',
                                            'lack of user awareness for decoy '
                                            'documents']},
 'threat_actor': 'Sidewinder APT',
 'title': 'Sidewinder APT Cyber Espionage Campaign Targeting Maritime '
          'Facilities (2024)',
 'type': ['cyber espionage', 'unauthorized access', 'data compromise'],
 'vulnerability_exploited': ['CVE-2017-0199', 'CVE-2017-11882']}