Tuesday, 11 March 2025: Kaspersky researchers have tracked a shift in focus for the infamous advanced persistent threat (APT) group SideWinder toward nuclear power facilities in South Asia. This signals a significant escalation in targeted espionage. The threat actor has simultaneously expanded operations across Africa, Southeast Asia and parts of Europe.
Kaspersky's Global Research and Analysis Team (GReAT) has documented a concerning two-pronged threat from the SideWinder APT group, which now shows a heightened focus on nuclear power plants and energy facilities across South Asia. This nuclear pivot runs parallel to the group's geographic expansion beyond its conventional arenas.
Active since at least 2012, SideWinder has historically targeted government, military and diplomatic entities. The group has broadened its victim profile to include maritime infrastructure and logistics companies throughout Southeast Asia, while setting fresh sights on nuclear sector targets. Kaspersky researchers noted a spike in attacks on nuclear power agencies, delivered through spear-phishing emails and malicious documents laden with industry-specific terminology.
Tracking SideWinder across 15 countries and three continents, Kaspersky observed numerous attacks in Djibouti before the group shifted focus to Egypt and launched additional operations in Mozambique, Austria, Bulgaria, Cambodia, Indonesia, the Philippines and Vietnam. Diplomatic entities in Afghanistan, Algeria, Rwanda, Saudi Arabia, Türkiye and Uganda have also been targeted, further illustrating SideWinder's move well beyond South Asia.
"What we're witnessing is not just a geographic expansion but a strategic evolution in SideWinder's capabilities and ambitions," said Vasily Berdnikov, lead security researcher at Kaspersky's GReAT. "They can deploy updated malware variants with remarkable speed after detection, which transforms the threat landscape from reactive to nearly real-time combat."
SideWinder still relies on an old, long-patched Microsoft Office vulnerability (CVE-2017-11882, a memory-corruption flaw in the Equation Editor component fixed in November 2017), and compensates for the age of the exploit by rapidly modifying the tooling it delivers once a sample is detected. In targeting nuclear infrastructure, the group crafts convincing spear-phishing emails that appear to concern regulatory or plant-specific matters. Once opened on an unpatched host, these documents initiate an exploitation chain that can grant attackers access to nuclear facilities' operational data, research projects and personnel details.
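The detection a defender would want for the exploitation chain described above, as an added example that is neither Kaspersky's code nor taken from the Securelist report: CVE-2017-11882 lives in the Equation Editor component (EQNEDT32.EXE), which Office launches out-of-process through DCOM, so the durable endpoint signal is EQNEDT32.EXE appearing as the parent of another process; the document-side heuristic looks for the Equation.3 OLE class markers (ProgID, hex-encoded class name, CLSID bytes) in an RTF lure. Field names follow Sysmon Event ID 1; all sample telemetry, file names and RTF fragments below are constructed for the example, not indicators from the report.

```python
"""Triage heuristics for Equation Editor (CVE-2017-11882) abuse: one over
process-creation telemetry, one over an RTF lure. Added example; field names
follow Sysmon Event ID 1 and all sample data below is constructed."""
import json
import re

# Equation Editor runs out-of-process via DCOM (its parent is normally
# svchost.exe), so the durable signal is EQNEDT32.EXE acting as a *parent*:
# rendering an equation never legitimately spawns cmd, PowerShell, mshta, etc.
EQNEDT_IMAGE = "eqnedt32.exe"

# Static markers of an embedded Equation.3 OLE object in RTF: the ProgID in
# \objclass, the hex-encoded class name inside the OLE1 header of \objdata,
# and the Equation.3 CLSID {0002CE02-0000-0000-C000-000000000046} as the
# little-endian bytes stored in the embedded compound file.
EQUATION_MARKERS = [
    re.compile(rb"\\objclass\s*equation\.3", re.IGNORECASE),
    re.compile(rb"4571756174696f6e2e33", re.IGNORECASE),             # "Equation.3"
    re.compile(rb"02ce020000000000c000000000000046", re.IGNORECASE),  # CLSID
]


def basename(path):
    """Last component of a Windows path, lower-cased for comparison."""
    return path.rsplit("\\", 1)[-1].lower()


def flag_eqnedt_children(events):
    """Return (image, command line) for every event whose parent is EQNEDT32.EXE."""
    return [
        (ev.get("Image", ""), ev.get("CommandLine", ""))
        for ev in events
        if basename(ev.get("ParentImage", "")) == EQNEDT_IMAGE
    ]


def scan_process_log(jsonl_text):
    """Parse JSON-lines process telemetry and apply flag_eqnedt_children."""
    events = [json.loads(line) for line in jsonl_text.splitlines() if line.strip()]
    return flag_eqnedt_children(events)


def rtf_has_equation_object(data):
    """True if the RTF bytes carry any marker of an Equation.3 object.

    Lures commonly break control words and \\objdata hex across whitespace
    and newlines, so whitespace is stripped before matching. Obfuscated
    builders can still evade this; treat a hit as a triage lead, not a verdict.
    """
    compact = re.sub(rb"\s+", b"", data)
    return any(p.search(compact) for p in EQUATION_MARKERS)


# Constructed sample telemetry (three Sysmon-style events; not from the report).
EQNEDT_PATH = r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    {"Image": EQNEDT_PATH, "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": '"EQNEDT32.EXE" -Embedding'},
    {"Image": r"C:\Windows\System32\cmd.exe", "ParentImage": EQNEDT_PATH,
     "CommandLine": r"cmd.exe /c %TEMP%\stage.exe"},  # hypothetical payload name
    {"Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"WINWORD.EXE" C:\Users\user\Downloads\sample.docx'},
])

# Constructed RTF fragments: one with an Equation.3 object header split across
# lines (OLE1 header: version 0x501, embedded, class name "Equation.3\0"), one benign.
SAMPLE_RTF = (b"{\\rtf1{\\object\\objemb{\\*\\objclass Equa\ntion.3}"
              b"{\\*\\objdata 01050000020000000b000000\n4571756174696f6e2e3300}}}")
BENIGN_RTF = b"{\\rtf1\\ansi{\\fonttbl{\\f0 Arial;}}\\f0 Quarterly safety review.\\par}"

if __name__ == "__main__":
    for image, cmd in scan_process_log(SAMPLE_LOG):
        print(f"ALERT: EQNEDT32.EXE spawned {image}: {cmd}")
    print("Sample RTF has Equation object:", rtf_has_equation_object(SAMPLE_RTF))
    print("Benign RTF has Equation object:", rtf_has_equation_object(BENIGN_RTF))
```

Two caveats when operationalising this. Microsoft removed the Equation Editor component from Office in its January 2018 updates, so on a fully patched estate EQNEDT32.EXE should never appear in process telemetry at all, and any sighting (parent or child) is worth a look. The static RTF check is the weaker of the two: exploit builders pad, split and re-encode the object headers, so pair it with the behavioural rule rather than relying on it alone.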
Kaspersky protects organisations from such attacks through multiple security layers, including vulnerability management solutions, early-stage attack prevention, real-time threat detection with automated response and continuously updated detection rules aligned with SideWinder's evolving malware.
The full technical analysis of SideWinder's latest operations is available on Securelist.com.
To help organisations protect their critical infrastructure against sophisticated targeted attacks, Kaspersky recommends the following measures:
- Implement comprehensive patch management. Kaspersky Vulnerability Assessment and Patch Management provides automated vulnerability detection and patch distribution to eliminate security gaps in your infrastructure.
- Deploy multi-layered security solutions with real-time threat detection capabilities. Kaspersky Next XDR Expert aggregates and correlates data from multiple sources using machine-learning technologies for effective threat detection and automated response to sophisticated attacks.
- Conduct regular cybersecurity awareness training for employees, with a special focus on recognising sophisticated spear-phishing attempts.