
How Pakistani APT SideCopy Phished Indian Government Employees, A Case Study

A breakdown of the SideCopy APT phishing campaign that targeted India's National Investigation Agency, with a focus on the bait, the landing page, and the defensive lessons for any government adjacent organisation.

Nikhil Srivastava · April 1, 2026 · 7 min read

How Pakistani APT SideCopy Phished Indian Government Employees: Lessons and Defense Strategies

Phishing is the technique that nation state operators reach for first, not last. It is cheap, it scales, and it targets the layer of any organisation that cannot be patched: the human reading the email. Indian government agencies have been a sustained target of this technique for years, and the APT group SideCopy has been one of the more persistent operators in the region.

This case study breaks down the SideCopy phishing campaign that targeted India's National Investigation Agency (NIA), the social engineering decisions inside the bait, and the defenses that would have broken the chain.

TL;DR

  1. SideCopy is a Pakistan aligned APT active since 2019, focused on Indian government and defense.
  2. The NIA campaign used a court martial themed lure to drive credential capture from a cloned Ministry of Defence portal.
  3. The attack succeeded because the bait was timely, the landing page was a near pixel match, and there was no enforced out of band verification.
  4. Defenses that would have broken the chain: DMARC at p=reject, FIDO2 MFA, and a single sentence rule against entering credentials on any link arrived by email.

Who is SideCopy

SideCopy is a Pakistan aligned advanced persistent threat group, active publicly since 2019. The group is known for espionage operations against South Asian targets, with a heavy focus on Indian government, defense, and critical infrastructure. Their tradecraft borrows from another regional APT, but the group has built its own implant family over time, including custom remote access trojans such as Action RAT and AllaKore RAT variants.

Their preferred initial access vector is phishing, almost always delivered as a themed lure that matches the target's job context. The implants land on click, the operators stay quiet for weeks, and the exfiltration is patient.

The NIA campaign, walked through

The bait

The phishing email was crafted to appear to come from the Ministry of Defence and was sent to government officials whose duties touch court martial proceedings. Three details made the lure credible:

  1. Sender alignment. The address spoofed a legitimate looking Ministry domain. Without a strict DMARC posture on the impersonated domain, the spoof passed standard checks.
  2. Subject line. "Important Notification Regarding Court Martial Proceedings" matched the language and tone of authentic Ministry communications.
  3. Emotional hook. The body claimed that a "Comprehensive Guide for Officers Undergoing Court Martial Proceedings" had been published, and that recipients were on a list of personnel whose status required verification. The implication that the recipient might be on a court martial list, even by error, is enough to drive a click in seconds.

The landing page

Clicking the verification link routed the recipient to a near pixel match clone of the Ministry of Defence portal. Three details mattered:

  1. The visual design was authentic enough that a busy officer scanning the page would not pause.
  2. The download button surfaced a file with a professional name that fit the theme.
  3. Triggering the download surfaced a credential prompt, which is where the actual capture happened.

The credential capture page also harvested second factor codes from any victim who entered them, which is exactly why basic OTP based MFA does not stop this attack class.

The post compromise stage

Once captured, credentials were used for further reconnaissance and lateral movement inside the agency network. Operators paired the credential access with social engineering follow ups (phone calls, further emails) to deepen access.

Why the chain held

Three failures, in order of impact:

  1. No enforced DMARC across the impersonated domain. A strict policy would have made the spoofed sender land in the spam folder or be rejected outright.
  2. OTP based second factor. OTPs are phishable in real time using AiTM proxies, and the attack we observed harvested them on the same page.
  3. No "never enter credentials on a link from email" rule. If officers had been trained that a credential prompt arriving from a link in an email is, by policy, a phishing attempt, the click would have been the limit of the damage.

Defenses that would have broken the chain

Email side

  1. DMARC at p=reject on every owned and adjacent domain, with strict alignment. This is the single highest leverage email control. Free to deploy if your mail platform is modern.
  2. Inbound impersonation detection that flags external mail with display names matching internal executives or impersonated authority figures. Most modern mail security stacks do this.
  3. Banner injection for any external email, especially those mentioning urgency, money, credentials, or compliance.
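The alignment check is what makes DMARC bite: a spoofed message can pass SPF for the attacker's own envelope sender while the visible From domain is the impersonated one. The evaluator below, an added illustration rather than anything from the post or from SideCopy's tooling, applies a DMARC record's policy and alignment mode to constructed authentication results; all domains are placeholders and the organisational-domain derivation is simplified.

```python
"""DMARC disposition with strict vs relaxed identifier alignment.
Added example, not part of the original post; domains are constructed placeholders."""
from dataclasses import dataclass

def org_domain(domain: str) -> str:
    # Simplified organisational domain: last two labels. Real receivers consult
    # the public suffix list; this shortcut is an assumption made for brevity.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

@dataclass
class AuthResults:
    from_domain: str   # RFC5322.From domain, the one the recipient sees
    spf_result: str    # "pass", "fail" or "none"
    spf_domain: str    # RFC5321.MailFrom domain SPF was evaluated against
    dkim_result: str
    dkim_domain: str   # d= tag of the DKIM signature, "" if unsigned

def aligned(header_domain: str, auth_domain: str, strict: bool) -> bool:
    if not auth_domain:
        return False
    if strict:
        return header_domain.lower() == auth_domain.lower()
    return org_domain(header_domain) == org_domain(auth_domain)

def dmarc_disposition(r: AuthResults, p: str = "reject", adkim: str = "s", aspf: str = "s") -> str:
    """Apply a record 'v=DMARC1; p=<p>; adkim=<adkim>; aspf=<aspf>' to the results.
    DMARC passes only if SPF or DKIM passed AND that identifier aligns with the
    visible From domain; otherwise the published policy p decides."""
    spf_ok = r.spf_result == "pass" and aligned(r.from_domain, r.spf_domain, aspf == "s")
    dkim_ok = r.dkim_result == "pass" and aligned(r.from_domain, r.dkim_domain, adkim == "s")
    if spf_ok or dkim_ok:
        return "pass"
    return {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}[p]

# Constructed: a spoof of the impersonated ministry domain. The sending
# infrastructure passes SPF for its own envelope sender, so a receiver that
# checks SPF alone sees "pass"; only alignment against From exposes it.
SPOOF = AuthResults(from_domain="ministry.example", spf_result="pass",
                    spf_domain="bulk-sender.invalid", dkim_result="none", dkim_domain="")

# Constructed: a legitimate message from a ministry subdomain, bounced via a
# different subdomain and signed with the parent domain's DKIM key.
# Relaxed alignment accepts it; strict alignment rejects it, which is the
# operational cost of "strict" that the sending teams must plan for.
SUBDOMAIN = AuthResults(from_domain="notices.ministry.example", spf_result="pass",
                        spf_domain="bounce.ministry.example", dkim_result="pass",
                        dkim_domain="ministry.example")
```

With `p=none` the spoof is still delivered, which is why monitoring-only DMARC gives no protection against this lure; `p=reject` is what changes the outcome.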

Identity side

  1. Phishing resistant MFA (FIDO2 / WebAuthn) for any account with access to sensitive data. Push and SMS factors are not enough against AiTM proxies.
  2. Short lived tokens and conditional access that limit what a stolen session can do.

Human side

  1. A single, clear, written rule that staff never enter credentials into any page reached by clicking an email link. If the page is genuine, the user can navigate to it through a bookmark or by typing the address.
  2. Phishing simulations using current adversary tradecraft, including themed lures relevant to the user's role. Generic simulations train people to recognise generic phish, which is not what they are receiving.

Detection and response

  1. Visibility into login origin and device hygiene. A login from an unfamiliar IP block, on an unmanaged device, immediately following an email click should be a high priority alert.
  2. A clear playbook for credential exposure that includes session revocation, forced rotation, and a forensic look at what the account did in the window before the alert.
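The "login shortly after an email click, from an unfamiliar network or an unmanaged device" pattern from point 1 can be expressed as a straightforward correlation between mail gateway click events and identity provider sign-ins. The script below is an added example, not from the post or any vendor; the events, the "familiar" address blocks and the field names are all constructed.

```python
"""Correlate mail-gateway URL clicks with IdP sign-ins to flag logins that
follow an email click from an unfamiliar network or unmanaged device.
Added example, not from the post; every event and network below is constructed."""
import ipaddress
from datetime import datetime, timedelta

# Constructed: address blocks the organisation treats as familiar (assumption).
KNOWN_NETWORKS = [ipaddress.ip_network(n) for n in ("10.20.0.0/16", "203.0.113.0/24")]

# Constructed sample events, shaped like a mail gateway and IdP export.
CLICKS = [
    {"ts": "2026-03-02T09:14:05", "user": "officer.a", "url": "https://mod-portal.example/verify"},
    {"ts": "2026-03-02T09:20:41", "user": "officer.b", "url": "https://intranet.example/policy"},
]
LOGINS = [
    {"ts": "2026-03-02T09:16:30", "user": "officer.a", "ip": "198.51.100.77", "managed": False, "result": "success"},
    {"ts": "2026-03-02T09:21:10", "user": "officer.b", "ip": "10.20.4.9", "managed": True, "result": "success"},
    {"ts": "2026-03-02T11:00:00", "user": "officer.a", "ip": "198.51.100.77", "managed": False, "result": "success"},
]

def is_known(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in KNOWN_NETWORKS)

def correlate(clicks, logins, window=timedelta(minutes=10)):
    """Pair each click with successful logins by the same user inside `window`.
    Severity: high when both risk signals (unfamiliar IP, unmanaged device) are
    present, medium for one, low for none (kept so analysts can tune the window)."""
    alerts = []
    for c in clicks:
        t0 = datetime.fromisoformat(c["ts"])
        for l in logins:
            if l["user"] != c["user"] or l["result"] != "success":
                continue
            t1 = datetime.fromisoformat(l["ts"])
            if not (t0 <= t1 <= t0 + window):
                continue
            signals = []
            if not is_known(l["ip"]):
                signals.append("unfamiliar_ip")
            if not l["managed"]:
                signals.append("unmanaged_device")
            severity = {2: "high", 1: "medium", 0: "low"}[len(signals)]
            alerts.append({"user": c["user"], "url": c["url"], "login_ip": l["ip"],
                           "delay_s": int((t1 - t0).total_seconds()),
                           "signals": signals, "severity": severity})
    return alerts

if __name__ == "__main__":
    for a in correlate(CLICKS, LOGINS):
        print(a)
```

On the constructed data, officer.a's sign-in 145 seconds after the click, from an unknown block on an unmanaged device, is the high severity alert; the same user's 11:00 login falls outside the window and is not paired.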

What this campaign teaches

Three lessons travel from this case study to almost any organisation, government or otherwise.

  1. The attacker is patient. The defender has to be patient too. SideCopy spent time researching the NIA's organisational context, the language of court martial proceedings, the visual identity of the impersonated portal. A defender who runs a six month phishing awareness program once a year is not engaged in the same time horizon as the adversary.

  2. The bait succeeds because of relevance, not sophistication. There is nothing technically advanced about this email. The advanced part is that the operators understood their target audience and built a plausible reason to click. Defense must treat every role with public visibility (executives, finance, communications) as a high value target by default.

  3. Identity is the new perimeter. The chain in this case ran from email to a credential prompt to authenticated access in less than five minutes. Anything you cannot do in those five minutes, you cannot do at all. That is why phishing resistant MFA, conditional access, and short lived tokens are the controls that move the needle.

Closing note

The NIA campaign is one example of a pattern that is now permanent. Indian government adjacent organisations should expect themed phishing operations from Pakistan aligned APTs to continue, evolve, and increasingly use AI to scale.

If you run an organisation in this threat surface and want to test your team against the same kind of operation under controlled conditions, we offer end to end phishing exercises as part of red team programs. Request a briefing.
