
GOVERNMENT OF PAKISTAN
CABINET SECRETARIAT
CABINET DIVISION (NTISB)
No. 1-5/2003 (NTISB-II)
Islamabad, the 24th August, 2023
Subject: Cyber Security Advisory - Patchwork APT Group (Advisory No. 49)

Context. Advanced Persistent Threat (APT) groups are anonymous threat actors attacking the Cyber/IT infrastructure of other states to gain unauthorized access/ingress while remaining undetected for an extended period of time. Usually these groups (e.g. [...], Bitter, DoNot etc.) are Indian state sponsored and often target Pakistan's Military and IT setups. Recently, Patchwork (an Indian APT group) has actively targeted [...] and Pakistan State Institutions for data exfiltration. In this regard, the group's profile, indicators of compromise (IoCs) and preventive measures are given below.
2. PatchWork Indian APT Group. PatchWork (also known under other aliases, including [...] Elephant) is an Indian APT group present in Cyberspace since 2015. The group came into the limelight in 2017 when various cyber security firms/researchers identified its modus operandi and nefarious operations.

Modus Operandi. Patchwork primarily targets [...] regional [...] and uses spear phishing emails, whaling, social engineering and [...] techniques (crafted malicious emails, fake websites appearing legitimate to gain users' trust, and SMS links to download malicious apps) to execute cyber-attacks on regional countries including Pakistan and China.
Malware [...]:
Android RAT
Bad News RAT
File Stealer Malware Delphi
C&C Servers. The following domains/[...] were identified during investigation:

Ser   Domain
(1)   Filepiece.com
(2)   Techwatch.com
(3)   Bingoplant.live
Malicious Attachments/Documents:

Ser   MD5
(1)   4be2d8609f83d10171a411059
(2)   90528e654de20159859ca15b
(3)   54t6s17b8O83d540f274f16O38C6df
(4)   bff7da03f5555ecc9931d0c700

The C&C servers' URLs may be processed for blocking at local firewalls.

Preventive Measures. An APT group may frequently change its techniques, tactics and procedures; however, phishing email remains the initial entry point for malicious [activity]. Therefore, a few preventive measures (but not limited to) are:

Guidelines [...]
(1) Never share personal details and credentials with unauthorized/suspicious users, websites, applications etc.
(2) Never install unknown and suspicious applications.
(3) Never click on unknown links and attachments.
(4) Type URLs in the browser rather than clicking on links.
(5) Always open websites with https and avoid visiting http websites.
(6) Never use personal accounts on official systems.
(7) Do not follow web links in emails to avoid Social Engineering and Phishing Attacks. Train users to recognize and report phishing attempts.
(8) Use multi-factor authentication (MFA)/two-factor authentication wherever possible.
(9) Regularly review application permissions, system running processes and data usage utilization.
(10) Use reputed and licensed business email gateways, anti-phishing and anti-spam solutions.
(11) Always scan every document before opening/downloading via built-in antivirus on mailing servers.
(12) Application whitelisting be ensured by allowing only specified applications to run and blocking all other applications.
(13) Organizations should have a timely vulnerability detection and patch management program in place.
(14) End-point protection systems to be updated and Defender should always be active so that malware [execution] is hindered.
(15) Timely update all applications and operating systems (PCs, mobiles etc.).
(16) Use separate and complex passwords for system accounts, financial and mailing accounts.
(17) Disable execution of PowerShell/Command line for [...] through Access Control and Active Directory.
(18) Auto execution of VBScripts should be disabled and [...] files should never be clicked/[...].
(19) Use well reputed and updated anti-virus/anti-malware [on] mobile phones [...].
(20) Disable macros on documents (MS Excel, Word, PowerPoint etc.).
t
Anti-Masquerading Guidelines (Administrators)
(1) Monitor networks including file hashes, locations, [...] and unsuccessful login attempts.
(2) Use reputed firewalls, IPS/IDS and SIEM solutions.
(3) Use separate servers/routing for offline and online networks.
(4) Restrict incoming traffic and users' permissions to the minimum by implementing system hardening at OS and application level.
(5) Allow internet access to specific users on need basis and [...] data usage/application rights.
(6) Verify software and documents before downloading via digital signing technique.
(7) Implement MFA in the mailing system's admin [...], critical systems [...] controls and other [...].
(8) Regularly change passwords at administrator level.


Users
(1) Always re-verify a trusted user who has [sent a] mail/attachment via secondary means (call, SMS, verbal) before downloading.
(2) Report any suspicious activity to the administrator immediately.
(3) Never keep critical data on online systems; store it in [...] and standalone systems.
(4) Always create a back-up of critical data and store it in external drives or standalone systems.
(5) Keep strong passwords on BIOS, OS level, drives (via BitLocker).
Blocking Malicious Domains/URLs. Block all malicious domains, URLs and hashes of documents at firewall/network level, including those of APT PatchWork. Have access to the latest hacking threat intelligence forums and feeds to remain updated with attackers' innovations regarding evasion techniques.
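The blocking measure above is easier to apply reliably when the indicators are normalised and checked programmatically rather than typed into a firewall by hand. The following is an added example in Python (not part of the advisory): it loads a list of domains and MD5 hashes, rejects malformed entries instead of silently blocking nothing, and matches the rest against proxy and mail-gateway log lines, treating any subdomain of a listed domain as a hit. All indicator values and log lines are constructed placeholders, not the advisory's IoCs.

```python
"""Match a domain and MD5 block-list against local logs.

Added example, not part of the advisory. The indicator lists and log lines
are constructed for illustration; an organisation would load the advisory's
own domains and hashes in their place.
"""
import re
from typing import Dict, List, Optional, Set, Tuple

MD5_RE = re.compile(r"[0-9a-f]{32}")
DOMAIN_RE = re.compile(r"[a-z0-9.-]+")

# Constructed sample indicators (placeholder values, not real IoCs).
RAW_DOMAINS = ["C2-Updates.test.", "bad.example.test", "not a domain!"]
RAW_HASHES = [
    "D41D8CD98F00B204E9800998ECF8427E",   # MD5 of the empty string, used as a placeholder
    "00112233445566778899aabbccddeeff",   # constructed placeholder
    "deadbeef",                           # truncated: rejected as malformed
]

# Constructed log lines: proxy records "<time> <src> <host> <status>" and
# mail-gateway records "<time> mail attach <name> md5=<hash>".
SAMPLE_LOGS = [
    "2023-08-24T09:12:01Z 10.0.0.15 cdn.c2-updates.test 200",
    "2023-08-24T09:12:05Z 10.0.0.15 intranet.gov.test 200",
    "2023-08-24T09:13:40Z mail attach report.docx md5=00112233445566778899AABBCCDDEEFF",
    "2023-08-24T09:14:02Z mail attach budget.xlsx md5=ffffffffffffffffffffffffffffffff",
]

PROXY_LINE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<host>\S+) (?P<status>\d{3})$")
MAIL_LINE = re.compile(r"^(?P<ts>\S+) mail attach (?P<name>\S+) md5=(?P<md5>[0-9a-fA-F]+)$")


def load_indicators(raw_domains: List[str], raw_hashes: List[str]) -> Tuple[Set[str], Set[str], List[str]]:
    """Normalise indicators (case, trailing dot) and collect malformed ones for review."""
    domains: Set[str] = set()
    hashes: Set[str] = set()
    rejected: List[str] = []
    for d in raw_domains:
        d = d.strip().lower().rstrip(".")
        if d and DOMAIN_RE.fullmatch(d):
            domains.add(d)
        else:
            rejected.append(d)
    for h in raw_hashes:
        h = h.strip().lower()
        if MD5_RE.fullmatch(h):
            hashes.add(h)
        else:
            rejected.append(h)
    return domains, hashes, rejected


def domain_matches(host: str, blocked: Set[str]) -> Optional[str]:
    """Return the blocked domain that host equals or is a subdomain of, else None."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in blocked:
            return candidate
    return None


def scan_logs(lines: List[str], domains: Set[str], hashes: Set[str]) -> List[Dict[str, str]]:
    """Flag proxy hosts under a blocked domain and attachments whose MD5 is listed."""
    hits: List[Dict[str, str]] = []
    for line in lines:
        m = PROXY_LINE.match(line)
        if m:
            matched = domain_matches(m["host"], domains)
            if matched:
                hits.append({"type": "domain", "indicator": matched, "line": line})
            continue
        m = MAIL_LINE.match(line)
        if m and m["md5"].lower() in hashes:
            hits.append({"type": "hash", "indicator": m["md5"].lower(), "line": line})
    return hits


if __name__ == "__main__":
    doms, hsh, bad = load_indicators(RAW_DOMAINS, RAW_HASHES)
    print("rejected indicators:", bad)
    for hit in scan_logs(SAMPLE_LOGS, doms, hsh):
        print(hit["type"], hit["indicator"], "<-", hit["line"])
```

The rejected list matters in practice: hashes copied from a scanned advisory are often truncated or mis-read, and a malformed entry that is silently dropped gives a false sense of coverage.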
Reporting. Malware, cyber incidents, suspicious email attachments [...] may be forwarded (without downloading) to the email address: [...]

[Kindly] disseminate the above information to all concerned in your organizations, allied/affiliated departments and ensure necessary protective measures.

(Muhammad Imran [...])
Assistant Secretary (NTISB)
Ph# 051-920 560

Secretaries of Ministries/Divisions of the Federal Government and Chief Secretaries of the Provincial Governments

Copy to:
1. Secretary to the Prime Minister, Prime Minister Secretariat, Islamabad
2. Secretary to the President, Aiwan-e-Sadar, Islamabad
3. Cabinet Secretary, Cabinet Division, Islamabad
4. Additional Secretary-III, Cabinet Division, Islamabad
5. Director General (Tech), Dte Gen, ISI Islamabad
6. Director [...], Cabinet Division, Islamabad

GOVERNMENT OF PAKISTAN
CABINET SECRETARIAT
CABINET DIVISION (NTISB)
No. 1-5/2003(59)/NTISB-II
Islamabad, the 2[...]
Subject: Cyber Attacks

Lately, there has been a troubling pattern where Advanced Persistent Threat (APT) groups are directing their focus towards infiltrating Pakistan's systems and infrastructure. In a recent incident, an Advanced Persistent Threat (APT) group known as "Bitter APT" made an attempt to hack the website of an Embassy [in] Islamabad. The APT group carried out this cyber-attack through compromised [...], specifically a hacked email account. These cyber attacks have raised serious cybersecurity concerns as they pose a significant risk to sensitive data, critical services, and national security. The primary reason behind these incidents appears to be the lack of adequate cybersecurity safeguards in most organizations.
2. It is worth mentioning that all Government organizations are responsible for ensuring and implementing Cyber Security measures in their respective [domains]; therefore a cautious approach needs to be adopted by all.
3. The Cabinet Division (NTISB) proposes the following measures [...] for all the Federal Ministries/Divisions/Provincial Governments, affiliated/attached departments, autonomous bodies and sectoral regulators to effectively protect their critical data and infrastructure:
a. Official documents be shared only through secure channels and devices approved by the organization. Official communication should not be carried out by personal media accounts like WhatsApp, personal emails etc. Appropriate policies and procedures be developed and reinforced by the organizations for all [...], which may include blocking WhatsApp and other [...] communication platforms on the organization's Internet network.
b. Service Level Agreements (SLAs) be established for the email domain services to ensure reliable and secure communication. Responsibilities outline, uptime expectations, security measures and support protocols to maintain data integrity and smooth operations be included in [the SLAs].
c. Any unknown attachments should not be opened on an official device. Email authenticity be verified and up-to-date security measures be ensured.
d. Usage of third party free and cracked software be avoided. Licensed and up-to-date malware and virus protection software be [installed on] official computers/laptops/mobile phones.
e. To add an extra layer of security and [prevent] unauthorized [access], Two-Factor Authentication (2FA) be implemented wherever possible, especially for critical applications and systems.
f. For email security, the following measures be adopted by organizations:
(1) Implementation of "Domain-based Message Authentication, Reporting and Conformance (DMARC)" for all domains to prevent email spoofing and phishing attacks.
(2) Enabling DomainKeys Identified Mail (DKIM) to verify email authenticity and detect tampering etc.
(3) Email security vulnerabilities [...] exposed [...] services on non-SSL ports be immediately addressed by enforcing SSL/TLS encryption.
g. Installation of robust network firewall [as per the] organization's requirements.
h. MAC binding be enabled on the network infrastructure [to bind] specific MAC addresses to their corresponding devices.
i. A centralized logging and correlation mechanism be [established to] facilitate incident forensics and trail tracing.
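Publishing DMARC and DKIM records (item f above) only protects a domain if the records are well formed and the policy is enforcing; a record with p=none reports spoofing but still lets the spoofed mail through. The following is an added example in Python (not part of the letter) that parses the tag=value syntax both record types share and grades a domain's records for that kind of weakness. The record strings are constructed; in a live check they would be the TXT answers for _dmarc.<domain> and <selector>._domainkey.<domain>.

```python
"""Grade the DMARC and DKIM DNS records a mail domain publishes.

Added example, not part of the letter. The records below are constructed
strings standing in for the TXT answers a resolver would return.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Finding:
    severity: str   # "high", "medium" or "low"
    message: str


def parse_tag_value(record: str) -> Dict[str, str]:
    """Split a 'tag=value; tag=value' string; DMARC and DKIM share this syntax."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def evaluate_dmarc(record: Optional[str]) -> List[Finding]:
    """Judge how much protection a DMARC record actually gives against spoofing."""
    if record is None:
        return [Finding("high", "no DMARC record: spoofed mail is neither reported nor rejected")]
    tags = parse_tag_value(record)
    if tags.get("v") != "DMARC1":
        return [Finding("high", "record does not declare v=DMARC1; receivers ignore it")]
    findings: List[Finding] = []
    policy = tags.get("p")
    if policy is None:
        findings.append(Finding("high", "required p= tag missing; record is invalid"))
    elif policy == "none":
        findings.append(Finding("medium", "p=none only monitors; spoofed mail is still delivered"))
    elif policy == "quarantine":
        findings.append(Finding("low", "p=quarantine; move to p=reject once reports look clean"))
    elif policy != "reject":
        findings.append(Finding("high", f"unknown policy p={policy}"))
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        findings.append(Finding("medium", f"pct={pct}: policy applies to only part of the mail"))
    if "rua" not in tags:
        findings.append(Finding("low", "no rua= address: aggregate reports will not be received"))
    if tags.get("sp", policy) == "none" and policy in ("quarantine", "reject"):
        findings.append(Finding("medium", "sp=none leaves subdomains unprotected"))
    return findings


def evaluate_dkim(record: Optional[str]) -> List[Finding]:
    """Check that a selector's DKIM key record is usable for verification."""
    if record is None:
        return [Finding("high", "no DKIM key at the selector: signatures cannot be verified")]
    tags = parse_tag_value(record)
    findings: List[Finding] = []
    if "v" in tags and tags["v"] != "DKIM1":
        findings.append(Finding("high", f"unexpected version tag v={tags['v']}"))
    if not tags.get("p"):
        findings.append(Finding("high", "empty p= tag: key is revoked, signed mail fails verification"))
    if "y" in tags.get("t", "").split(":"):
        findings.append(Finding("low", "t=y testing flag set: verifiers treat failures as unsigned"))
    return findings


def worst_severity(findings: List[Finding]) -> str:
    """Collapse a finding list to its worst severity, or 'ok' when there is none."""
    order = {"high": 3, "medium": 2, "low": 1}
    return max((f.severity for f in findings), key=order.get, default="ok")


# Constructed records for illustration (not real DNS answers).
SAMPLE_DMARC = {
    "weak.test": "v=DMARC1; p=none; rua=mailto:dmarc@weak.test",
    "strong.test": "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@strong.test",
    "missing.test": None,
}
SAMPLE_DKIM = {
    "revoked.test": "v=DKIM1; k=rsa; p=",
    "ok.test": "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQplaceholder",
}

if __name__ == "__main__":
    for domain, rec in SAMPLE_DMARC.items():
        print("DMARC", domain, worst_severity(evaluate_dmarc(rec)))
    for domain, rec in SAMPLE_DKIM.items():
        print("DKIM", domain, worst_severity(evaluate_dkim(rec)))
```

The same functions can be fed the real TXT answers from a resolver to audit every organisational domain at once, which is the practical form of the "for all domains" requirement in item f.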

5. All Federal Ministries/Divisions/Provincial Governments, affiliated departments, autonomous bodies and sectoral regulators are directed to [implement the] above mentioned recommendations and adopt cautious behavior in [view of] prevailing cyber threats and their consequences.
6. This issues with the approval of the competent authority.

(Lieutenant [...] Muhammad [...])
Deputy Secretary ([...])

All Secretaries of Ministries/Divisions of the Federal Government and Chief Secretaries of the Provincial Governments

Copy to:
Mr. Nazar Muhammad Bozdar, Additional Secretary-I, Prime Minister's Office, Prime Minister Secretariat, Islamabad