A report by cybersecurity intelligence firm BlackBerry said a Pakistan-linked hacker group has been targeting key parts of India’s government, defense and aerospace sectors. Categorised as an advanced persistent threat (APT), the group, known as Transparent Tribe, has been targeting Department of Defence Production (DDP) customers, particularly those in the aerospace sector, through phishing emails. “Transparent Tribe’s targeting during this time has been highly strategic. The group’s primary focus during this period has been the Indian Defence Forces and state-owned defence contractors. Historically, the group has primarily engaged in intelligence gathering operations against the Indian military,” the report said.
BlackBerry reported that it discovered the group’s activity through ongoing hunting activities across the Asia-Pacific region, with malicious attempts occurring between late 2023 and April 2024. Targets, whose names were not disclosed, included one of Asia’s largest aerospace and defense companies, a state-owned aerospace and defense electronics company, Asia’s second-largest earthmoving equipment manufacturer, and key figures within the DDP.
It is unclear how successful the cyberattack was, or the amount and nature of documents extracted, but BlackBerry expects the group to remain active. The report also states that the group has rapidly adapted and evolved its toolkit over the past few years.
“Our investigation reveals that Transparent Tribe is relentlessly targeting critical sectors vital to India’s national security. The threat actor continues to utilize a core set of Tactics, Techniques and Procedures (TTPs) that it has adapted over time. The group’s evolution in recent months has primarily revolved around the use of cross-platform programming languages, open-source attack tools, attack vectors and web services,” BlackBerry said.
Modus operandi:
“Based on the sample set we have examined, Transparent Tribe primarily employs phishing emails as a delivery method for its payloads, leveraging either malicious ZIP archives or links,” the report states. The payload then installs a program on the target system that extracts documents.
BlackBerry also discovered a new “all-in-one” spy tool, a downloader that, when executed, retrieves two files: a PDF that acts as a lure, and a payload capable of stealing a variety of files.
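The delivery chain described above (a phishing email carrying either a ZIP archive or a link, with a lure PDF sitting beside the real payload) is something a mail gateway can triage without opening anything. The following is an added example written for this page, not code from BlackBerry or from the report; the archive contents, file names and URL are constructed, and the extension list is an illustrative choice, not one taken from the report. It lists the members of a ZIP attachment, flags executable or script members, decoy double extensions such as `report.pdf.exe`, and encrypted members, and pulls URLs out of the email body for reputation checks.

```python
import io
import re
import zipfile

# Member extensions a gateway would typically quarantine. Illustrative list
# chosen for this example; it is not taken from the BlackBerry report.
RISKY_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".ps1",
                    ".vbs", ".js", ".jse", ".hta", ".lnk", ".iso", ".msi", ".dll"}

# Document-like extensions that attackers put before a real executable extension.
DECOY_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def triage_zip(zip_bytes: bytes) -> list[str]:
    """Return a list of findings for a ZIP attachment.

    Only reads the central directory; nothing is extracted or executed.
    """
    findings = []
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            for info in zf.infolist():
                name = info.filename
                if name.endswith("/"):
                    continue  # directory entry, nothing to check
                base = name.lower().rsplit("/", 1)[-1]
                parts = base.split(".")
                ext = "." + parts[-1] if len(parts) > 1 else ""
                if ext in RISKY_EXTENSIONS:
                    findings.append(f"executable member: {name}")
                # e.g. "notice.pdf.exe": the part before the final extension
                # is a document extension used as a decoy
                if len(parts) > 2 and ("." + parts[-2]) in DECOY_EXTENSIONS:
                    findings.append(f"double extension: {name}")
                # bit 0 of the general-purpose flags marks an encrypted member;
                # password-protected archives defeat gateway scanning
                if info.flag_bits & 0x1:
                    findings.append(f"encrypted member: {name}")
    except zipfile.BadZipFile:
        findings.append("not a valid ZIP archive")
    return findings


def extract_links(body: str) -> list[str]:
    """Return the URLs found in an email body so they can be reputation-checked."""
    return URL_RE.findall(body)


def build_sample_zip() -> bytes:
    """Constructed sample archive: a decoy PDF beside a double-extension executable.

    File names and contents are invented for this example.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Tender_Notice.pdf", b"%PDF-1.4 decoy document")
        zf.writestr("Tender_Notice.pdf.exe", b"MZ placeholder, not a real binary")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in triage_zip(build_sample_zip()):
        print(finding)
    # constructed body text with a placeholder link
    print(extract_links("Please review http://example.invalid/tender.zip before Friday."))
```

The check is deliberately conservative: it never inflates the archive, so it is safe against archive bombs and does not depend on the payload format, and an encrypted member is reported on its own because a password-protected ZIP is a common way to get past attachment scanning.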
Who is Transparent Tribe?
Transparent Tribe, also known as APT36, ProjectM, Mythic Leopard, and Earth Karkaddan, is a cyberespionage group operating with “links to Pakistan.” According to reports, the group has a history of conducting cyberespionage operations against India’s defense, government, and education sectors.
BlackBerry observed significant overlaps between this campaign and previous Transparent Tribe activity, including code reuse and similar network infrastructure. Analysis showed that the threat actors set the time zone in one of the files to “Asia/Karachi,” Pakistan Standard Time. Additionally, an ISO image from one of the attacks first seen in early October was traced back to Multan, Pakistan. Researchers also found a remote IP address embedded in the spear-phishing email, which is associated with CMPak Limited, a Pakistan-based mobile data network operator owned by China Mobile. Finally, the strategic targeting of India’s defense sector clearly aligns with Pakistan’s geopolitical objectives.
The report also alleges that the group was linked to the deployment of malicious ISO images by unclassified threat actors against Indian organizations earlier this year. The target of these attacks is believed to be the Indian Air Force, and they occurred around the same time that the Indian government decided to modernize its air force capabilities, including procuring new jets and upgrading existing aircraft.
Transparent Tribe also featured in a 2018 Amnesty International report for allegedly hacking into the personal devices of Pakistani human rights activists.