Cyber Crime
APT36 Strikes Again: Pakistani Cyber Espionage Group Targets India’s Critical Infrastructure
BlackBerry’s cybersecurity team has uncovered a series of sophisticated cyber espionage activities by the Pakistani-based advanced persistent threat group, Transparent Tribe (APT36), targeting India’s government, defense, and aerospace sectors. This malicious activity spanned from late 2023 to April 2024 and shows no signs of abating.
Evolving Tactics and Tools
Transparent Tribe, known for its persistent and adaptive strategies, has recently leveraged cross-platform programming languages such as Python, Golang, and Rust. The group has also exploited popular web services like Telegram, Discord, Slack, and Google Drive to deploy their malicious tools. These tools include both familiar and new iterations, indicating a continuous effort to enhance their cyber arsenal.
BlackBerry’s investigation revealed significant artifacts pointing to Transparent Tribe’s involvement. For instance, a file served from the group’s infrastructure set the time zone to “Asia/Karachi,” and a remote IP address linked to a Pakistani mobile data network was embedded in a spear-phishing email. These findings, coupled with the strategic targeting of sectors crucial to India’s national security, strongly suggest the group’s alignment with Pakistan’s interests.
ALSO READ: 300% Surge in Cyber Attack – Here Is How Hacktivist Groups Are Targeting India’s General Election
New Attack Vectors
Transparent Tribe introduced ISO images as an attack vector in October 2023, a tactic they have continued to use. BlackBerry also identified a new Golang-compiled espionage tool capable of exfiltrating files, taking screenshots, and executing commands. This tool underscores the group’s commitment to enhancing its capabilities.
Who is Transparent Tribe?
Transparent Tribe, also known as APT36, ProjectM, Mythic Leopard, or Earth Karkaddan, is a cyber espionage group with ties to Pakistan. Active since around 2013, the group has a history of targeting India’s defense, government, and education sectors. Despite occasional operational security mistakes that have exposed their links to Pakistan, Transparent Tribe continues to adapt its toolkit to evade detection.
Context of the Conflict
India and Pakistan have a long-standing conflict over the Kashmir region, leading to frequent clashes and heightened tensions. The current diplomatic freeze and significant political developments in both countries have provided fertile ground for cyber espionage activities aimed at gaining strategic advantages.
Attack Methods
Transparent Tribe primarily uses phishing emails to deliver malicious payloads via ZIP archives or links. Their arsenal includes various tools and techniques, many of which align with previous reports from cybersecurity firms like Zscaler.
India’s defense sector has been developing indigenized Linux-based operating systems, such as MayaOS, to enhance security. Transparent Tribe has responded by focusing on distributing Executable and Linkable Format (ELF) binaries, targeting these new systems.
Weaponization Techniques
The group has used desktop entry files to deliver Poseidon payloads in ELF format, a Golang agent designed for Linux and macOS. The current campaign also includes Python downloader scripts compiled into ELF binaries, with minimal detections on VirusTotal due to their lightweight nature and reliance on Python.
ALSO READ: After Revolt in Cambodian Scam Compounds, MHA and MEA Swing into Action: Here’s How They’re Fighting Back
Windows Targeting
Transparent Tribe has also developed Python-based Windows downloaders, similar to their Linux counterparts, to perform tasks like downloading executables and setting them to run at startup. These Windows versions of GLOBSHELL tools highlight the group’s cross-platform capabilities.
The All-in-One Espionage Tool
BlackBerry discovered a new Golang-compiled espionage tool used by Transparent Tribe. This tool, retrieved from a domain linked to the group, is capable of finding and exfiltrating files, taking screenshots, and executing commands, showcasing the group’s evolving toolkit.
ISO Images and PDF Lures
Transparent Tribe has used ISO images to deliver Python-based Telegram bots compiled into Windows executables. These lures target Indian defense forces with themes like pension administration and education loan applications for army personnel.
Connecting the Dots
The group’s use of cross-platform languages, open-source tools, and various web services for command-and-control and exfiltration activities is evident. Reports from early 2024 detail the deployment of malicious ISO images against entities in India, aligning with Transparent Tribe’s tactics.
Strategic Targeting
Transparent Tribe’s focus during this period has been on the Indian defense forces and state-run defense contractors. In September 2023, BlackBerry observed a spear-phishing campaign targeting key stakeholders in the aerospace sector, including major defense companies headquartered in Bangalore, India.
The findings from BlackBerry underscore the persistent threat posed by Transparent Tribe to India’s critical sectors. As tensions between India and Pakistan continue to rise, the cybersecurity landscape remains a key battleground in the broader conflict. Organizations in the targeted sectors must remain vigilant and enhance their cybersecurity measures to mitigate the risks posed by such advanced threat groups.