
Pakistan-linked hackers target India’s defense and aerospace sectors

A Pakistan-linked hacker group is targeting critical government, defense and aerospace organizations in India, according to a report by Blackberry, a cybersecurity intelligence firm. The group, tracked as an Advanced Persistent Threat (APT) and called Transparent Tribe, targets Department of Defence Production (DDP) entities, particularly aerospace organizations, via phishing emails. “The Transparent Tribe’s targeting at this time was quite strategic. During this period, the group’s main focus was on the Indian Defense Forces and state-owned defense contractors. Historically, the group has mainly engaged in intelligence gathering operations against the Indian military,” the report said.

Blackberry discovered the group’s activities during its ongoing threat hunting in the Asia-Pacific region and said the malicious attempts occurred from late 2023 to April 2024. The unnamed targets included one of Asia’s largest aerospace and defense companies, a state-owned company in the aviation, space and defense electronics industry, and Asia’s second largest manufacturer of earthmoving equipment, alongside key people at the DDP.

It is unclear how effective the cyber attack was, as are the amount and nature of the documents extracted. Blackberry, however, expects the group to continue operating. The report also noted that the group has rapidly adapted and developed its toolkit over the years.

“Our investigation reveals that Transparent Tribe continually targets critical sectors vital to India’s national security. This threat actor continues to employ a core set of tactics, techniques, and procedures (TTPs) that it adapts over time. The group’s evolution in recent months has focused largely on the use of cross-platform programming languages, offensive open source tools, attack vectors and web services,” Blackberry said.

Modus operandi:

The report states: “Based on the sample we reviewed, Transparent Tribe primarily uses phishing emails as the preferred delivery method for its payloads, utilizing either malicious ZIP archives or links.” The payloads then install programs on the target system that exfiltrate documents.

Blackberry has also discovered a new versatile spy tool, which is a downloader that, when launched, downloads two files – a PDF file that acts as a decoy and a payload that allows the exfiltration of a wide range of files.

Who is the Transparent Tribe?

Also known as APT36, ProjectM, Mythic Leopard or Earth Karkaddan, Transparent Tribe is a cyber espionage group operating with a “Pakistani connection”. According to the report, the group has in the past conducted cyber espionage operations against India’s defense, government and education sectors.

Blackberry observed that this campaign has significant overlap with Transparent Tribe’s previous efforts, including code reuse and similar network infrastructure. Analysis revealed that the threat actor had set the time zone in one of its files to “Asia/Karachi”, which is Pakistan Standard Time. Additionally, an ISO image of one of their attacks, which was first observed in early October, pointed to Multan, Pakistan. Researchers also discovered a remote IP address contained in a spear-phishing email that was linked to Pakistan-based mobile data network operator CMPak Limited, owned by China Mobile. Moreover, the strategic focus on India’s defense sector is clearly in line with Pakistan’s geopolitical goals.

The report also indicated that the group was linked to the deployment of malicious ISO images against entities in India by uncategorized threat actors, which occurred earlier this year. These attacks are believed to have targeted the Indian Air Force and took place around the same time that the Indian government decided to modernize its air force, including purchasing new jets and modernizing its existing fleet.

Transparent Tribe also appeared in a 2018 Amnesty International report, which accused it of compromising the security of the personal devices of Pakistani human rights activists.
