In today’s constantly evolving digital world, cyber warfare has emerged as a new arena of combat. A recent analysis from a well-known cybersecurity intelligence group uncovered a worrying discovery. Transparent Tribe, a hacker organization linked to Pakistan, has targeted critical sectors in India, including government, defense, and aerospace.
Transparent Tribe: APT36, ProjectM, Mythic Leopard, or Earth Karkaddan
Transparent Tribe, also known as APT36, ProjectM, Mythic Leopard, or Earth Karkaddan, is a cyber espionage group believed to be linked to Pakistan. The group has a notorious history of conducting cyber espionage operations against India’s defense, government, and education sectors. Their activities have raised significant concerns about the security of sensitive information in these critical sectors. The group’s operations are sophisticated, demonstrating a high level of expertise in cyber warfare.
Strategic Targeting of Indian Defense
From late 2023 to April 2024, Transparent Tribe focused its efforts on Indian defense forces and state-run defense contractors. The group’s primary targets included employees within the Department of Defense Production (DDP), especially those in companies in the aerospace sector. Among the unnamed targets were one of Asia’s largest aerospace and defense companies, a state-owned aerospace and defense electronics company, and Asia’s second-largest manufacturer of earth-moving equipment. These companies are most likely Hindustan Aeronautics Limited (HAL), Bharat Electronics Limited (BEL), and Bharat Earth Movers Limited (BEML).
Sophisticated Phishing Tactics
The group employed phishing emails as their primary method to deliver malicious payloads. These emails, often appearing to come from reputable entities and officials, contained malware hidden within ZIP archives or links. Once opened, the malware installed programs on the target systems to extract sensitive documents and information.
The phishing emails covered a range of subjects to lure the recipients, from professional topics like defense export concepts and public relations policies to personal interests such as holiday camps, pension schemes, and education loans. This strategic approach increased the likelihood of recipients opening the malicious attachments.
Advanced Malware and Tools
Transparent Tribe has developed and utilized a variety of advanced tools and techniques to carry out their espionage activities. Among these is a new “all-in-one” espionage tool written in GoLang, which can retrieve and exfiltrate a wide range of files, take screenshots, upload and download files, and execute commands. The group also used ELF binaries, which are capable of running on different processor types, to monitor directories and exfiltrate specific file types to external servers.
The report highlighted the group’s use of cross-platform programming languages such as Python, GoLang, and Rust, as well as open-source offensive tools. These tools were deployed to exploit vulnerabilities in web services like Telegram, Discord, and Google Drive for data exfiltration.
Indicators of Pakistani Origin
Several indicators suggest the involvement of Pakistan-based actors in these cyberattacks. For instance, time-zone variables in some malicious files were set to “Asia/Karachi,” aligning with Pakistan Standard Time. Additionally, an ISO image used in one of the attacks was traced back to Multan, Pakistan. A remote IP address linked to the phishing emails was associated with CMPak Limited, a Pakistan-based mobile data network operator owned by China Mobile.
Further supporting the group’s Pakistani nexus, Transparent Tribe’s activities align with Pakistani geopolitical goals, particularly in undermining India’s defense capabilities. The group has previously been linked to the Pakistani military, as indicated in reports by cybersecurity firms like Lookout.
Historical Context and Persistent Threat
The Transparent Tribe has a history of targeting India’s defense sector. In 2018, a report alleged that the group had compromised the personal devices of Pakistani human rights activists. The group’s recent activities show a significant overlap with its previous campaigns, including code reuse and similar network infrastructure.
The recent report emphasized that Transparent Tribe has been persistently adapting and evolving its tactics, techniques, and procedures (TTPs). This evolution includes the use of new tools and adapting to emerging technologies, making the group a persistent threat to India’s national security.
The cyber espionage campaign by Transparent Tribe highlights the ongoing and sophisticated nature of cyber threats facing India’s defense sector. The group’s strategic targeting and advanced tools pose significant risks to national security, emphasizing the need for robust cybersecurity measures and heightened vigilance. As Transparent Tribe continues to evolve its tactics, India must strengthen its defense mechanisms to protect against such persistent cyber threats.