BlackBerry exposes cyber espionage by Transparent Tribe targeting Indian government, defense sectors

BlackBerry disclosed that the Pakistan-based advanced persistent threat group Transparent Tribe (APT36) targeted the Indian government, defense, and aerospace sectors using cross-platform programming languages. Also tracked as ProjectM, Mythic Leopard, or Earth Karkaddan, Transparent Tribe is a cyber espionage group operating with a Pakistani nexus; the activity cluster described spanned from late 2023 to April this year and is anticipated to persist.

“The group’s primary focus during this period was on the Indian defense forces and state-run defense contractors. Historically, the group has primarily engaged in intelligence gathering operations against the Indian Military,” BlackBerry researchers wrote in a recent blog post. “In September 2023, BlackBerry observed a spear-phishing email targeting numerous key stakeholders and clients of the Department of Defense Production (DDP), specifically those in the aerospace sector.”

Additionally, the spear-phishing email was directly sent to one of the largest aerospace and defense companies in Asia. “It was also sent to an Indian state-owned aerospace and defence electronics company, and additionally to Asia’s second-largest manufacturer of earth moving equipment, which plays a key role in the country’s Integrated Guided Missile Development Project by supplying ground support vehicles. Key individuals within the DDP were carbon-copied.”

“Throughout our investigations, we uncovered multiple artifacts that substantiate our attribution. For example, we noted that a file served from the group’s infrastructure set the time zone (TZ) variable to ‘Asia/Karachi,’ which is Pakistani Standard Time,” the BlackBerry post added. “We also discovered a remote IP address associated with a Pakistani-based mobile data network operator embedded within a spear-phishing email. The strategic targeting of critical sectors vital to India’s national security additionally suggests the group’s potential alignment with Pakistan’s interests.”

Alongside familiar tactics, Transparent Tribe introduced new iterations. The group first used ISO images as an attack vector in October 2023, and BlackBerry noted the same technique in its present campaigns. BlackBerry also discovered a new Golang-compiled ‘all-in-one espionage tool used by the group, which can find and exfiltrate files with popular file extensions, take screenshots, upload and download files, and execute commands.’

“In Transparent Tribe’s prior campaigns, the group was seen adapting and evolving their toolkit,” the post identified. “In recent months the group have been putting a heavy reliance on cross-platform programming languages such as Python, Golang, and Rust, as well as abusing popular web services such as Telegram, Discord, Slack, and Google Drive. We observed the group deploying a range of malicious tools mirroring those used in previous campaigns as well as newer iterations, which we assess with moderate to high confidence were indeed conducted by Transparent Tribe.”

“Despite not being overly sophisticated, the group actively adapts its attack vector as well as its toolkit to evade detection,” the researchers revealed. “The group has been operational since approximately 2013. Previous reports highlighted operational security mistakes made by the group. Due to these mistakes, Transparent Tribe inadvertently linked themselves to Pakistan.”

In this campaign uncovered by BlackBerry, the researchers ‘surmise that Transparent Tribe has been carefully monitoring the efforts of the Indian defense forces as they strive to bolster and upgrade the country’s aerospace defense capabilities.’

Based on the sample set BlackBerry looked at, Transparent Tribe primarily employs phishing emails as the preferred method of delivery for their payloads, utilizing either malicious ZIP archives or links. The researchers observed the use of numerous different tools and techniques, some of which aligned with previous reporting from Zscaler in September 2023.

India has put significant efforts into the research and development of indigenized Linux-based operating systems such as MayaOS. MayaOS — developed internally by the Indian Defense Research and Development Organisation (DRDO), the Centre for Development of Advanced Computing (C-DAC), and the National Informatics Centre (NIC) — serves as an alternative to Windows. It is a hardened Linux distribution intended for adoption by the Indian Ministry of Defense (MoD) and subsequently the country’s Army, Navy, and Air Force.

As a result, Transparent Tribe has chosen to focus heavily on the distribution of Executable and Linkable Format (ELF) binaries during this period.

“In the past, Transparent Tribe has employed desktop entry files to deliver Poseidon payloads in ELF format,” BlackBerry pointed out. “Poseidon is a Golang agent that compiles into Linux and macOS x64 executables. This agent is designed to be used with Mythic and open-source cross-platform red teaming frameworks. Currently, Poseidon remains part of the group’s toolkit; however, we haven’t confirmed the specific attack vector employed for its distribution.”

The researchers added that they did, however, see the distribution of a Python downloader script compiled into ELF binaries. “These ELF binaries had minimal detections on VirusTotal likely due to their lightweight nature and dependency on Python. The first cluster of files we found had an embedded file name of ‘aldndr[dot]py,’ later versions had an embedded file name of ‘basha[dot]py.’”

BlackBerry said that it is evident the Transparent Tribe group is favoring the use of cross-platform programming languages, open-source offensive tooling, and different web services for command-and-control (C2) or exfiltration. “In the beginning of 2024, reports and blogs surfaced detailing the deployment of malicious ISO images against entities in India by uncategorized threat actors. These deceptive ISO files, with themes and naming conventions, strongly suggest the target of these attacks was the Indian Air Force (IAF) or an entity associated with the IAF,” it added.

These ISO files and their bundled payloads had the hallmark of a Transparent Tribe attack chain. The file sharing platform oshi[dot]at, used by the group in ‘swift_script[dot]sh’ for data exfiltration, was now being used to host the file ‘SU-30_Aircraft_Procurement.zip.’ The payloads bundled within these ISO images are modified open-source offensive tools — Golang compiled information stealers that abuse Slack for data exfiltration — reflecting the characteristics seen in the Discord payload and other components of their attack chain.
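The artifacts reported above (ELF binaries compiled from Python downloaders with embedded script names, the ‘Asia/Karachi’ time-zone string, and the oshi[dot]at hosting) can be turned into a simple triage check. The following is an added example, not code from BlackBerry's post; it assumes the defanged names on the page are the literal strings to look for and is a string-based heuristic, not a substitute for a full analysis.

```python
import string

ELF_MAGIC = b"\x7fELF"

# Indicator strings taken from the reporting quoted in this article (defanged on the page,
# restored here for matching). This is an assumed triage set, not an exhaustive signature.
INDICATORS = {
    "embedded python downloader name": [b"aldndr.py", b"basha.py"],
    "Pakistani time zone artifact": [b"Asia/Karachi"],
    "oshi.at file-sharing host": [b"oshi.at"],
}

# Printable ASCII including space, but excluding control whitespace.
PRINTABLE = set(string.printable.encode()) - set(b"\t\n\r\x0b\x0c")

def extract_strings(data: bytes, min_len: int = 6) -> list[bytes]:
    """Return runs of printable ASCII bytes of at least min_len, like the `strings` tool."""
    out, run = [], bytearray()
    for b in data:
        if b in PRINTABLE:
            run.append(b)
        else:
            if len(run) >= min_len:
                out.append(bytes(run))
            run = bytearray()
    if len(run) >= min_len:
        out.append(bytes(run))
    return out

def triage_elf(data: bytes) -> dict:
    """Check that data starts with the ELF magic and report which indicators it embeds."""
    result = {"is_elf": data[:4] == ELF_MAGIC, "hits": {}}
    if not result["is_elf"]:
        return result
    found = extract_strings(data)
    for label, needles in INDICATORS.items():
        matched = sorted({n.decode() for n in needles if any(n in s for s in found)})
        if matched:
            result["hits"][label] = matched
    return result

# Constructed sample: a minimal fake ELF header followed by padding and planted strings.
SAMPLE = (ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 9 + b"\x02\x00\x3e\x00" + b"\x00" * 40
          + b"/tmp/build/aldndr.py\x00" + b"TZ=Asia/Karachi\x00" + b"https://oshi.at/abc\x00")

if __name__ == "__main__":
    print(triage_elf(SAMPLE))
```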

Notably, around this time, the Indian government alongside the Defense Acquisition Council (DAC) took significant steps to bolster the Indian Air Force’s capabilities. This included issuing a tender to one of the largest aerospace and defence manufacturers in Asia for the procurement of 97 advanced Tejas fighter jets and approving the upgrade of the Su-30 fighter fleet.

This collaborative effort focuses on modernizing and expanding the Indian Air Force’s fleet, underscoring the aerospace manufacturer’s pivotal role in strengthening national security and defense infrastructure, while also unfortunately making them a prime target for espionage campaigns.

In its conclusion, BlackBerry said that its investigation reveals Transparent Tribe has been persistently targeting critical sectors vital to India’s national security. “This threat actor continues to utilize a core set of Tactics, Techniques, and Procedures (TTPs), which they have been adapting over time. The group’s evolution in recent months has primarily revolved around its utilization of cross-platform programming languages, open-source offensive tools, attack vectors, and web services.”

Also, these actions align with heightened geopolitical tensions between India and Pakistan, implying a strategic motive behind Transparent Tribe’s activities. This activity is expected to continue.

Last August, BlackBerry discovered and documented new tools used by the Cuba ransomware threat group. The targets of this campaign included a critical infrastructure company in the U.S. and a systems integrator from Latin America. The BlackBerry Threat Research and Intelligence team investigated a campaign by the hacker group conducted in June that culminated in these attacks while providing an in-depth analysis of the latest evolution in tactics, techniques, and procedures (TTPs) utilized by the Cuba threat group.
