The Indian government and defence and aerospace sectors were allegedly targeted by a suspected Pakistan-based hacking group between late 2023 and April 2024, Canadian cybersecurity firm BlackBerry Research & Intelligence Team said in a recent report, adding that "the threat group", called Transparent Tribe or APT36, was likely to continue its online espionage campaign against sensitive Indian entities.
In its May 22 report, BlackBerry claimed that it had traced the roots of the espionage campaign to Pakistani cities. In particular, three state-owned companies involved in aerospace and defence were targeted. BlackBerry's claims were first reported by India Today.
"We observed the group deploying a range of malicious tools mirroring those used in previous campaigns as well as newer iterations, which we assess with moderate to high confidence were indeed conducted by Transparent Tribe," said the BlackBerry report.
What were the group's targets?
During its latest campaign, Transparent Tribe has been "carefully monitoring" the efforts of Indian armed forces to upgrade their "aerospace defence capabilities", said BlackBerry.
Describing Transparent Tribe's targeting as "quite strategic", BlackBerry claimed that the group primarily targeted both the Indian armed forces and "state-run defence contractors", by which it probably means defence public sector undertakings (DPSUs), between late 2023 and April 2024.
"Historically, the group has primarily engaged in intelligence gathering operations against the Indian military," added BlackBerry.
The hackers have been employing a number of different techniques and tools to deliver malware to targeted systems, with the ultimate goal of exfiltrating sensitive information to external servers.
According to BlackBerry, they have also targeted a Linux-based operating system, called MayaOS, which has been developed indigenously for India's defence sector.
The hackers also used what BlackBerry describes as an "all-in-one" espionage tool, which is capable of finding and exfiltrating files with popular file extensions, taking screenshots, uploading and downloading files, and executing commands.
BlackBerry claims that in September 2023, it observed a "spear-phishing email" targeting "numerous key stakeholders and clients" of the Department of Defence Production (DDP), under the Ministry of Defence (MoD). Entities belonging to the aerospace sector were specifically targeted, added the Canadian cybersecurity firm.
"The spear-phishing email was directly sent to one of the largest aerospace and defense companies in Asia. It was also sent to an Indian state-owned aerospace and defence electronics company, and additionally to Asia's second-largest manufacturer of earth moving equipment, which plays a key role in the country's Integrated Guided Missile Development Programme (IGMDP) by supplying ground support vehicles," said the BlackBerry report. "Key individuals within the DDP were carbon-copied," it added.
BlackBerry highlighted that all three companies targeted are headquartered in Bengaluru. Based on the description provided by BlackBerry, these companies are likely to be Hindustan Aeronautics Limited, Bharat Electronics Limited and Bharat Earth Movers Limited. India Today also reported that these were the three firms most likely targeted by Transparent Tribe.
Spear-phishing is a social engineering attack in which a campaign targets a specific person or group using information known to be of interest to the target. A counterfeit message is delivered to the target via email. It is designed to appear legitimate, convincing the target to open a malicious link or attachment and thereby exposing them to malicious software.
Set up in 1962, the DDP's mandate is to develop production infrastructure for producing weapons, systems, platforms, and equipment required for defence. Over the years, it has established production facilities through the Ordnance Factories and DPSUs. It is also a key part of the government's 'Make in India' initiative in defence. Meanwhile, sanctioned to develop a family of tactical and strategic indigenous missiles, the IGMDP was started in 1983 and completed in March 2012.
How does BlackBerry know the attacks came from Pakistan?
BlackBerry claims that throughout its investigation, it uncovered "multiple artifacts" that support attributing the campaign to a Pakistan-based group.
"We noted that a file served from the group's infrastructure set the time zone variable to 'Asia/Karachi', which is Pakistani Standard Time," said the BlackBerry report, adding, "We also discovered a remote IP address associated with a Pakistani-based mobile data network operator embedded within a spear-phishing email."
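The two artifacts BlackBerry cites above, a sender IP embedded in a spear-phishing email and a time zone setting that points at Pakistan, are the kind of thing an analyst pulls out of message headers during triage of a suspected spear-phishing email like the one described earlier in the article. The script below is an added example, not code from the BlackBerry report or from any tool the article mentions: it parses a constructed sample message (all hosts, addresses and IPs are placeholders from documentation ranges), lists the relay IPs in the Received chain, reports the UTC offsets carried in the Date and Received timestamps, and flags a Reply-To domain that differs from the From domain. An offset such as +0500 is consistent with Pakistan Standard Time but also with several other zones, so, as in the report, it is corroborating evidence to be weighed alongside other artifacts rather than proof on its own.

```python
"""Header triage for a suspected spear-phishing message (added example, not the
report's code). Extracts hop IPs and UTC offsets so they can be compared with the
sender geography the message claims."""
from __future__ import annotations

import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample, not a real message: documentation IPs and invented .test hosts.
# Received headers are read top-down, newest hop first, as MTAs prepend them.
SAMPLE_EMAIL = """Received: from mail.example-relay.test (mail.example-relay.test [203.0.113.10])
    by mx.target.example (Postfix) with ESMTPS id ABC123
    for <procurement@target.example>; Tue, 12 Sep 2023 14:05:22 +0530
Received: from [198.51.100.77] (unknown [198.51.100.77])
    by mail.example-relay.test with ESMTPA; Tue, 12 Sep 2023 13:34:51 +0500
From: "Tender Cell" <notice@lookalike.test>
Reply-To: replies@other-domain.test
Date: Tue, 12 Sep 2023 13:34:40 +0500
Subject: Updated tender documents
Content-Type: text/plain

Please review the attached tender documents.
"""

BRACKETED_IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_ips(msg: Message) -> list[str]:
    """First bracketed IPv4 address from each Received header, newest hop first."""
    ips = []
    for hdr in msg.get_all("Received", []):
        m = BRACKETED_IPV4.search(hdr)
        if m:
            ips.append(m.group(1))
    return ips


def originating_ip(msg: Message) -> str | None:
    """Earliest hop in the chain, i.e. the bottom-most Received header with an IP.
    Only the hop added by your own MTA is trustworthy; lower ones can be forged."""
    ips = received_ips(msg)
    return ips[-1] if ips else None


def utc_offset_minutes(date_str: str) -> int | None:
    """UTC offset in minutes from an RFC 5322 date string, or None if unparsable."""
    try:
        dt = parsedate_to_datetime(date_str)
    except (TypeError, ValueError):
        return None
    off = dt.utcoffset()
    return None if off is None else int(off.total_seconds() // 60)


def header_offsets(msg: Message) -> dict[str, list[int]]:
    """Offsets from the Date header and from the timestamp after ';' in each Received."""
    out: dict[str, list[int]] = {"date": [], "received": []}
    date_hdr = msg.get("Date")
    if date_hdr:
        off = utc_offset_minutes(date_hdr)
        if off is not None:
            out["date"].append(off)
    for hdr in msg.get_all("Received", []):
        if ";" in hdr:
            off = utc_offset_minutes(hdr.rsplit(";", 1)[1])
            if off is not None:
                out["received"].append(off)
    return out


def reply_to_mismatch(msg: Message) -> bool:
    """True when Reply-To routes answers to a different domain than From."""
    from_addr = parseaddr(msg.get("From", ""))[1]
    reply_addr = parseaddr(msg.get("Reply-To", ""))[1]
    if not reply_addr:
        return False
    return reply_addr.rsplit("@", 1)[-1].lower() != from_addr.rsplit("@", 1)[-1].lower()


def triage(raw: str) -> dict:
    """Summarise the header artifacts an analyst would compare against expectations."""
    msg = message_from_string(raw)
    return {
        "originating_ip": originating_ip(msg),
        "hop_ips": received_ips(msg),
        "offsets": header_offsets(msg),
        "reply_to_mismatch": reply_to_mismatch(msg),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_EMAIL).items():
        print(f"{key}: {value}")
```

The originating IP and the +0500 offsets in the sample are what would then be checked against WHOIS or ASN data and the stated sender's expected time zone; a mismatch between the claimed sender and either artifact is a reason to escalate, and a match is only one input to attribution.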
Finally, the cybersecurity firm said that the "strategic targeting" of India's defence sector also indicated "the group's potential alignment with Pakistan's interests".
What is Transparent Tribe?
Transparent Tribe, also known as APT36, ProjectM, Mythic Leopard and Earth Karkaddan, is a suspected Pakistan-based cyber espionage threat group, according to BlackBerry.
The group has been active since at least 2013, during which time it has primarily targeted diplomatic, defence, and research organisations in India and Afghanistan.
Known for using Windows-based and mobile malware, the group has also expanded its operations by targeting the education sector, said BlackBerry's 2023 Global Threat Intelligence Report.
According to BlackBerry, the group is not overly sophisticated. However, it "actively adapts" its attack approach and toolkit to evade detection.
The group has reportedly made mistakes in the past, which have "inadvertently linked" it to Pakistan, highlighted BlackBerry.