Transparent Tribe: An In-Depth Analysis of APT36’s Latest Campaign Targeting India’s Defense Sector

9 min read
Transparent Tribe: An In-Depth Analysis of APT36’s Latest Campaign Targeting India’s Defense Sector

In the ever-evolving landscape of cyber warfare, threat actors continuously adapt their tactics and tools to stay ahead of detection mechanisms. One such group, Transparent Tribe (APT36), has been active since 2013 and has gained notoriety for its persistent cyber espionage campaigns, primarily targeting India’s government, defense, and aerospace sectors. This blog delves into Transparent Tribe's latest campaign and sheds light on their evolving methodologies and the strategic implications of their actions.

Background

Transparent Tribe, also known as ProjectM, Mythic Leopard, or Earth Karkaddan, operates with a Pakistani nexus and has a well-documented history of cyber espionage activities against India. Despite their lack of sophisticated techniques, the group’s persistent adaptation and evolution of their tools make them a formidable adversary.

The ongoing conflict over the Kashmir region and recent escalations in diplomatic tensions between India and Pakistan provide a backdrop for Transparent Tribe’s targeting of critical sectors in India. This campaign aligns with their long-term objective of gathering intelligence to support national strategic interests.

Who Was Targeted in Transparent Tribe’s Campaign?

Transparent Tribe’s latest cyber espionage campaign primarily focused on India’s critical sectors, emphasizing the defense and aerospace industries. The strategic selection of these targets underscores the group's intent to gather sensitive intelligence that can significantly impact national security. Below is a detailed analysis of the key sectors and entities that were targeted during this campaign.

  1. Defense Sector
  • Indian Armed Forces

The Indian Armed Forces, including the Army, Navy, and Air Force, were among the primary targets. Transparent Tribe sought to infiltrate networks and systems to gather intelligence on military strategies, operational plans, and technological advancements.

  • Defense Contractors

Companies involved in defense manufacturing and research, such as Hindustan Aeronautics Limited (HAL) and Bharat Electronics Limited (BEL), were targeted. These organizations play a crucial role in developing and producing defense equipment, making them valuable sources of technical and strategic information.

  1. Aerospace Sector
  • Research and Development Institutions

Organizations engaged in aerospace research, such as the Indian Space Research Organisation (ISRO) and the Defence Research and Development Organisation (DRDO), were key targets. Transparent Tribe aimed to access information on space missions, satellite technology, and defense-related aerospace projects.

  • Aviation Companies

Commercial and defense aviation companies, including those involved in the design and manufacture of aircraft and related systems, were also on the radar. The goal was to obtain proprietary information and technological blueprints that could be leveraged for strategic advantage.

  1. Government Agencies
  • Ministry of Defence

The Ministry of Defence (MoD) and its various departments were targeted to extract high-level strategic information, policy documents, and communication records. Access to such data could provide significant insights into India’s defense planning and international collaborations.

  • Diplomatic Entities

Diplomatic entities, including embassies and consulates, particularly those involved in defense diplomacy and international security collaborations, were targeted to intercept communications and gather intelligence on diplomatic strategies and negotiations.

  1. Private Sector and Think Tanks
  • Security and Defense Think Tanks

Think tanks specializing in defense and security studies, such as the Institute for Defence Studies and Analyses (IDSA), were targeted to acquire research reports, policy recommendations, and expert analyses that influence government policies.

  • Private Security Firms

Private firms providing cybersecurity and defense consulting services were also on the list of targets. Compromising these entities could allow Transparent Tribe to understand the defensive measures employed by their primary targets and potentially bypass them.

  1. Educational Institutions
  • Universities and Research Centers

Universities and research centers involved in advanced technological research and defense studies, such as the Indian Institutes of Technology (IITs) and the Indian Institutes of Science (IISc), were targeted. These institutions often collaborate with the government and industry on cutting-edge research projects.

Targeted Attack Vectors

  • Spear-Phishing Campaigns-It remained the primary method of delivering malicious payloads to these targeted entities. Highly personalized emails containing malicious attachments or links were sent to employees and researchers to gain initial access.

  • Malicious ISO Images-The use of ISO images as a new attack vector was particularly notable. These images were crafted to appear as legitimate files related to defense and aerospace projects, enticing recipients to open them and unwittingly execute the embedded malware.

Strategic Implications

  • Intelligence Gathering - By targeting these critical sectors, Transparent Tribe aimed to gather a wealth of intelligence that could be used to support strategic decision-making and military planning.

  • Technological Espionage - The campaign’s focus on defense contractors, aerospace R&D institutions, and private firms highlights an intent to steal technological innovations and proprietary information, potentially to replicate or counteract them.

  • Policy Influence - Compromising think tanks and government agencies could provide insights into policy-making processes, enabling adversaries to anticipate and influence future policies.

Campaign Overview

BlackBerry’s Threat Research and Intelligence Team uncovered a cluster of malicious activities attributed to Transparent Tribe. The campaign targeted India's government, defense, and aerospace sectors, deploying a range of malicious tools and employing new attack vectors, including ISO images and cross-platform programming languages like Python, Golang, and Rust.

Key Findings

  • Cross-Platform Tools: Transparent Tribe leveraged Python, Golang, and Rust to develop cross-platform tools, allowing them to target multiple operating systems with minimal modifications.
  • Web Services Abuse: The group utilized popular web services such as Telegram, Discord, Slack, and Google Drive for command-and-control (C2) operations and data exfiltration.
  • New Attack Vectors: The use of ISO images as an attack vector marked a notable shift in their approach. These images contained malicious payloads targeting specific sectors.
  • Sophisticated Espionage Tools: A new Golang-compiled "all-in-one" espionage tool was discovered, capable of file exfiltration, screenshot capture, and remote command execution.

MITRE ATT&CK® Techniques

Transparent Tribe employed various techniques across different stages of the attack lifecycle:

  • Resource Development: T1588.002 - Acquire or compromise infrastructure.
  • Initial Access: T1566.001, T1566.002 - Spear-phishing attachments and links.
  • Execution: T1204.001, T1204.002, T1059.004, T1059.006 - User execution, malicious links, scripting.
  • Persistence: T1053.003, T1547.013, T1547.001 - Scheduled tasks, boot or logon initialization scripts.
  • Discovery: T1082, T1217 - System information discovery, browser bookmark discovery.
  • Collection: T1113 - Screen capture.
  • Defense Evasion: T1027.010, T1564.001, T1140 - Obfuscation, hidden files and directories, deobfuscate/decode files or information.
  • Command-and-Control: T1071.001 - Application layer protocol.

Weaponization and Attack Vectors

Malicious Tools

  • Python-Based Document Stealers: Deployed in both ELF and PE formats, these tools were used for stealing documents and sensitive information.
  • Obfuscated Shell Scripts: Utilized for maintaining persistence and executing commands.
  • Poseidon Agents: Golang-compiled agents designed for cross-platform compatibility.
  • Telegram RAT and Go-Stealer: Remote access tools leveraging Telegram for C2.

Attack Vectors

  • Spear-Phishing: The primary method for initial access, using malicious ZIP archives, ISO images, and links.
  • Malicious ISO and ZIP Archives: Delivered payloads through seemingly legitimate files and documents.
  • Credential Stealing: Using tools like HTTrack Website Copier to gather credentials.

Network Infrastructure

Transparent Tribe’s network infrastructure was diverse, involving various hosting providers and leveraging web services for C2 operations. Key infrastructure components included:

  • Domains: Hosted on providers like Hostinger International Limited, Contabo GmbH, NameCheap, Inc., and Amazon Data Services India.
  • Web Services: Telegram, Google Drive, and Discord were used for command-and-control and data exfiltration.
  • Mythic C2 Infrastructure: Utilized for managing their operations and maintaining persistence.

Detailed Attack Chain

Initial Access

Transparent Tribe primarily used spear-phishing emails to deliver malicious payloads. These emails often contained malicious ISO images or ZIP archives that, when executed, deployed a range of tools designed to exfiltrate data and maintain persistence on the target systems.

Weaponization

The group’s use of ISO images began in October 2023, marking a significant shift in their attack strategy. These ISO images contained a variety of malicious files, including:

  • Python-based downloaders: Compiled into ELF binaries, these scripts monitored specific directories and targeted files with popular extensions like .pdf, .docx, .xlsx, etc.
  • Golang-based espionage tools: These tools included capabilities for file exfiltration, screenshot capture, and command execution.

Execution and Persistence

Once executed, the payloads established persistence through various methods, including:

  • Scheduled Tasks and Logon Scripts: Ensuring the payloads run at startup.
  • Obfuscated Shell Scripts: Maintaining a low profile to avoid detection.
  • Mythic Agents: Providing robust command-and-control capabilities.

Collection and Exfiltration

The deployed tools were designed to collect sensitive information, including:

  • Documents and Files: Targeting files with specific extensions across multiple directories.
  • Screenshots: Capturing the screen contents periodically.
  • Browser Data: Exfiltrating session details from browsers like Firefox.

The collected data was then exfiltrated using various web services, including Telegram, Google Drive, and Discord.

Command-and-Control Transparent Tribe employed multiple C2 mechanisms, leveraging popular web services to communicate with the infected systems and exfiltrate data. This approach allowed them to blend in with legitimate traffic and evade detection.

Indicators of Compromise (IoCs)

Domains

  • files.tpt123.com
  • infosec2.in
  • certdehli.in
  • twff247.cloud
  • winp247.cloud

Timeline of the 2023 Campaign

The campaign from APT36 started in early 2023 and has been ongoing. Below is a detailed timeline of key events and discoveries:

  • January 2023: Initial phishing emails were detected, targeting senior officials in India's defense ministry.
  • February 2023: Deployment of Crimson RAT was observed, with significant data exfiltration from compromised systems.
  • March 2023: Security researchers identified a new variant of ObliqueRAT being used in the campaign.
  • April 2023: Increased activity targeting aerospace companies involved in defense contracts.
  • May 2023: Discovery of Pinecone malware in multiple defense contractor networks.
  • June 2023: Public disclosure of the campaign by leading cybersecurity firms, urging immediate countermeasures.

For a deeper understanding of APT36, also known as Transparent Tribe and their tactics, techniques, and procedures (TTPs) you can explore

Conclusion

Transparent Tribe’s latest campaign underscores the evolving nature of cyber threats and the persistent efforts of adversaries to infiltrate and gather intelligence from strategic targets. The use of cross-platform tools, abuse of web services, and introduction of new attack vectors like ISO images highlight the group’s adaptability and resilience.

Organizations, particularly those in critical sectors such as defense and aerospace, must remain vigilant and enhance their security measures to detect and mitigate such sophisticated threats. Continuous monitoring, threat intelligence sharing, and adopting advanced security solutions are crucial steps in defending against adversaries like Transparent Tribe.

As geopolitical tensions persist, it is imperative for nations to bolster their cyber defenses and ensure the protection of their critical infrastructure and sensitive information. The insights from this detailed analysis of Transparent Tribe’s campaign provide valuable lessons for enhancing cybersecurity strategies and fortifying defenses against emerging threats.

Want to write a blog?

Unfold your thoughts and let your ideas take flight in the limitless realm of cyberspace. Whether you're a seasoned writer or just starting, our platform offers you the space to share your voice, connect with a creative community and explore new perspectives. Join us and make your mark!

Follow us on social media

Cyber Unfolded Light Logo
Copyright © 2024 CYUN. All rights reserved.