CyberWire Daily - APT36's cyber blitz on India. [Research Saturday]

Episode Date: June 29, 2024

Ismael Valenzuela, Vice President Threat Research & Intelligence, from BlackBerry's Threat Research and Intelligence team is discussing their work on "Transparent Tribe Targets Indian Government, Defense, and Aerospace Sectors Leveraging Cross-Platform Programming Languages." BlackBerry has identified Transparent Tribe (APT36), a Pakistan-based advanced persistent threat group, targeting India's government, defense, and aerospace sectors from late 2023 to April 2024, using evolving toolkits and exploiting web services like Telegram and Google Drive. Evidence such as time zone settings and spear-phishing emails with Pakistani IP addresses supports their attribution, suggesting alignment with Pakistan's interests. The research can be found here: Transparent Tribe Targets Indian Government, Defense, and Aerospace Sectors Leveraging Cross-Platform Programming Languages

Transcript
Starting point is 00:00:00 You're listening to the CyberWire Network, powered by N2K. Hello, everyone, and welcome to the CyberWire's Research Saturday. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down the threats and vulnerabilities, solving some of the hard problems, and protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us. Transparent Tribe has been around for a long time, at least a decade. The early reports point to 2013
Starting point is 00:02:01 around that time. And as many of these groups, they have been evolving their tactics on a regular basis. And this is what we see with Transparent Tribe as well. That's Ismael Valenzuela, Vice President of Threat Research and Intelligence from BlackBerry's Threat Research and Intelligence team, discussing their work on Transparent Tribe Targets Indian Government,
Starting point is 00:02:24 Defense and Aerospace Sectors Leveraging Cross-Platform Programming Languages. I have the pleasure to lead a team of very capable and professional experts on threat research and doing intelligence. So we monitor the threat landscape and we obviously are doing these things for the sake of protecting our customers from any of these attacks. We have a significant presence in Asia Pacific and I would say that what's been happening in Asia Pacific in the last few years is very interesting. So we do have a, we keep an eye on all of these activities. Well, let's talk about the group itself. I mean, what should people know about Transparent Tribe?
Starting point is 00:03:13 Yeah, so Transparent Tribe has been, as I said before, out there for about 10 years. And it's not really, I wouldn't call it a very highly sophisticated group based on the artifacts. I like to call it weapons, right? The weapons that they use. They use a lot of open source. They use a lot of freely available commodity malware, commodity toolkits. They have been using phishing attacks.
Starting point is 00:03:41 They have been using social media, fake profiles, fake websites as watering hole attacks. And one of the things that help us to identify this group distinctly is definitely their targeting. Based on our research, this group has been largely interested in India. And if we look at the geopolitical issues around this region, we can see that, and based on the research of not just BlackBerry, but other research teams out there in the industry, we can see that this group is either based out of Pakistan or very aligned with the nation. Well, let's talk about the types of things that they're after here. I mean, what does an attack by Transparent Tribe typically look like?
Starting point is 00:04:35 Well, so over the years, we have seen how they have been targeting India specifically, but also other nations outside of India, U.S., Europe, Australia. But the prime target seems to remain India. They have been targeting government, government bodies, but also they have been targeting human rights activists within Pakistan itself, which, again, clearly aligns to certain objectives. There are some reports that have been issued in the past, especially around 2016, 2017,
Starting point is 00:05:12 that indicate very clearly that the people behind this group could be even within the Pakistani military. There is a very interesting report from Amnesty International from 2018 that talks about specific campaigns against human rights defenders in Pakistan and how this group, for example, used fake social media profiles, targeted phishing attacks, trying to steal their Google and Facebook credentials in order to access information from these people. And this malware that is well known as Crimson, it's a type of a stealer, remote access tool,
Starting point is 00:05:58 used for long-term digital surveillance, essentially. So we have seen this type of toolkit being used a lot against these different objectives that align to the objectives of the Pakistani military. Well, suppose that I was someone who they had their eye on here. Can you sort of walk us through what the campaign would look like? Yes. So for the one that we just documented in our report, we have seen, well, some very specific artifacts related to ISO images,
Starting point is 00:06:36 lures related to, for example, Indian defense forces. We know that India has invested heavily in cybersecurity in the last few years. They have been investing a lot in specific versions of Linux for them. And they have been also investing heavily in traditional defense. So they're dealing with a lot of contractors. And this increases the chances that any of these objectives, specific objectives, would be in the military, right? In the military or government would be attracted to any of these lures. And that could be typically some sort of an email or a phishing attack, or it could be a watering hole website. For example, we have seen some fake Indian news sites that have been created with the idea of targeting specific individuals within government or military. Now, if we're
Starting point is 00:07:32 talking about human rights activists and you as a journalist, you may be very familiar with this. This could be, for example, somebody that will try to friend you on a social media platform, maybe with a lure related to, hey, I have some information that might be of interest to you. And that could include a link to one of these malicious sites where you're going to be downloading some software that will compromise your machine. It could be, for example, some document that is weaponized, a Word document or PDF documents as we see in this campaign that we've reported at BlackBerry. Or it could be also, hey, install this application on your phone
Starting point is 00:08:16 for this particular purpose. We have seen this group over the years using Android malware and even iOS surveillance tools. We'll be right back. Do you know the status of your compliance controls right now? Like, right now? We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta.
Starting point is 00:09:01 Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. Yeah, it's interesting that you point out in the research that they are known for using a wide array of tools. Can you give us some examples of the types of things
Starting point is 00:09:54 that we'll typically see them using? Yes, we have seen them using pretty much everything, as I mentioned before, Android tools, iOS tools, open source tools, Windows tools, Linux. As I just mentioned before, this group knows that India has invested heavily in a very specific hardened version of Linux distribution, and they're using these to target Linux, specifically this type of version. And that's why we see, for example, ELF. These are Linux binaries.
Starting point is 00:10:34 And why we see these tools developed in cross-platform languages, for example, Golang, as we report in this blog. So what are your recommendations for organizations to best protect themselves here? Well, one of the reasons why they also use Linux binaries is because a lot of organizations, they don't have a good protection outside of Windows. And we know that having a good layer of protection on Windows is not trivial, but many organizations neglect other platforms like Linux servers, for example.
Starting point is 00:11:12 Many organizations neglect those, macOS. So I always talk about having a good threat model, because these adversaries are going after something specific. So if you're a journalist, you need to know who is out there, who's your adversary, who might be interested in compromising any of your systems to have access to some of the information you may have that might be of their interest, right? If you're an organization based out of Southeast Asia, are you working with any of these countries? The geopolitical issues around these countries are very, very interesting. We talked about India investing in Air Force, for example, bolstering their Air Force capabilities.
Starting point is 00:11:57 That's why we see attacks against aerospace and defense manufacturers in the region. Well, Pakistan has done the same thing. Beginning this year, I think it was Feb 2024, they said they were going to invest over $36 million in national cybersecurity. And we know that China is typically supporting a lot of these Pakistani initiatives, whereas the US aligns typically with India. So if you are in the region conducting business, this should influence your threat modeling. And being updated with this type of information, knowing what are the tactics, the techniques, the procedures that attackers are using, the type of lures, the type of activities
Starting point is 00:12:42 that they're using to compromise a particular device, sometimes even with physical access. If you have facilities in the region, augmenting your physical security could also be very, very important because we know that in some cases there might be some physical access involved in some of these attacks too.
Starting point is 00:13:02 So essentially, having a good threat model, knowing who might be after you because you cannot defend against everything, and then using that threat model to focus your defensive strategy and having a holistic defense strategy across all these different platforms. I think you mentioned this earlier in our conversation, but can you speak to the sophistication or lack thereof of this particular group?
Starting point is 00:13:33 Transparent Tribe has traditionally used relatively simplistic or non-sophisticated toolkits or attack chains. But as we see, this is not that much about how sophisticated the group is. It's more about the effectiveness. And also by having a wide variety of different malware, different ways of getting into the organizations, the phishing, the fake social profiles, fake websites, this also gives them a higher chance of success. And it may make it more difficult for attackers to track all of these attack
Starting point is 00:14:08 surface, right? All of these aspects of the group's activities and to have a solid defensive mechanism. I mean, if we look at the report we just put together, we talk about ISO images. Is this new? It's not really that new. We have seen this before. It was the first time that Transparent Tribe used these ISO images. PDF documents, again, nothing that new, right?
Starting point is 00:14:33 Golang compiled all-purpose espionage tools. We have been reporting this over some time. If you have been following some of our quarterly threat reports, we often talk about how attackers are moving towards using cross-platform languages. So even though there's nothing relatively brand new, we also talk about Discord or Telegram being used. A lot of this software, it's slightly modified
Starting point is 00:15:01 from software that is publicly available that you can find on GitHub, for example. So there's nothing really highly sophisticated, but it shows that they know the tools that are out there and it shows that they know how to use them against very specific targets with a very specific motivation. Our goal is to make sure that defenders also know
Starting point is 00:15:24 the variety of tools and techniques that these attackers can use. That's an interesting insight. I mean, I guess it speaks to the fact that you don't necessarily have to be terribly sophisticated if you are persistent. Absolutely. Absolutely. And if you know how to leverage the human factor, right? Again, a lot of these things rely on phishing. It relies on convincing somebody that, hey, I have some information, or here's something that you might
Starting point is 00:15:50 be interested in, install this for XYZ reasons. And that's Research Saturday brought to you by N2K CyberWire. Our thanks to Ismael Valenzuela from BlackBerry's Threat Research and Intelligence team for joining us. The research is titled Transparent Tribe Targets Indian Government, Defense and Aerospace Sectors Leveraging Cross-Platform Programming Languages. We'll have a link in the show notes. And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses
Starting point is 00:16:36 is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io. We'd love to know what you think of this podcast.
Starting point is 00:17:12 Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire at n2k.com. We're privileged that N2K Cyber Wire is part of the daily routine of the most influential leaders and operators in the public and private sector,
Starting point is 00:17:36 from the Fortune 500 to many of the world's preeminent intelligence and law enforcement agencies. N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams while making your teams smarter. Learn how at n2k.com. This episode was produced by Liz Stokes. We're mixed by Elliot Peltzman and Trey Hester. Our executive producer is Jennifer Iben. Our executive editor is Brandon Karpf.
Starting point is 00:18:03 Simone Petrella is our president. Peter Kilpie is our publisher. And I'm Dave Bittner. Thanks for listening. We'll see you back here next time. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
