A recent report from cybersecurity intelligence firm Blackberry has unveiled a series of cyberattacks orchestrated by a Pakistan-linked hacker group, Transparent Tribe, targeting India’s critical sectors, including government, defense, and aerospace. This Advanced Persistent Threat (APT) group has been identified as a significant threat to India’s national security, focusing particularly on clients of the Department of Defense Production (DDP).
Strategic Targeting of Defense and Aerospace Sectors
Blackberry’s continuous monitoring across the Asia-Pacific region revealed that Transparent Tribe’s activities spanned from late 2023 to April 2024. The group’s primary targets included some of the largest aerospace and defense companies in Asia, a state-owned defense electronics firm, and a major manufacturer of earth-moving equipment. Key individuals within the DDP were also targeted through phishing emails, which remain the group’s preferred method for delivering malicious payloads.
“Transparent Tribe’s targeting during this time has been quite strategic. The group’s primary focus during this period was on the Indian defense forces and state-run defense contractors. Historically, the group has primarily engaged in intelligence gathering operations against the Indian Military,” stated the Blackberry report.
Modus Operandi and Advanced Espionage Tools
Transparent Tribe employs phishing emails containing malicious ZIP archives or links, which install programs on the target systems to extract sensitive documents. A significant discovery by Blackberry was a new “all-in-one” espionage tool. This downloader retrieves a PDF lure and a payload capable of exfiltrating a broad range of files upon execution.
“Our investigation reveals Transparent Tribe has been persistently targeting critical sectors vital to India’s national security. This threat actor continues to utilize a core set of Tactics, Techniques, and Procedures (TTPs), which they have been adapting over time,” noted Blackberry. The group’s recent evolution includes the use of cross-platform programming languages, open-source offensive tools, and sophisticated attack vectors.
Transparent Tribe’s Identity and Historical Context
Also known as APT36, ProjectM, Mythic Leopard, or Earth Karkaddan, Transparent Tribe operates with a clear “Pakistani nexus.” The group has a documented history of cyber espionage against India’s defense, government, and education sectors. Blackberry’s analysis indicated a significant overlap with previous campaigns, including code reuse and similar network infrastructure.
Further evidence links Transparent Tribe’s activities to Pakistan, such as the time zone setting in their files (Asia/Karachi) and an ISO image traced to Multan, Pakistan. Additionally, a spear-phishing email contained a remote IP address associated with CMPak Limited, a Pakistan-based mobile data network operator owned by China Mobile.
The report suggests that Transparent Tribe’s recent activities align with Pakistan’s geopolitical goals, especially in strategically targeting India’s defense sector during critical periods, such as the modernization of the Indian Air Force. This is reminiscent of earlier attacks by uncategorized threat actors using malicious ISO images, which also targeted Indian defense entities.
Transparent Tribe’s notoriety extends beyond India. In 2018, an Amnesty International report alleged that the group compromised the personal devices of Pakistani human rights activists, highlighting its broader agenda and capabilities.
The Blackberry report underscores the ongoing cyber threats faced by India’s critical sectors from state-linked actors. Transparent Tribe’s persistent and evolving tactics serve as a reminder of the importance of robust cybersecurity measures and international cooperation in safeguarding national security. As the group continues to adapt, vigilance and advanced threat detection remain crucial in defending against such sophisticated cyber espionage operations.