
Pakistani cybercriminals target Indian defence and aerospace


A Pakistan-based hacker group dubbed Transparent Tribe was found targeting India’s government, defence, and aerospace sectors. Security researchers at Blackberry first discovered the intrusion, which started in late 2023 and lasted until April 2024. The researchers expect the intrusion to persist, suggesting that the hackers might still be inside government systems.

The group’s targeting has also been quite strategic in this period. The primary focus was placed on Indian defence forces and state-run defence contractors. In September 2023, Blackberry also found a spear-phishing email targeting “numerous key stakeholders and clients” of the Department of Defence Production (DDP), specifically those in the aerospace industry.

The header of the spear-phishing email sent to one of the targeted companies. | Source: Blackberry

This spear-phishing email was sent directly to one of the largest aerospace and defence companies in Asia and an Indian state-owned aerospace and defence company. It was also sent to Bharat Earth Movers Limited (BEML), Asia’s second-largest manufacturer of earth-moving equipment. BEML contributes to the country’s Integrated Guided Missile Development Project by supplying ground support vehicles. All three of the companies targeted have their headquarters in Bangalore, India. Key individuals from the DDP were also carbon-copied in the email.

The group’s activity focused on clients of the Department of Defence Production (DDP), specifically targeting the aerospace sector via phishing emails. Transparent Tribe has historically been snooping on the Indian military, looking to gather intelligence.

Blackberry researchers have backed their claims with evidence from several sources. One file served from the group’s infrastructure set the time zone to “Asia/Karachi”, the standard Pakistani time zone. Additionally, the researchers discovered a remote IP address associated with a Pakistani mobile-based data network operator embedded in a spear-phishing email. Last but not least, the strategic targeting of sectors critical to Indian national security suggests the group’s alignment with Pakistani interests.

Attack structure and capabilities of Transparent Tribe’s “all-in-one” espionage tool. | Source: Blackberry

Transparent Tribe’s attack methods and toolkits have also been evolving, according to the researchers. Earlier in October 2023, the group used ISO images as an attack vector. However, recently, the group was observed increasing its emphasis on cross-platform programming languages like Python, Golang, and Rust and abusing popular platforms like Telegram, Discord, Google Drive, and Slack.

The researchers also discovered a Golang-based espionage tool capable of finding and extracting files with popular file extensions, taking screenshots, uploading and downloading files, and executing commands. The tools deployed by the group recently are also newer iterations of those used in previous campaigns, which the researchers assess with moderate to high confidence were conducted by Transparent Tribe.


Yadullah Abidi

Yadullah is a Computer Science graduate who writes/edits/shoots/codes all things cybersecurity, gaming, and tech hardware. When he's not, he streams himself racing virtual cars. He's been writing and reporting on tech and cybersecurity with websites like Candid.Technology and MakeUseOf since 2018. You can contact him here: yadullahabidi@pm.me.
