APT36's cyber blitz on India.
Dave Bittner: Hello, everyone, and welcome to the CyberWire's Research Saturday. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down the threats and vulnerabilities, solving some of the hard problems, and protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.
Ismael Valenzuela: Transparent Tribe has been around for a long time, at least a decade. The report points to 2013, around that time. And many of these groups, they have been involved in the tactics on a regular basis. And this is what we see with Transparent Tribe as well.
Dave Bittner: That's Ismael Valenzuela, vice president of Threat Research and Intelligence from BlackBerry's Threat Research and Intelligence team, discussing their work on "Transparent Tribe targets Indian government, defense, and aerospace sectors, leveraging cross-platform programming languages." [ Music ]
Ismael Valenzuela: I have the pleasure to lead a team, very capable and professional experts, on threat research and doing intelligence. We monitor the threat landscape and we obviously are doing these things for the sake of protecting our customers, right, from any of these attacks. We have a significant presence in Asia-Pacific. And I would say that what's been happening in Asia-Pacific in the last few years is very interesting. So we keep an eye on all of these activities.
Dave Bittner: Well, let's talk about the group itself. I mean, what should people know about Transparent Tribe?
Ismael Valenzuela: Yeah, so Transparent Tribe has been, as I said before, out there for about 10 years. And I wouldn't call it a very highly sophisticated group based on the artifacts -- I like to call it weapons, right, the weapons that they use. They use a lot of open source. They use a lot of freely available commodity malware, commodity toolkits. They have been using phishing attacks. They have been using social media, fake profiles, fake websites, as watering hole attacks. And one of the things that helps us to identify this group distinctly is definitely their targeting. Based on our research, this group has been largely interested in India. And if we look at the geopolitical issues around this region, we can see that based on the research of not just BlackBerry but others, other research teams out there in the industry, we can see that this group is either based out of Pakistan, or very aligned with the nation.
Dave Bittner: Well, let's talk about the types of things that they're after here. I mean, what does an attack by Transparent Tribe typically look like?
Ismael Valenzuela: Well, so over the years, we have seen how they have been targeting India specifically, but also other nations outside of India -- US, Europe, Australia. But the prime target seems to remain India. They have been targeting government, governing bodies, but also, they have been targeting human rights activists within Pakistan itself, right? Which, again, clearly aligns to certain objectives. There are some reports that have been issued in the past, especially around 2016/2017, that indicate very clearly that the people behind this group could be even within the military, Pakistani military. There is a very interesting report from Amnesty International from 2018 that talks about specific campaigns against human rights defenders in Pakistan and how this group, for example, used fake social media profiles, targeted phishing attacks, trying to steal Google and Facebook credentials in order to access information from these people. And this malware that is well known, known as "Crimson," it's a type of stealer, remote access tool, used for long-term digital surveillance, essentially. So we have seen this type of toolkit being used a lot against these different objectives that align to the objectives of Pakistani military.
Dave Bittner: Well, suppose that I was someone who they had their eye on here. Can you sort of walk us through what the campaign would look like?
Ismael Valenzuela: Yes. So for the one that we just documented in our report, we have seen some very specific artifacts related to ISO images, lures related to, for example, Indian Defense Forces. We know that India has invested heavily in cybersecurity in the last few years. They have been investing a lot in specific versions of Linux for them. And they have been also investing heavily in traditional defense, right? So they're dealing with a lot of contractors. And this increases the chances that any of these objectives, specific objectives, would be -- any military, right, any military or government, would be attracted to any of these lures. And that could be typically some sort of an email or phishing attack. Or it could be a watering hole website. For example, we have seen some fake Indian news sites that have been created with the idea of targeting specific individuals within government or military. Now, if we're talking about human rights activists -- US journalist, right, you may be very familiar with this -- this could be, for example, somebody that will try to friend you on a social media platform, maybe with a lure related to, hey, I have some information that may be interesting to you. And that could include a link to one of these malicious sites where you're going to be downloading some software that will compromise your machine. It could be, for example, you know, some document that is weaponized, a Word document or PDF documents, as we see in this campaign that we've reported at BlackBerry. Or it could be also, hey, install this application on your phone for this particular purpose. We have seen this group over the years using Android malware and even iOS surveillance tools.
Dave Bittner: We'll be right back. It's interesting, you point out in the research that they are known for using a wide array of tools. Can you give us some examples of the types of things that we'll typically see them using?
Ismael Valenzuela: Yes. We have seen them using pretty much everything, as I mentioned before -- Android tools, iOS tools, open source tools, Windows tools, Linux, as I just mentioned before. This group knows that India has invested heavily in a very specific hardened version of Linux distribution. And they're using these to target Linux, specifically, this type of version. And that's why we see, for example, ELF, these are Linux binaries. And why we see these tools developed in cross-platform languages. For example, Golang, as we report in this blog.
Dave Bittner: So what are your recommendations for organizations to best protect themselves here?
Ismael Valenzuela: Well, one of the reasons why they also use Linux binaries is because a lot of organizations, they don't have good protection outside of Windows, right? And we know that having a good layer of protection of Windows is not trivial, but many organizations neglect other platforms like Linux servers, for example. Many organizations neglect those -- macOS. So I always talk about having a good threat model, right? Because these adversaries, they're going after something specific. So if you're a journalist, right, you need to know who's out there, who's your adversary, who might be interested in compromising any of your systems to have access to some of the information you may have and might be of their interest, right? If you're an organization based out of Southeast Asia, are you working with any of these countries? The geopolitical issues around these countries are very interesting. We talked about India investing in air force, for example, bolstering their air force capabilities. That's why we see attacks against aerospace and defense manufacturers in the region. Well, Pakistan has done the same thing. Beginning this year, I think it was February 2024, they said they were going to invest over $36 million in national cybersecurity. And we know that China is typically supporting a lot of these Pakistani initiatives. Whereas the US aligns typically with India. So if you're in the region conducting business, this should influence your threat model. And being updated with this type of information, knowing what are the tactics, the techniques, the procedures that attackers are using, the type of lures, the type of activities they're using to compromise a particular device, sometimes even with physical access, right? If you have facilities in the region, augmenting your physical security could also be very important. Because we know that in some cases there might be some physical access involved in some of these attacks too.
So essentially, having a good threat model, knowing who might be after you -- because you cannot defend against everything -- and then using that threat model to focus your defensive strategy and having holistic different strategy across all these different platforms.
Dave Bittner: I think you mentioned this earlier in our conversation, but can you speak to the sophistication or lack thereof of this particular group?
Ismael Valenzuela: Transparent Tribe has traditionally used relatively simplistic or non-sophisticated toolkits or attack chains. But as we see, this is not that much about how sophisticated the group is; it's more about the effectiveness. And also by having a wide variety of different malware, different ways of getting into the organizations -- the phishing, the fake social profiles, fake websites -- this also gives them a higher chance of success. And it may make it more difficult for attackers to track all of these attack surfaces, right, all of these aspects of the group's activities, and to have a solid defensive mechanism. I mean, if we look at the report we just put together, we talk about ISO images. Is this new? It's not really that new. We have seen this before. It was the first time that Transparent Tribe used these ISO images. PDF documents, again, nothing that new, right? Golang compiled all-purpose espionage tools. We have been reporting this over some time. If you have been following some of our quarterly threat reports, we often talk about how attackers are moving towards using cross-platform languages. So even though there's nothing relatively brand-new, we also talk about this quarter and Telegram being used. A lot of this software, it's slightly modified from something that is publicly available that you can find on detog (phonetic), for example. So there's nothing really highly sophisticated, but it shows that they know the tools are out there, and it shows that they know how to use them against very specific targets with a very specific motivation. Our goal is to make sure that defenders also know the variety of tools and techniques that these attackers can use.
Dave Bittner: That's interesting insight. I mean, I guess it speaks to the fact that you don't necessarily have to be terribly sophisticated if you are persistent.
Ismael Valenzuela: Absolutely, absolutely. And if you know how to leverage the human factor, right? Again, a lot of these things rely on phishing; it relies on convincing somebody that, hey, I have some information, or here's something that you might be interested in, install this for XYZ reasons. [ Music ]
Dave Bittner: And that's Research Saturday, brought to you by N2K's CyberWire. Our thanks to Ismael Valenzuela from BlackBerry's Threat Research and Intelligence team for joining us. The research is titled "Transparent Tribe targets Indian government defense and aerospace sectors, leveraging cross-platform programming languages." We'll have a link in the Show Notes. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your podcast app. Please also fill out the survey in the Show Notes, or send an email to cyberwire@n2k.com. We're privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world's preeminent intelligence and law enforcement agencies. N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams while making your teams smarter. Learn how at n2k.com. This episode was produced by Liz Stokes. We're mixed by Elliott Peltzman and Tre Hester. Our executive producer is Jennifer Iben. Our executive editor is Brandon Karpf. Simone Petrella is our president. Peter Kilpe is our publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here next time. [ Music ]