(844) 627-8267
(844) 627-8267

Espionage: Pakistani hackers target Make in India defence programs | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #hacker

A seemingly innocuous email landed in the inbox of an Indian defence official. At first, his wary eyes dismissed it. But the sender – supposedly a renowned think-tank – held a certain weight. He clicked the mail and the attached PDF document circulated by one Shakeel Bhatti. By the time he realised it was a trap, sensitive data had already been stolen.

And it was not an isolated incident.

As per a report, three public sector defence equipment manufacturers as well as India’s security forces have been on the target of an espionage campaign run by a notorious Pakistani hacking group with suspected links to its military.

Transparent Tribe, known as Advanced Persistent Threat (APT) 36 among cybersecurity professionals, has been targeting employees in defence establishment, especially in companies that come under the Defence Ministry’s Department of Defence Production.

A cyberattack campaign designed to target personnel of the Indian Air Force (IAF), earlier reported by India Today, was also run by this group.

In its report, Canadian cybersecurity firm BlackBerry said it traced the roots of the online espionage campaign to Pakistani cities and identified Shakeel Bhatti as a group member.

Pakistan’s ‘Transparent Tribe’ largely uses phishing to deploy information-stealing malware.


Indian defence forces and state-run defence contractors were the focus of the Transparent Tribe between September 2023 and April 2024, the BlackBerry Research & Intelligence Team said in its report.

Phishing emails containing malware were sent directly to “one of the largest aerospace and defense companies in Asia”, “an Indian state-owned aerospace and defence electronics company” and to “Asia’s second-largest manufacturer of earth moving equipment, which plays a key role in the country’s Integrated Guided Missile Development Project by supplying ground support vehicles”, the report said without explicitly naming the targets.

The companies most likely are Hindustan Aeronautics Limited (HAL), Bharat Electronics Limited (BEL), and Bharat Earth Movers Limited (BEML) – all headquartered in Bengaluru.

The attackers “carbon-copied” the online appearance of key officials within the Department of Defence Production to deceive their targets.

To get more targets to open the phishing mails, they used a wide range of subjects – from topics of general interest such as holiday camp in Rajasthan’s Jaisalmer, pension, provident fund, appraisal, an education loan application, and telephone directory to more professional subjects like the IAF headquarters’ public relations policy, unspecified invitations, concept paper for defence export, and minutes of review meetings.


The cyber-attackers sought to exploit the goodwill of many military-run and private entities that are widely recognised in defence circles. Website domains mimicking those of the Indian Computer Emergency Response Team (CERT-In), the Centre for Land Warfare Studies (CLAWS), Delhi Cantt’s Army Public School, and the Army Welfare Education Society which runs hundreds of army schools, were created and included in the espionage campaign to earn the trust of victims.

The attackers have used Discord, Slack, Telegram and Google Drive to export the stolen data.


The attackers have been using a variety of techniques and tools to deliver malware into targeted systems, with phishing emails being the preferred method. Malicious ZIP archives or executable and linkable format (ELF) files – that can run on different processor types – were delivered to target mailboxes.

ELF binaries are designed to monitor directories for specific file types, exfiltrating them to external servers.

The BlackBerrry report said the group relied heavily on ELF binaries to infiltrate the Linux-based operating system MayaOS that has indigenously developed for the defence sector.

The group also developed Python-based downloaders and Windows binaries that perform similar functions.

It deployed an “all-in-one” espionage tool based on Google’s open-source language called GoLang with capabilities to find and exfiltrate files with popular file extensions, take screenshots, upload and download files, and execute commands.

In addition, it continues to use ISO images as an attack vector as first reported by India Today.

These attacks leveraged cross-platform programming languages such as Python, GoLang, and Rust and exploited web services like Telegram, Discord, and Google Drive to export the stolen data.


Researchers at Blackberry found traces suggesting the involvement of Pakistan-based actors. For example, the time-zone variable for a file extracted from a malicious delivery package was set to “Asia/Karachi,” a Pakistani time zone.

Similarly, an ISO image used in the espionage campaign was submitted from Multan and a remote IP address linked to the phishing emails was traced to CMPak Limited, which is Pakistan-based and owned by China Mobile.

A 2018 report by cybersecurity firm Lookout said it believed Transparent Tribe was associated with the Pakistani military.

Published By:

Ashutosh Acharya

Published On:

May 27, 2024


Click Here For The Original Story From This Source.


National Cyber Security