Archive.fm

CyberWire Daily

APT36's cyber blitz on India. [Research Saturday]

Ismael Valenzuela, Vice President of Threat Research & Intelligence at BlackBerry's Threat Research and Intelligence team, discusses their work on "Transparent Tribe Targets Indian Government, Defense, and Aerospace Sectors Leveraging Cross-Platform Programming Languages." BlackBerry has identified Transparent Tribe (APT36), a Pakistan-based advanced persistent threat group, targeting India's government, defense, and aerospace sectors from late 2023 to April 2024, using evolving toolkits and abusing web services such as Telegram and Google Drive. Evidence such as time zone settings and spear-phishing emails sent from Pakistani IP addresses supports the attribution, suggesting alignment with Pakistan's interests. The research can be found here: Transparent Tribe Targets Indian Government, Defense, and Aerospace Sectors Leveraging Cross-Platform Programming Languages

Duration:
18m
Broadcast on:
29 Jun 2024
Audio Format:
mp3

[ Music ]

>> You're listening to the CyberWire Network, powered by N2K.

[ Music ]

>> Identity architects and engineers, simplify your identity management with Strata. Securely integrate non-standard apps with any IDP, apply modern MFA, and ensure seamless failover during outages. Strata helps you avoid app refactoring and reduces legacy tech debt, making your identity systems more robust and efficient. Strata does it better and at a better price. Experience stress-free identity management and join industry leaders in transforming their identity architecture with Strata. Visit strata.io/cyberwire, share your identity challenge, and get a free set of AirPods Pro. Revolutionize your identity infrastructure now. Visit strata.io/cyberwire, and our thanks to Strata for being a longtime friend and supporter of this podcast.

[ Music ]

>> Hello, everyone, and welcome to the CyberWire's Research Saturday. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down the threats and vulnerabilities, solving some of the hard problems, and protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.

[ Music ]

>> Transparent Tribe has been around for a long time, at least a decade. The early reports point to 2013, around that time. And as many of these groups, they have been evolving the tactics on a regular basis, and this is what we see with Transparent Tribe as well.

>> That's Ismael Valenzuela, Vice President of Threat Research and Intelligence, from BlackBerry's Threat Research and Intelligence team, discussing their work on "Transparent Tribe Targets Indian Government, Defense, and Aerospace Sectors Leveraging Cross-Platform Programming Languages."

[ Music ]

>> I have the pleasure to lead a team of very capable and professional experts on threat research and intelligence. So we monitor the threat landscape, and we obviously are doing these things for the sake of protecting our customers, right, from any of these attacks. We have a significant presence in Asia Pacific, and I would say that what's been happening in Asia Pacific in the last few years is very interesting. So we do have a -- we keep an eye on all of these activities.

>> Well, let's talk about the group itself. I mean, what should people know about Transparent Tribe?

>> Yeah, so Transparent Tribe has been, as I said before, out there for about 10 years. And it's not really -- I wouldn't call it a very highly sophisticated group based on the artifacts, I like to call it weapons, right, the weapons that they use. They use a lot of open source. They use a lot of freely available commodity malware, commodity toolkits. They have been using phishing attacks. They have been using social media, fake profiles, fake websites as watering hole attacks. And one of the things that we can -- that help us to identify this group distinctly is definitely their targeting. Based on our research, this group has been largely interested in India. And if we look at the geopolitical issues around this region, we can see that based on the research of not just BlackBerry, but other research teams out there in the industry, we can see that this group is either based out of Pakistan or aligned, very aligned with the nation.

>> Well, let's talk about the types of things that they're after here. I mean, what does an attack by Transparent Tribe typically look like?

>> Well, so over the years, we have seen how they have been targeting India specifically, but also other nations outside of India: US, Europe, Australia. But the prime target seems to be -- seems to remain India. They have been targeting government -- government bodies. But also, they have been targeting human rights activists within Pakistan itself, right? Which, again, clearly aligns to certain objectives. There are some reports that have been issued in the past, especially around 2016, 2017, that indicate very clearly that the people behind this group could be even within the military, Pakistani military. There is a very interesting report from Amnesty International from 2018 that talks about specific campaigns against human rights defenders in Pakistan and how this group, for example, used fake social media profiles, targeted phishing attacks, trying to steal their Google and Facebook credentials in order to access information from these people. And this malware that is well known as Crimson, it's a type of a stealer, remote access tool used for long-term digital surveillance, essentially. So we have seen this type of a toolkit being used a lot against these different objectives that align to the objectives of Pakistan and the military.

>> Well, suppose that I was someone who they had their eye on here. Can you sort of walk us through what the campaign would look like?

>> Yes, so for the one that we just documented in our report, we have seen, well, some very specific artifacts related to ISO images, lures related to, for example, Indian Defense Forces. We know that India has invested heavily in cybersecurity in the last few years. They have been investing a lot in specific versions of Linux for them, and they have been also investing heavily in traditional defense. So they're doing it with a lot of contractors, and this increases the chances that any of these specific objectives would be in the military, right? Indian military or government would be attracted to any of these lures, and that could be typically some sort of an email or phishing attack, or it could be a watering hole website. For example, we have seen some fake Indian news sites that have been created with the idea of targeting specific individuals within government or military. Now, if we're talking about human rights activists, and US journalists may be very familiar with this, this could be, for example, somebody that will try to friend you on a social media platform, maybe with a lure related to, hey, I have some information that might be interesting to you, and that could include a link to one of these malicious sites where you're going to be downloading some software that will compromise your machine. It could be, for example, some document that is weaponized, a Word document or PDF documents, as we see in this campaign that we reported at BlackBerry, or it could be also, hey, install this application on your phone for this particular purpose. We have seen this group over the years using Android malware and even iOS surveillance tools.

>> We'll be right back.

>> Enterprises today are using hundreds of SaaS apps. Are you reaping their productivity and innovation benefits, or are you lost in the sprawl? Enter Savvy Security. They help you surface every SaaS app, identity, and risk, so you can shine a light on shadow IT and risky identities. Savvy monitors your entire SaaS attack surface to help you efficiently eliminate toxic risk combinations and prevent attacks. So go on, get Savvy about SaaS and harness the productivity benefits, fuel innovation while closing security gaps. Visit savvy.security to learn more.

>> Yeah, it's interesting that you point out in the research that they are known for using a wide array of tools. Can you give us some examples of the types of things that we'll typically see them using?

>> Yes, we have seen them using pretty much everything, as I mentioned before: Android tools, iOS tools, open-source tools, Windows tools, Linux. As I just mentioned before, this group knows that India has invested heavily in a very specific, hardened version of Linux distribution, and they're using these to target Linux specifically, this type of version, and that's why we see, for example, ELF. These are Linux binaries, and why we see these tools developed in cross-platform languages, for example, Golang, as we report in this blog.

>> So what are your recommendations for organizations to best protect themselves here?

>> Well, one of the reasons why they also use Linux binaries is because a lot of organizations, they don't have a good protection outside of Windows, and we know that having a good layer of protection on Windows is not trivial, but many organizations neglect other platforms, like Linux servers, for example, organizations neglect those, macOS. So I always talk about having a good threat model, because these adversaries are going after something specific. If you're a journalist, you need to know who is out there, who's your adversary, who might be interested in compromising any of your systems to have some of the information you may have that might be of their interest. If you're an organization based out of Southeast Asia, are you working with any of these countries? The geopolitical issues around these countries are very, very interesting. We talked about India investing in Air Force, for example, bolstering their Air Force capabilities with... That's why we see attacks against aerospace and defense manufacturers in the region. Well, Pakistan has done the same thing. Beginning this year, I think it was Feb 2024, they said they were going to invest over $36 million in national cybersecurity. We know that China is typically supporting a lot of these Pakistani initiatives, whereas the U.S. aligns typically with India. So if you are in the region conducting business, this should influence your threat model, and being updated with this type of information, knowing what are the tactics, the techniques, the procedures that attackers are using, the type of lures, the type of activities that they're using to compromise a particular device, sometimes even with physical access. If you have facilities in the region, augmenting your physical security could also be very important, because we know that in some cases, there might be some physical access involved in some of these attacks too. So essentially, having a good threat model, knowing who might be after you, because you cannot defend against everything, and then using that threat model to focus your defensive strategy and having a holistic defensive strategy across all these different platforms.

>> I think you mentioned this earlier in our conversation, but can you speak to the sophistication or lack thereof of this particular group?

>> Transparent Tribe has traditionally used relatively simplistic or non-sophisticated toolkits or attack chains. But as we see, this is not that much about how sophisticated the group is, it's more about the effectiveness. And also by having a wide variety of different malware, different ways of getting into the organizations, the phishing, the fake social profiles, fake websites, this also gives them a higher chance of success. And it may make it more difficult for attackers to track all of this attack surface, right? All of these aspects of the group's activities and to have a solid defensive mechanism. I mean, if we look at the report we just put together, we talk about ISO images. Is this new? It's not really that new. We have seen this before. It was the first time that Transparent Tribe used these ISO images. PDF documents, again, nothing that new, right? Go like compiled all-purpose BONASH tools. We have been reporting this over some time. If you have been following some of our quarterly threat reports, we often talk about how attackers are moving towards using cross-platform languages. So even though there's nothing relatively brand new, we also talk about this core, the right in Telegram being used. A lot of this software, it's slightly modified from software that is publicly available that you can find on GitHub, for example. So there's nothing really highly sophisticated, but it shows that they know the tools that are out there, and it shows that they know how to use them against very specific targets with a very specific motivation. Our goal is to make sure that defenders also know the variety of tools and techniques that these attackers can use.

>> That's an interesting insight. I mean, I guess it speaks to the fact that you don't necessarily have to be terribly sophisticated if you are persistent.

>> Absolutely. Absolutely. And if you know how to leverage the human factor, again, a lot of these things rely on phishing, relies on convincing somebody that, hey, I have some information or here's something that you might be interested in, install this for X, Y, Z reasons.

>> And that's Research Saturday, brought to you by N2K CyberWire. Our thanks to Ismael Valenzuela from BlackBerry's Threat Research and Intelligence team for joining us. The research is titled "Transparent Tribe Targets Indian Government, Defense, and Aerospace Sectors Leveraging Cross-Platform Programming Languages." We'll have a link in the show notes.

>> The IT world used to be simpler. You only had to secure and manage environments that you controlled. Then came new technologies and new ways to work. Now, employees, apps, and networks are everywhere. This means poor visibility, security gaps, and added risk. That's why Cloudflare created the first-ever connectivity cloud. Visit cloudflare.com to protect your business everywhere you do business.

>> We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com. We're privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world's preeminent intelligence and law enforcement agencies. N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams while making your teams smarter. Learn how at N2K.com. This episode was produced by Liz Stokes. We're mixed by Elliott Peltzman and Tré Hester. Our executive producer is Jennifer Eiben. Our executive editor is Brandon Karpf. Simone Petrella is our president. Peter Kilpe is our publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here next time.

>> Quick question. Do your end users always work on company-owned devices and IT-approved apps? If the answer is no, then my next question is, how do you keep company data safe on all those unmanaged apps and devices? 1Password has an answer to this question: extended access management. 1Password Extended Access Management helps you secure every sign-in for every app on every device, because it solves the problem traditional IAM and MDM can't touch. Check it out at onepassword.com/xn2. At onepassword.com/xam. That's onepassword.com/xn2.

[ Music ]