Seqrite reveals coordinated Pakistani APT campaigns targeting Indian government entities
Seqrite, the enterprise division of global cybersecurity provider Quick Heal Technologies Limited, has uncovered and analyzed a series of sophisticated cyber campaigns aimed at critical Indian government entities. These advanced persistent threats (APTs), attributed to several Pakistan-based threat actors, mark a notable escalation in cyber operations targeting India’s defense and infrastructure sectors.
Research conducted by Seqrite Labs’ APT team, India’s largest malware analysis facility, has uncovered a sophisticated network of interconnected APT groups, including Transparent Tribe (APT36), SideCopy, and RusticWeb. These groups have been observed sharing infrastructure, tactics, and malware components, revealing an unprecedented level of coordination among them. The campaigns have specifically targeted strategic Indian assets, such as the Indian Air Force, shipyards, and ports.
A significant finding of the investigation was the identification of open directories hosting malware associated with both Transparent Tribe and SideCopy. Researchers discovered a single domain serving payloads for both SideCopy and APT36, aimed at Windows and Linux environments respectively. This overlap, coupled with shared command and control (C2) infrastructure, strongly indicates a convergence of operations among these previously separate threat actors.
Seqrite’s analysis has uncovered several new malware variants. One notable discovery is a .NET-based payload named Geta RAT, which includes browser-stealing functionality similar to Async RAT. Another variant, Action RAT, was found being side-loaded by charmap.exe, diverging from previously used system binaries. Additionally, Transparent Tribe was identified using a Golang-based downloader for Linux systems, which retrieves a final payload called DISGOMOJI, showing links to SideCopy’s infrastructure.
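The side-loading finding above is the one a detection engineer can act on directly: a signed Windows binary such as charmap.exe should only load its DLLs from the system directories. The following is an added example, not code from Seqrite or from the report it describes, that flags that pattern in Sysmon-style image-load records (Event ID 7 shape). The event records, the DLL names and the trusted-directory list are constructed for the demo; the page does not name the side-loaded DLL.

```python
"""Added example (not Seqrite's code): flag DLL side-loading candidates in
Sysmon-style image-load records. charmap.exe is the host binary named on the
page; every event below is constructed sample data."""
import ntpath

# Living-off-the-land host binaries worth watching. Only charmap.exe comes
# from the page; extend the set from your own telemetry as an assumption.
WATCHED_HOSTS = {"charmap.exe"}

# Directories a Microsoft-signed system binary is expected to live in and to
# load its modules from (assumption: a default Windows install).
TRUSTED_DIRS = {"c:\\windows\\system32", "c:\\windows\\syswow64"}

# Constructed sample records in Sysmon Event ID 7 (ImageLoaded) shape.
SAMPLE_EVENTS = [
    # Legitimate: charmap.exe in System32 loading a system DLL.
    {"Image": r"C:\Windows\System32\charmap.exe",
     "ImageLoaded": r"C:\Windows\System32\user32.dll", "Signed": "true"},
    # Suspicious: charmap.exe copied to a user-writable path, loading an
    # unsigned DLL from the same folder (the side-loading pattern).
    {"Image": r"C:\Users\alice\AppData\Local\Temp\charmap.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\example_sideloaded.dll",
     "Signed": "false"},
    # Unwatched host: ignored by this rule.
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Windows\System32\ntdll.dll", "Signed": "true"},
    # Suspicious: genuine charmap.exe pulling a module from ProgramData.
    {"Image": r"C:\Windows\System32\charmap.exe",
     "ImageLoaded": r"C:\ProgramData\example_planted.dll", "Signed": "true"},
]


def in_trusted_dir(path: str) -> bool:
    """True if the file sits directly in one of the trusted system directories."""
    # ntpath is used explicitly so the check behaves the same on a Linux SIEM host.
    return ntpath.dirname(path).lower() in TRUSTED_DIRS


def is_sideload_candidate(event: dict) -> bool:
    """Return True when a watched host loads a module in a way consistent with side-loading."""
    host = ntpath.basename(event["Image"]).lower()
    if host not in WATCHED_HOSTS:
        return False
    if not in_trusted_dir(event["Image"]):
        return True  # system binary running from a non-system location
    if not in_trusted_dir(event["ImageLoaded"]):
        return True  # module pulled from outside the system directories
    return event.get("Signed", "").lower() != "true"  # unsigned module in a signed host


def find_sideload_candidates(events) -> list:
    """Filter a batch of image-load events down to the side-loading candidates."""
    return [e for e in events if is_sideload_candidate(e)]


if __name__ == "__main__":
    for hit in find_sideload_candidates(SAMPLE_EVENTS):
        print("side-load candidate:", hit["Image"], "->", hit["ImageLoaded"])
```

The rule deliberately fires on three independent conditions (host outside the system directories, module outside them, or an unsigned module) so that copying charmap.exe next to the payload, or planting a DLL in its search path, is caught either way; tune `WATCHED_HOSTS` to the binaries your environment actually sees abused.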
The APT groups employed advanced social engineering tactics, using themes related to salary increments, naval project reports, and government documents as bait. Many of these decoys were based on publicly available documents, highlighting the attackers’ efforts to craft convincing phishing schemes. This coordination among the APT groups represents a significant shift in the cyber threat landscape against India, necessitating a reassessment of cybersecurity strategies at the highest levels of government and critical infrastructure.
Seqrite’s research team performed a thorough technical analysis of the malware involved in these campaigns. They discovered that the attackers were testing their evasion techniques against antivirus solutions in Pakistan. At the same time, traffic from Indian victims, normally routed through command and control (C2) servers in Germany, was being funnelled through Pakistani IP addresses over the IPsec protocol, as confirmed by Team Cymru.
The extent of these campaigns was broad, with Transparent Tribe’s Poseidon malware targeting Linux platforms through themes like ‘Posting/Transfer under Ph-III of Rotational Transfer’, ‘Blacklist IP Address with TLP & Dates’, and ‘LTC checklist’. The group also utilized Crimson RAT with bait themes such as ‘Uttarakhand Election Result’ and ‘TDS Claim Summary’.
To mitigate these threats, Seqrite recommends that organizations implement robust security measures, including up-to-date antivirus and anti-malware solutions, strong authentication mechanisms, regular security awareness training, and timely updates for all systems and software. Additionally, Seqrite advises adopting network segmentation and the principle of least privilege to reduce the impact of potential breaches.
Seqrite Labs has provided detailed indicators of compromise and MITRE ATT&CK mappings to help organizations detect and defend against these threats. The team continues to monitor these threat actors and will offer updates as new information emerges.