Operation Transparent Tribe targets Indian diplomats and military

ProofPoint uncovered a new cyber espionage campaign dubbed Operation Transparent Tribe targeting Indian diplomatic and military entities.

A new cyber espionage campaign dubbed Operation Transparent Tribe is targeting diplomats and military personnel in India. The researchers at Proofpoint who have uncovered the hacking campaign confirmed that threat actors used a number of hacking techniques to hit the victims, including phishing and watering hole attacks, and drop a Remote Access Trojan (RAT) dubbed MSIL/Crimson.

The MSIL/Crimson RAT used in the cyber espionage operation implements a variety of data exfiltration functions, including the ability to control the laptop cameras, take screen captures and keylogging.

The researchers discovered the campaign on February 11, 2016, when they noticed two live attacks against Indian diplomats operating in embassies in Saudi Arabia and Kazakhstan.

Proofpoint discovered that IP addresses involved in the attacks are in Pakistan, the attacks appear sophisticated and are part of a wider operation that relies on a network of watering hole websites and multiple phishing email campaigns.

The nature of the target and the methods used by attackers suggest the involvement of a nation-state attacker as explained by Kevin Epstein, VP of threat operations center at Proofpoint.

“This is a multi-year and multi-vector campaign clearly tied to state-sponsored espionage,” Epstein told to ThreatPost. “In the world of crimeware, you rarely see this type of complexity. A nation-state using multiple vectors, that’s significant.”

State-sponsored hacking is becoming a privileged option for governments that target other states mainly for cyber espionage with the intent of gathering intelligence on political issues.

The campaign discovered by ProofPoint required a significant effort of the APT group that set up multiple websites used to serve the MSIL/Crimson RAT.

In one case, the ATP behind the Operation Transparent Tribe used malicious email to spread weaponized RTF documents exploiting the CVE-2012-0158 Microsoft ActiveX vulnerability that dropped the malware on the target’s machine.

MSIL/Crimson is a multi-stage malware, after infected the machine in the first stage, it downloads more fully featured remote access Trojan component.

The attackers also used rogue blogs news websites with an Indian emphasis to serve the dangerous RAT.

Enjoy the Operation Transparent Tribe report.

Pierluigi Paganini

(Security Affairs – Operation Transparent Tribe, India)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.