Pakistani APT targeted Indian Railways with Spear-Phishing Campaigns

According to an intelligence agency in India, the Pakistani state-sponsored hacking group named “APT36” seeped through the Indian Railways network by using spear-phishing and hacked four of its critical computer systems by infecting them with the malware.

APT36 performs cyber-espionage operations with the intent of collecting sensitive information from India that supports Pakistani military and diplomatic interests. This group, active since 2016, is also known as Transparent Tribe, ProjectM, Mythic Leopard, and TEMP.Lapis.

On Friday, the sources said that the Pakistan-based threat actor had been stealing sensitive data from those four compromised systems and storing it on remote servers.

News site ThePrint cited an individual who said that the “three of the computers identified are located in the ministry, one is the personal computer of a top vigilance officer from the railways.”

Also Read: Google says COVID-19 themed attacks rising in India, Brazil, and the UK

In May, the Indian intelligence agency had notified the Ministry of Railways about this incident, in a letter that said, “Indian Railways may identify the infected computers and take immediate steps to sequester, cleanse and secure the computers.”

“APT36 cyber threat actors are targeting various government sectors including defence, central police organisations, education, healthcare, etc.,” the letter also stated. “The modus operandi is to deliver Crimson RAT (Remote Access Trojan) malware embedded in MS Office documents to steal information from the victim computers.”

In response to the queries asked by ThePrint about this incident, the Ministry of Railways spokesperson D.J. Narain said the issue is “very old”, without specifying how old it was. “We have nothing to say on this. All we can say is we are all safe,” he added.

Whereas, the Indian Railways Board Chairman V.K. Yadav said “It has not come to our notice that some information has been leaked. Our systems are secure and our engineers keep on working on it.”

APT36 – a Pakistani state-sponsored hacking group had also been seen targeting individuals and organizations from the India. They used coronavirus-themed spear-phishing emails that deployed a RAT variant called Crimson RAT into the targeted systems to collect sensitive information.

APT36 has used many different malware families in the past, but has mostly deployed RATs, such as BreachRAT, DarkComet, Luminosity RAT, and njRAT.

In past campaigns, they were able to compromise Indian military and government databases to steal sensitive data, including army strategy and training documents, tactical documents, and other official letters. They also were able to steal personal data, such as passport scans and personal identification documents, text messages, and contact details.