Monday, December 1

Pakistani Cyber Actors Impersonating ‘NIC eEmail Services’ to Target Indian Government


Cybersecurity: APT36 Spear-Phishing Campaign Targeting Indian Government

The advanced persistent threat group APT36, also known as TransparentTribe, has initiated a spear-phishing campaign targeting Indian government entities. This operation utilizes email lures themed as “NIC eEmail Services” to deceive recipients.

This campaign employs lookalike domains and malicious infrastructure to obtain credentials and facilitate long-term espionage activities. It begins with emails that mimic official notifications from the National Informatics Centre (NIC), which is the digital backbone for the Indian government’s email and IT services.

Phishing Techniques and Infrastructure

Victims encounter a fake login portal labeled “NICeMail Services,” which is designed to collect sensitive information such as email addresses and passwords. The login interface imitates the legitimate NIC webmail portal, enhancing the campaign’s credibility and effectiveness.

The malicious infrastructure comprises several domains and servers associated with recent APT36 activities, including:

  • accounts.mgovcloud[.]in.departmentofdefence[.]live: Hosts the phishing page and captures user credentials.
  • departmentofdefence[.]live: A parent domain that enhances credibility through its apparent government affiliation.
  • 81.180.93[.]5: Linked to a “Stealth Server” Command & Control (C2) interface, used for data exfiltration and malware control.
  • 45.141.59[.]168: Another IP involved in the campaign, potentially facilitating C2 communications.

The phishing domain has a valid TLS certificate, which helps to avoid browser warnings and increases perceived legitimacy.

APT36’s Espionage Activities

APT36, or TransparentTribe, is known for targeting Indian defense, diplomatic, and government organizations. The group’s typical methods include spear-phishing and customized malware delivery to achieve data theft and espionage.

The group continually adapts its tactics, utilizing realistic phishing pages and exploiting current geopolitical events to increase victim engagement. The current campaign, masquerading as a routine NIC service notification, demonstrates the group’s ability to exploit trust and evade basic security measures.

Mitigation Strategies

Security experts recommend that Indian government users and related organizations exercise increased caution, particularly when entering credentials on unexpected or unofficial portals. Indicators of compromise, such as the listed domains and IP addresses, should be blocked at the network level.

IT departments are encouraged to implement multifactor authentication and monitor for credential abuse or unusual login activities. These measures are crucial in countering APT36’s attack vectors. Due to the group’s persistent and adaptive strategies, maintaining proactive defense and cyber hygiene is essential for protecting sensitive government systems against state-sponsored threats.
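As an added defender's example (not part of the report or of any NIC tooling), the Python below shows how the two mitigations above can be applied mechanically to proxy logs: matching the listed indicators, and flagging hosts where a trusted NIC domain name is spelled out inside the subdomain of a different registrable domain, the pattern used by accounts.mgovcloud[.]in.departmentofdefence[.]live. The trusted-domain list, the public-suffix table and the log lines are constructed assumptions.

```python
# Indicators quoted in the report above (defanged input is accepted and normalised).
IOC_DOMAINS = {"accounts.mgovcloud.in.departmentofdefence.live", "departmentofdefence.live"}
IOC_IPS = {"81.180.93.5", "45.141.59.168"}
# Assumption: legitimate names the lure borrows; replace with your own allow-list.
TRUSTED_DOMAINS = {"mgovcloud.in", "nic.in", "gov.in"}
# Assumption: minimal public-suffix table; use the full PSL in production.
TWO_LEVEL_SUFFIXES = {"co.in", "gov.in", "nic.in", "ac.in", "co.uk"}
# Constructed sample proxy log lines (timestamp client dst_ip host path), not real traffic.
SAMPLE_LOG = """\
2024-06-01T09:12:01Z 10.0.4.21 81.180.93.5 accounts.mgovcloud.in.departmentofdefence.live /login
2024-06-01T09:12:05Z 10.0.4.22 203.0.113.10 email.gov.in /
2024-06-01T09:13:40Z 10.0.4.23 198.51.100.7 login.nic.in.example-portal.com /webmail
2024-06-01T09:14:02Z 10.0.4.24 45.141.59.168 cdn.example.net /beacon
2024-06-01T09:15:00Z 10.0.4.25 192.0.2.8 www.example.org /
"""

def refang(indicator: str) -> str:
    return indicator.replace("[.]", ".").lower().rstrip(".")  # 'a[.]b' -> 'a.b'

def registrable_domain(host: str) -> str:
    """The part of the name the registrant controls (eTLD+1, approximated)."""
    labels = host.split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LEVEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])

def classify_host(host: str) -> str:
    """Return 'ioc-match', 'trusted', 'lookalike' or 'clean'."""
    host = refang(host)
    reg = registrable_domain(host)
    if host in IOC_DOMAINS or reg in IOC_DOMAINS:
        return "ioc-match"
    if any(reg == t or reg.endswith("." + t) for t in TRUSTED_DOMAINS):
        return "trusted"
    # Lookalike: a trusted name sits in the subdomain labels, but the registrable domain differs.
    subdomain = "." + host[: len(host) - len(reg)].strip(".") + "."
    if any("." + t + "." in subdomain for t in TRUSTED_DOMAINS):
        return "lookalike"
    return "clean"

def scan_log(text: str) -> list:
    """(client, indicator, verdict) for each proxy log line worth an alert."""
    alerts = []
    for line in text.splitlines():
        _ts, client, dst_ip, host, _path = line.split()
        if dst_ip in IOC_IPS:  # listed C2/phishing IPs are alerted regardless of hostname
            alerts.append((client, dst_ip, "ioc-match"))
        elif (verdict := classify_host(host)) in ("ioc-match", "lookalike"):
            alerts.append((client, host, verdict))
    return alerts
```

Running `scan_log(SAMPLE_LOG)` yields three alerts: two indicator matches and one lookalike that is not on the indicator list, which is the case a pure blocklist would miss.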
