Pakistani Cybersecurity Firm Is Allegedly Stealing Indian Military and Government Intelligence

Defense Industrial Base // Government (Foreign) // India

A cybersecurity company with ties to the Pakistani government is allegedly pocketing secrets from Indian agencies and defense companies.

American security research firm FireEye uncovered the campaign.

The Islamabad-based cyber firm, named Tranchulas, has apparently been positioning the Pakistani government for cyberwar.

This particular operation involved Tranchulas bombarding Indian officials with malware-laced emails. To bait targets into opening the messages, the subject lines contained terms such as “Sarabjit Singh,” “Devyani Khobragade,” and “Salary hikes for government employees.”

Once activated, the malware would collect a variety of data from the victim's computer and send it back to the attacker.

"They are essentially penetrating Indian government accounts to find out what the Indian government is up to," said Manish Gupta, FireEye senior vice president. "They are also targeting defense organizations. Some of the things that could be important to them could be what kind of weapons does India have, where are these weapons deployed, how many people are deployed in these regions, what is the organization structure, are there any military exercises planned."

At the beginning of the campaign, the malware in use contained code bearing the name of a Tranchulas employee, Umair Aziz.

"Once we confronted Tranchulas, the malware was modified and all references to the company were removed and replaced with some strings with Cert-In (Indian computer emergency response team) to masquerade themselves and show that the attacks were being carried out by Indian Cert," said Michael Oppenheim, a threat intelligence analyst at FireEye who discovered the malware.

The attackers used U.S. hosting services for their operations to avoid detection.

The Indian government denies any knowledge of this situation. "It is incorrect. We have only seen cases of website hacking. However, they hold only public data," said Gulshan Rai, director-general of the Indian Computer Emergency Response Team, or ICert.

However, a senior Indian intelligence official confirmed Indian establishments were targets of cyberspying. He said the attackers could not be traced: "We have seen many such attacks targeting Indian government and defense establishments coming from different parts of the world, but in cyberspace it is very hard to ascertain the actual source of an attack."

Tranchulas CEO Zubair Khan neither confirmed nor denied that his firm is part of the cyberspying. Khan acknowledged that his company does offer offensive services that help governments wage cyberwarfare.