Security researchers have uncovered a major new hacking-for-hire operation against journalists, rights groups, government officials, financial institutions and others, seemingly orchestrated by a shady Indian tech firm.
Thousands of individuals and hundreds of organizations globally were targeted with cyber-espionage tactics in a multi-year campaign by the Dark Basin group, according to Citizen Lab.
Linked to Indian firm BellTroX InfoTech Services, the group apparently worked “on behalf of their clients against opponents involved in high profile public events, criminal cases, financial transactions, news stories and advocacy.”
Although the group targeted financial services and pharmaceuticals players for its clients — including one campaign against those investigating market manipulation by German payment processor Wirecard AG — it frequently focused efforts on advocacy and civil society groups.
These include Greenpeace, the Rockefeller Family Fund, Public Citizen and the Union of Concerned Scientists. Dark Basin phished for info from groups working on the #ExxonKnew campaign, which alleged ExxonMobil hid info about climate change for decades, and those involved in trying to preserve net neutrality in the US, the report claimed.
Its links to BellTrox — whose director, Sumit Gupta, was indicted in 2015 for his role in a similar hack-for-hire scheme — are numerous.
Phishing activity aligned with the Indian time zone, and several of the URL shortening services used by the group — Holi, Rongali, and Pochanchi — have associations with the sub-continent.
Even more damning is the fact that some individuals claiming to work for BellTrox list activities on LinkedIn such as email penetration, exploitation and corporate espionage.
“We were able to identify several BellTroX employees whose activities overlapped with Dark Basin because they used personal documents, including a CV, as bait content when testing their URL shorteners,” the report continued.
“They also made social media posts describing and taking credit for attack techniques containing screenshots of links to Dark Basin infrastructure. BellTroX and its employees appear to use euphemisms for promoting their services online, including ‘Ethical Hacking’ and ‘Certified Ethical Hacker.’ BellTroX’s slogan is: ‘you desire, we do!’”
The investigation started when Citizen Lab was contacted by a journalist who had been targeted with phishing attempts. After tracing the URL shortener used, the investigators were able to identify almost 28,000 additional URLs containing e-mail addresses of targets.
These fairly unsophisticated phishing efforts are said to have had at least some success.
Citizen Lab warned that its findings indicate that there’s likely a large and growing market for hacking-for-hire services like this, with powerful organizations outsourcing cyber-espionage to third parties to maintain plausible deniability of their involvement, while posing a major threat to open democratic societies.