Threat Watch

Dark Basin Hack-for-Hire Group

Dark Basin: After the targeting of thousands of individuals and organizations worldwide, the identity and operations of a hack-for-hire group known as Dark Basin have been disclosed by researchers at Citizen Lab. The group conducted commercial espionage against the customers or opponents of the clients who hired it. According to Reuters, which broke the news, researchers and former employees of the company identified the group as an India-based InfoSec services company called BellTroX. The group attacked its targets by sending highly targeted phishing emails from Gmail accounts or self-hosted email accounts. The phishing links were masked with URL shorteners, and the phishing websites behind them were made to look like legitimate online services such as Gmail, Yahoo Mail, Facebook, and others. In total, researchers discovered over 27,591 unique phishing pages by tracking the destinations of the shortened URLs. Several clues led researchers to the link between Dark Basin and BellTroX, such as working hours that matched Indian business hours and recurring Indian names within the shortened URLs. Furthermore, overlaps between BellTroX employees and Dark Basin were discovered because personal documents belonging to employees had been used as bait content when the URL shorteners were being tested. Social media posts from BellTroX employees also led researchers to this conclusion, because the posts included screenshots of Dark Basin infrastructure. The company denied the allegations that it was behind the attacks credited to Dark Basin, but former employees interviewed by Reuters confirmed the claims.

ANALYST NOTES

Hack-for-hire groups are often sought out by companies looking to carry out a practice known as “hacking back,” or to obtain surveillance or inside information on competing companies. Acts such as these are illegal, which is why security companies, as a rule, do not offer these services. BellTroX likely used terms such as “ethical hacking” to make its activities appear legitimate, even though it was illegally hacking companies. There is a huge market for hack-for-hire groups, and the number of groups or individuals willing to carry out these tasks is growing.

The Reuters article can be read here: https://www.reuters.com/article/us-india-cyber-mercenaries-exclusive/exclusive-obscure-indian-cyber-firm-spied-on-politicians-investors-worldwide-idUSKBN23G1GQ

The full report from Citizen Lab can be read here: https://citizenlab.ca/2020/06/dark-basin-uncovering-a-massive-hack-for-hire-operation/