‘Dark Basin’: Prolific spear-phishers for hire

Richi Jennings Industry analyst and editor, RJAssociates

A little-known security company is accused this week of mercenary hacking. Researchers say BellTroX InfoTech Services phished countless individuals, advocacy groups, and for-profit companies.

In summary, the allegation is this: Unnamed actors paid the New Delhi firm to hack their victims, via carefully targeted email phishing attacks. BellTroX’s owner was indicted in 2015 on similar charges. Code-named Dark Basin by Citizen Lab researchers, the operation is even said to have phished a minor—the child of one of the targets.

And the operations were huge: tens of thousands of targets, over at least seven years. In this week’s Security Blogwatch, we stare open-mouthed.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: thine mal-allure.

Allegedly Sumit & Co.

What’s the craic? Jack Stubbs, Raphael Satter, Christopher Bing, Alasdair Pal, and Ryan McNeill tag-team—Indian cyber firm spied on politicians, investors worldwide:

[An] Indian IT firm offered its hacking services to help clients spy on more than 10,000 email accounts over a period of seven years. … BellTroX InfoTech Services targeted government officials in Europe, gambling tycoons in the Bahamas, and well-known investors in the United States … according to three former employees, outside researchers, and a trail of online evidence.

Researchers at internet watchdog group Citizen Lab, who spent more than two years [investigating, said] they had "high confidence" that BellTroX employees were behind the espionage. … Tens of thousands of malicious messages designed to trick victims into giving up their passwords … were sent by BellTroX between 2013 and 2020. … On the list: judges in South Africa, politicians in Mexico, lawyers in France and environmental groups in the United States.

While [we’re] not able to establish who hired BellTroX to carry out the hacking, two former employees said the company and others like it were usually contracted by private investigators on behalf of business rivals or political opponents. … The company’s owner, Sumit Gupta, declined to disclose who had hired him and denied any wrongdoing. … “I just helped them with downloading the mails. … I was just helping them with the technical support.”

[He also] said he had never been contacted by law enforcement. [But] Gupta was charged in a 2015 hacking case in which two U.S. private investigators admitted to paying him to hack the accounts of marketing executives. Gupta was declared a [U.S.] fugitive in 2017.

Gupta did not return follow-up messages and repeatedly declined to talk when [we] visited him at his office. … Delhi police and India’s foreign ministry did not respond to requests for comment.

And Paul Murphy, Kadhim Shubber, and Derek Brower add—Hackers for hire ‘targeted hundreds of institutions’:

Researchers discovered almost 28,000 web pages created by hackers for personalised “spear phishing” attacks designed to steal passwords, according to a report … by Citizen Lab, part of the University of Toronto. … The report said a large group of targeted individuals and organisations were involved in environmental issues and had campaigned against ExxonMobil, the US oil producer.

Federal prosecutors in Manhattan interviewed environmental groups targeted in the hacking effort earlier this year, according to people familiar with the matter. The Southern District of New York declined to comment. … Exxon said it had “no knowledge of, or involvement in, the hacking activities.”

According to … its website, BellTroX also provided medical transcription services to healthcare providers in the US, UK, Australia and Canada. Its LinkedIn page said: “Our services are being used by a number of NHS Trusts.”

BellTroX … advertised services such as “cyber intelligence” with the slogan “you desire, we do!” The group’s website was taken down in recent days, and its phone number is disconnected. BellTroX did not respond to a request for comment.

This is huge. Citizen Lab’s John Scott-Railton, Adam Hulcoop, Bahr Abdul Razzak, Bill Marczak, Siena Anstis, and Ron Deibert are Uncovering a Massive Hack-For-Hire Operation:

We give the name Dark Basin to a hack-for-hire organization that has targeted thousands of individuals and organizations on six continents. … While we initially thought that Dark Basin might be state-sponsored … with high confidence, we link Dark Basin to BellTroX InfoTech Services … (also known as “BellTroX D|G|TAL Security,” and possibly other names). BellTroX’s director, Sumit Gupta … alias Sumit Vishnoi … was indicted in California in 2015 for his role in a similar hack-for-hire scheme.

Dark Basin extensively targeted American nonprofits, including organisations working on a campaign called #ExxonKnew, which asserted that ExxonMobil hid information about climate change for decades. … We also identify Dark Basin as the group behind the phishing of organizations working on net neutrality advocacy.

[Our] open source intelligence … suggests that [Dark Basin] and their clients do not expect to face legal consequences and that the use of hack-for-hire firms may be standard practice within the private investigations industry. … Dark Basin has a remarkable portfolio of targets, from senior government officials and candidates in multiple countries, to financial services firms … to pharmaceutical companies.

The extensive targeting of American nonprofits exercising their first amendment rights is exceptionally troubling. … Dark Basin has extensively targeted … climate advocacy organizations and net neutrality campaigners [including] Rockefeller Family Fund, Climate Investigations Center, Greenpeace, Center for International Environmental Law, Oil Change International, Public Citizen, Conservation Law Foundation, Union of Concerned Scientists, M+R Strategic Services, 350.org … Fight for the Future and Free Press.

Dark Basin’s targeting revealed a highly detailed and accurate understanding of their targets and their relationships. … In at least one case a target’s minor child was among those targeted with phishing. … We concluded that Dark Basin operators were likely provided with detailed instructions … about whom to target.

The magic of India? Veqq tells a tale of two cities:

India has more people than all of North and South America and Europe combined. Yes, there are millions of IT professionals, but less than 1% of the population comprises the call center and outsourcing people we think of.

There are hundreds of millions of Indians without running water or electricity at home. … Until these bigger problems are overcome, something like internet policy will be ignored.

But surely this would never happen in the US? Sex_Drugs_and_Cats disabuses thuswise:

We have private intelligence agencies in the US, which the US government does sometimes hire (perhaps more to provide plausible deniability if they are involved in shady stuff than because they offer any capabilities our intelligence agencies don’t already have).

I don’t understand why people are acting like the idea of a private intelligence firm is unusual or unique to India. Don’t get me wrong, it’s extremely messed up that they exist, but they’re all over the place, including right here.

But what can DevOps do? Here’s miohtama’s advice:

In most cases, forcing staff to use two-factor authentication is enough to block most attempts. Employees can still leak their passcode once … but there is much less risk of persistent compromise.

But Jarwulf emits a resounding “meh”:

Everybody is being spied on all the time. Privacy is a dead concept, killed when the kids we imagined would be the anti-corporate cyberpunk freedom fighters grew up instead to be the hipster 'anticorporate' consumerist Instagram and TikTok crew whose idea of being anti-corporate is buying a Starbucks fairtrade coffee.

The only security we have left is how much the person hacking us and the powers that employ him are concerned about us personally.

As an Indian, Induputra is in two minds:

As an Indian, shahbash! … Every country is spying on every other, good that Indians are getting in on the game too.

As a private citizen, I am going to use TOR with everything. This **** is scary.

Meanwhile, nospam007 makes the obvious low-effort gag:

These spying jobs were outsourced to India.

The moral of the story?

Industrial and nonprofit espionage are very real and present dangers. Counter phishing threats with red-team exercises, 2FA/MFA, or even passwordless auth, where appropriate.
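To make the 2FA point concrete (why a phished one-time code buys an attacker one login at most, not a persistent foothold), here is an added example that is not part of this column or of Citizen Lab's report. It implements RFC 4226 HOTP and RFC 6238 TOTP from the standard library, then a server-side verifier that accepts each time-step's code once. The secret, the timestamp and the "victim types the code into a phishing page" scenario are all constructed for the demonstration.

```python
import hashlib
import hmac
import struct

# Constructed demo secret for this example only; real secrets come from enrolment.
DEMO_SECRET = b"constructed-demo-secret-0123456789"

STEP_SECONDS = 30   # RFC 6238 default time step
DIGITS = 6          # length of the displayed code


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 64-bit counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to floor(unix_time / step)."""
    return hotp(secret, at_time // step)


class TotpVerifier:
    """Server-side verifier that consumes each time step at most once.

    A tolerance of `skew_steps` either side of "now" absorbs clock drift.
    Counters already used are recorded so that a code captured by a phishing
    page cannot be presented a second time, even inside the skew window.
    """

    def __init__(self, secret: bytes, skew_steps: int = 1):
        self.secret = secret
        self.skew_steps = skew_steps
        self.used_counters = set()

    def verify(self, code: str, now: int) -> bool:
        current = now // STEP_SECONDS
        for counter in range(current - self.skew_steps, current + self.skew_steps + 1):
            if counter in self.used_counters:
                continue  # this step was already consumed: treat as a replay
            if hmac.compare_digest(hotp(self.secret, counter), code):
                self.used_counters.add(counter)
                return True
        return False


def phishing_replay_demo() -> dict:
    """Constructed scenario: the victim enters a valid code on a phishing page at t0.

    The page relays it within seconds (one login succeeds), then the same
    code is tried again 20 seconds later and an hour later (both rejected).
    """
    t0 = 1_700_000_000  # fixed constructed timestamp so the run is reproducible
    verifier = TotpVerifier(DEMO_SECRET)
    leaked_code = totp(DEMO_SECRET, t0)
    return {
        "first_use": verifier.verify(leaked_code, t0 + 5),
        "replay_same_window": verifier.verify(leaked_code, t0 + 20),
        "replay_later": verifier.verify(leaked_code, t0 + 3600),
    }


if __name__ == "__main__":
    print(phishing_replay_demo())  # first_use True, both replays False
```

The first call succeeds because a relayed code is indistinguishable from the legitimate one; that is the "leak their passcode once" case in miohtama's comment above. The two replays fail, so the attacker gets no standing access and has to phish again each time. Phishing-resistant, origin-bound authenticators (FIDO2/WebAuthn, the usual basis of the passwordless auth mentioned above) remove even that first window, since the credential will not sign a challenge for a look-alike origin.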

And finally

Thee and me could write a bad romance

You have been reading Security Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or sbw@richi.uk. Ask your doctor before reading. Your mileage may vary. E&OE.

The origin of this week’s magnificent hero image is Reimund Bertrams (Pixabay license)