Posted on June 10, 2020 at 1:01 PM
A recent report reveals that hundreds of institutions and thousands of individuals have been targeted by a hacker-for-hire syndicate known as “Dark Basin.”
According to internet security firm Citizen Lab, the victims include hedge funds, lawyers, elected officials, journalists, advocacy groups, as well as companies.
Yesterday, the security firm reported that the hackers created about 28,000 webpages for personalized “spear-phishing” attacks meant to steal passwords.
Hackers most active in contentious areas of politics and business
According to the lead author of the report, John Scott-Railton, the hackers were busier in controversial areas in business and politics.
“We see them again and again in areas where business and politics are contentious,” he said.
The report revealed that several groups of targeted organizations and individuals were involved in environmental issues, including campaigns against US oil producer ExxonMobil.
These targeted organizations include the Union of Concerned Scientists, the Conservation Law Foundation, Greenpeace, the Climate Investigations Center, as well as the Rockefeller Family Fund. However, Exxon says it wants to review the full report before commenting on the situation. The report added that the US Department of Justice (DOJ) has relevant material.
Cybersecurity firm NortonLifeLock conducted a separate investigation into the hacking activity.
Citizen Lab stated that the impact of Dark Basin has been massive, as it has implicated several industries. The research group added that a major example was the targeting of journalists, short-sellers, hedge funds, and investigators working on accounting irregularities at Wirecard.
Wirecard is one of the most famous firms in Germany, and it has had critical security issues for years. The company’s management board is being investigated for alleged market manipulation, but the executives of the company have denied any misconduct.
Citizen Lab pointed out that the attackers targeted some individuals daily for several months. The security outfit also revealed that the private messages from some targeted individuals were released online.
The hacking group linked to an Indian firm
According to the report, the hacker-for-hire syndicate that carried out the attacks has been linked to BellTroX InfoTech, an Indian company that offers cyber intelligence services.
The company’s official phone number was disconnected and its website was taken down a few days ago. However, it has not responded to a request by email to comment on the development.
In 2015, an Indian national and several investigators were indicted by the US DOJ for their role in another hack-for-hire scheme. One of the accused received a custodial sentence, while four of them pleaded guilty to the charge. The indicted Indian national is the director at BellTroX.
Hacking arranged through contractual payment layers
Citizen Lab reiterated that similar hacking cases in the past were arranged through a shadowy set of information-sharing, payment, and contractual layers, which may include private investigators and law firms. This offers the client a level of distance and deniability on the contract in case something goes wrong.
Citizen Lab started investigating this hacking activity in 2017, when a journalist from Reuters contacted the firm about the activities of Wirecard and how the journalist had become the subject of a phishing attack.
Several Financial Times journalists were also phishing targets, receiving fake emails claiming to come from their friends or colleagues. Sometimes, to make the impersonation convincing, the attackers lifted photographs of the victim’s friends from social media accounts.
Previously, the Financial Times revealed that a former Libyan intelligence chief funded a surveillance operation in London, which targeted some investors who were criticizing Wirecard.
The payment group said yesterday that Wirecard AG has no relationship or link with any hacker group in India. “Wirecard AG has at no time been in direct or indirect contact with a hacker group from India,” the statement reads.
The Dark Basin group used phishing emails designed to resemble messages from popular services such as LinkedIn, Dropbox, and YouTube. The emails contained URLs leading to pages designed to resemble login forms.
Citizen Lab pointed out that the persistence over time, message volume, specificity to the target, and sophistication of the bait content varied widely.
The security firm also reiterated that it identified multiple BellTroX employees performing the same activities as Dark Basin, because they used their own documents as bait when testing their URL shorteners.
In addition, these employees made social media posts describing Dark Basin infrastructure and taking credit for the group’s attack methods.