A cyberespionage group known as BAHAMUT has been linked to a “staggering” number of ongoing attacks against government officials and private-sector VIPs in the Middle East and South Asia, while also engaging in wide-ranging disinformation campaigns.
That’s according to BlackBerry researchers, who said that the highly resourced group is probably operating on a mercenary basis, offering their services to the highest bidder.
“BAHAMUT is behind a number of extremely targeted and elaborate phishing and credential-harvesting campaigns, hundreds of new Windows malware samples, use of zero-day exploits, anti-forensic/AV evasion tactics, and more,” said Eric Milam, vice president of research operations at BlackBerry, in a report issued on Wednesday.
He added, “They rely on malware as a last resort, are highly adept at phishing, tend to aim for mobile phones of specific individuals as a way into an organization, show an exceptional attention to detail and above all are patient – they have been known to watch their targets and wait for a year or more in some cases.”
Researchers also found that BAHAMUT is running reams of fake-news entities – ranging from fraudulent social-media personae to stewarding entire news websites built to include disinformation.
“The sophistication and sheer scope of malicious activity that our team was able to link to BAHAMUT is staggering,” said Milam.
BAHAMUT – the name, in Arabic lore, of a sea monster that provides the support structure that holds up the earth – focuses mainly on carrying out classic espionage activity, according to researchers.
Mobile and Phishing Cyberattacks
While it distributes custom Windows malware and uses various zero-days, the group has notably recently embraced mobile: The report uncovered nine malicious iOS applications that had been available in the Apple App Store, and an assortment of Android applications that BlackBerry said are “directly attributable” to BAHAMUT, based on unique fingerprints.
“The applications were complete with well-designed websites, privacy policies and written terms of service – often overlooked by threat actors – which helped them bypass safeguards put in place by both Google and Apple,” the researchers said.
The apps in reality functioned as backdoors, with espionage capabilities that fluctuated across samples. All of them had the ability to enumerate filetypes on the devices and upload any potential file of interest. Other functionalities included the ability to enumerate device information, access contacts, access call records, access SMS messages, record phone calls, record audio, record video, download and update the backdoor, and track GPS location, researchers said.
They added that some of the targets for the mobile apps were specific to the United Arab Emirates (downloads were region-locked to the UAE); also, they observed Ramadan-themed applications and those pertaining to a Sikh separatist movement.
Phishing is another part of the group’s core competency, and its methods are unique.
“BAHAMUT’s phishing and credential harvesting tradecraft is significantly better than the majority of other publicly known APT groups,” the firm noted. “This is principally due to the group’s speed, their dedication to single-use and highly compartmentalized infrastructure, and their ability to adapt and change, particularly when their phishing tools are exposed.”
The phishing exercises that the group carries out for credential harvesting happen only after “concerted and robust reconnaissance operations” aimed at very precise targets, researchers noted.
BAHAMUT also stands up new phishing infrastructure on an ongoing basis, with targeted spear-phishing operations lasting anywhere from a few hours to a few months, depending on the domain and success rates.
“This embrace of ever-fleeting infrastructure makes real-time detection all but impossible,” according to the report.
Fake Websites for Attacks and Disinformation
In addition to its more traditional efforts, BAHAMUT is also distinctive in its use of original, painstakingly crafted websites, applications and personae to carry out cyberattacks, as well as spread fake news and misinformation, according to researchers.
Dozens of the fake sites were seen to serve up malware or exploits; while others tied into BAHAMUT phishing servers, or acted as command-and-control domains for BAHMAUT backdoors.
On the disinformation front, several of the fake websites researchers identified deal directly with a common theme: The 2020 Sikh Referendum, which has been a hotbed issue within India since late last year. This is essentially a secessionist movement, the brainchild of an organization called “Sikhs for Justice” (SFJ), which was banned by the government of India in July of 2019.
In some cases, social-media accounts were created and linked to the news sites, to make them seem more legitimate.
One site, called Techsprouts, was once a legitimate technology news site run by a journalist from India, which is now defunct. Its purpose left researchers scratching their heads.
“The group took over the domain of what was originally an information security news website and began pushing out content focused on geopolitics, research, industry news about other hack-for-hire groups,” according to the report – along with news about exploit brokers like the NSO Group.
Fake contributor to Techsprouts. Source: BlackBerry
“Within the past year…BAHAMUT appears to have re-registered the Techsprouts domain and continued to operate it,” according to the report – which added that the new site has an impressive list of “contributors.”
“Their biographies are impressive, but upon further inspection, it is apparent that the thumbnail photos of each author seen throughout the site have been appropriated from other sites and other people with quite different names,” the report explained. “For example, the image of ‘Alice Jane,’ a senior writer, was actually that of Julie Luck, the evening anchor at the local CBS station in Greensboro, N.C.”
In this case, the content isn’t overtly fake or malicious, leaving researchers wondering what its purpose is.
“[Other researchers] posited that the group used sites like this (though not Techsprouts specifically) as a way to discern the click habits of their targets,” according to the report. “BlackBerry is unable to verify this theory, though it certainly seems well within the realm of possibility.”
Hackers for Hire
The group overall is using a wide range of tools, tactics and techniques (TTPs), and researchers said that “at least one zero-day developer reflects a skill-level beyond most other known threat-actor groups today” – all of which suggests that the group is extremely well-funded and well-resourced.
This is borne out further by BAHAMUT’s startlingly good operational security (OpSec). Notably, there is no domain or IP address cross-over between operational functions in the group’s current tradecraft.
“We find, for example, that no domains or IP addresses used to control or distribute Windows malware are used for phishing or to administer malware designed for any other operating system,” according to the report. “Similarly, it is rare that any single server is used for more than a single mobile application at any given time. BAHAMUT ensures that no hosting provider is leveraged too heavily and spreads its current active infrastructure across more than 50 different hosting providers, thereby ensuring operational continuity if any single campaign is identified or a set of malware samples is disclosed. This is likely enormously time consuming, expensive, and requires considerable attention to detail.”
As for the victimology, apart from somewhat clustered targeting in South Asia and the Middle East, the targets run the gamut in terms of political ideology, which lends credence to the “hacker for hire” theory – the targeting “is all over the place,” according to researchers.
In looking at code-based similarities and unique string-based similarities, researchers said they was able to connect the dots between shadowy, “unsolved” APT incidents that have been spotted going back for years.
“BAHAMUT leverages publicly available tools, imitates other threat groups and changes its tactics frequently, which has made attribution difficult in the past,” researchers said. “However, BlackBerry reports with high confidence that the threat group is behind exploits researched by over 20 different security companies and nonprofits.”
Specifically, the threat groups identified as EHDevel, Windshift, Urpage and the White Company, along with the unnamed threat group in Kaspersky’s 2016 “InPage zero-day” research.
In all, given the extensive capabilities, links to disparate nation-state-linked APT activity, and lack of focused targeting, researchers concluded that BAHAMUT is one sprawling group that sells services to the highest bidder, including governments.
“Operational security will become increasingly important as more and more intelligence functions are outsourced by governments, corporations, and private individuals to groups like BAHAMUT,” according to the report. “These third parties add a layer of plausible deniability for those who employ them.”
On October 14 at 2 PM ET Get the latest information on the rising threats to retail e-commerce security and how to stop them. Register today for this FREE Threatpost webinar, “Retail Security: Magecart and the Rise of e-Commerce Threats.” Magecart and other threat actors are riding the rising wave of online retail usage and racking up big numbers of consumer victims. Find out how websites can avoid becoming the next compromise as we go into the holiday season. Join us Wednesday, Oct. 14, 2-3 PM ET for this LIVE webinar.
