Cyber-Mercenary Group Void Balaur Attacks High-Profile Targets for Cash

A Russian-language threat group is available for hire to steal data from journalists, political leaders, activists and organizations in every sector.

Russian-language group Void Balaur, also tracked under the name Rockethack, has been identified as a prolific cyber-mercenary group, available for hire to break into the email and social-media accounts of high-profile, high-stakes targets around the world.

After monitoring Void Balaur for more than a year, Trend Micro has released a report that identified more than 3,500 of the group’s targets. Amnesty International has likewise identified cyberattacks on activists and journalists working in Uzbekistan that were carried out by the cybermercenary service.

“Our research revealed a clear picture: Void Balaur goes after the most private and personal data of businesses and individuals then sells that data to whomever wants to pay for it,” the Trend Micro report said.

For a premium fee, the group can often provide total copies of mailboxes, stolen without the assistance of the targeted user, Trend Micro reported.

Void Balaur Gets Raves in Underground Forums

Enterprising, and forever collecting troves of data that could be sold later, Void Balaur’s activities date back to 2015, Trend Micro analysts said. By 2019, the group was selling intensely personal data collected on Russian citizens, including criminal records, credit history, flight records, account balances and printouts of SMS text messages, the report explained. The group also sells cell-phone data, which was most likely acquired by bribing telecom employees or insiders, the report added.

Popular targets of the group include media and political news websites, journalists and human rights activists, Trend Micro said.

“Void Balaur is not averse to going after more high-profile targets either, as the group also launched attacks against the former head of an intelligence agency, active government ministers, members of the national parliament in an Eastern European country, and even presidential candidates,” it added.

The group currently advertises its services on Russian underground forums Darkmoney and Probiv, Trend Micro found.

“Void Balaur seems to be highly respected in these underground forums, as the feedback for their services is almost unanimously positive, with their customers pointing out the threat actor’s ability to deliver the requested information on time, as well as the quality of the data being provided,” the report said.

The group uses malware tools like the Z*Stealer credential stealer and DroidWatcher, which steal data and sport added tracking and spying capabilities, Trend Micro reported. The firm offered Void Balaur’s indicators of compromise as part of its report.

Void Balaur Targets Data Troves

The group has also launched attacks against cryptocurrency exchanges like EMXO, which the report said has been victimized multiple times by Void Balaur.

In September, the group targeted the intelligence agency head, government ministers and the two members of an Eastern European parliament, Trend Micro reported, but there have also been attacks since 2020 on government officials and candidates in countries including Armenia, Belarus, France, Italy, Kazakhstan, Norway, Russia and Ukraine, the report said. Void Balaur is also active in the U.S., Israel and Japan, the researchers found.

Throughout 2020, Void Balaur attacked one Russian conglomerate for more than a year, demonstrating its patience and persistence, Trend Micro said. It targeted the organization’s board members, executives and even family members of the billionaire company owner.

The group seems to be willing to work in just about any sector that offers troves of valuable data, Trend Micro found in its analysis, including telecom, radio and satellite communications, banking, aviation and medical insurance; and even in-vitro fertilization (IVF) clinics in Russia, biotech and genetic testing.

“What makes Void Balaur stand out from most cybercriminal groups is the sheer number of different types of criminal activity they’re involved in,” Archie Agarwal, CEO of ThreatModeler, told Threatpost in response to the report. “It would seem that they operate in almost every industrial sector, type of data and even target high profile individuals. They certainly don’t appear to discriminate.”

Rise of the Cyber-Mercenaries

Trend Micro concluded that the cybermercenary ecosystem is being bolstered by global governments’ interest in using these malicious actors as part of their national cybersecurity strategies.

“First, the services and tools of cyber-mercenaries can be used in offensive attacks against terrorism and organized crime, and for targeting foreign assets,” the researchers warned. “Second, they can also be sold to other countries and used as an economic or political tool in foreign policy. Though this might benefit some countries, it also poses a tremendous risk of possible backlash when malicious elements use these tools. Even worse, tools that have been sold overseas might end up being used against citizens of the country that originally exported these tools.”
