A hack-for-hire group, called Dark Basin, has been outed after targeting thousands of individuals and organizations worldwide – including advocacy groups and journalists, elected and senior government officials, and hedge funds – over the course of seven years.
Dark Basin conducted commercial espionage on behalf of its clients, against those clients’ opponents involved in high-profile public events, criminal cases, financial transactions, news stories and advocacy, according to researchers at Citizen Lab. In all, more than 10,000 victim email accounts were targeted, according to Reuters, which broke the news.
“Citizen Lab has notified hundreds of targeted individuals and institutions and, where possible, provided them with assistance in tracking and identifying the campaign,” according to a report on Dark Basin released by Citizen Lab researchers on Tuesday. “At the request of several targets, Citizen Lab shared information about their targeting with the U.S. Department of Justice (DoJ). We are in the process of notifying additional targets.”
Citizen Lab first discovered the group in 2017 after it was contacted by a journalist who had been targeted with phishing attempts. The phishing was linked to a custom URL shortener, which was tied to a larger network of almost 28,000 URL shorteners containing the email addresses of targets and operated by Dark Basin.
Tactics, Techniques and Procedures
The group sent highly targeted phishing emails from a range of email accounts, including Gmail accounts and self-hosted accounts. The use of URL shorteners for masking phishing sites is a staple for the group – researchers said that over 16 months, they observed 28 unique URL shortener services that were operated by Dark Basin.
These malicious links led to phishing sites designed to look identical to popular online web services such as Google Mail, Yahoo Mail and Facebook. These landing pages then stole the credentials of victims.
“Sophistication of the bait content, specificity to the target, message volume and persistence across time varied widely between clusters,” researchers said. “It appears that Dark Basin’s customers may receive varying qualities of service and personal attention, possibly based on payment, or relationships with specific intermediaries.”
Researchers tied the group to years of attacks against various targets. That includes at least two American advocacy groups who were requesting that the Federal Communications Commission (FCC) preserve net-neutrality rules in the U.S. (in a campaign previously uncovered by the EFF); U.S. non-governmental organizations Fight for the Future and Free Press; and journalists from multiple major U.S. media outlets.
For instance, the group targeted campaigners involved with #ExxonKnew, which is a campaign that claims that ExxonMobil hid information about climate change for decades. That included targeting #ExxonKnew campaigners’ family members with phishing emails – in at least one case a target’s minor child was among those targeted.
As part of their investigation, researchers linked the phishing attacks with highly targeted emails, purporting to come from other campaigners or from legal counsel involved in litigation against ExxonMobil, that referenced targets’ work on ExxonMobil and climate change. In other cases, Dark Basin sent emails with fake Google News updates involving ExxonMobil. The emails would then contain a malicious URL that brought victims to the landing page.
In 2016, a private #ExxonMobil email inviting campaigners to a January 2016 meeting was leaked by unknown parties to two newspapers, including the Wall Street Journal.
“The leak of the January 2016 email, as well as suspicious emails noticed by campaigners, led some present at the meeting to suspect their private communications may have been compromised,” said researchers. “We later determined that all but two recipients of the leaked January email were also Dark Basin targets.”
BellTroX InfoTech Services
Researchers also associated Dark Basin with BellTroX InfoTech Services, an India-based technology company, with “high confidence.” Threatpost has reached out to BellTroX InfoTech Services for comment but had not heard back by publication time.
“We are an independent firm of transcriptionists, designers, developers, engineers, consultants and technical specialists offering a broad range of professional services. Through our work, we make a positive difference in the world,” according to BellTroX’s website.
Several clues led researchers to link Dark Basin to the company. Initially, researchers found that timestamps in the phishing emails were consistent with the working hours in India’s UTC+5:30 time zone. Several of Dark Basin’s URL shortening services also had names associated with India (Holi, Rongali and Pochanchi, for example).
Then, upon further investigation, they were able to identify several BellTroX employees whose activities overlapped with Dark Basin’s: the employees had used personal documents, including a C.V. (resume), as bait content when testing the URL shorteners.
The employees also put up social-media posts taking credit for attack techniques, which contained screenshots of links to Dark Basin infrastructure, researchers said. The company’s “staff activities” listed on LinkedIn include email penetration, exploitation, corporate espionage and more.
“BellTroX and its employees appear to use euphemisms for promoting their services online, including ‘Ethical Hacking’ and ‘Certified Ethical Hacker,’” they said. “BellTroX’s slogan is: ‘you desire, we do!’”
As of Sunday (June 7) BellTroX’s website began serving an error message. Researchers said that since then, postings and other materials linking BellTroX to these operations have been deleted.
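The time-zone clue described above (phishing timestamps clustering in working hours for UTC+5:30) can be checked with a simple working-hours fit over the Date headers of a message set. The code below is an added example, not code from the article or from Citizen Lab; the header values are constructed, and the 9:00–18:00 Monday-to-Friday window and the candidate offsets are assumptions.

```python
# Added example (not from the article or Citizen Lab): score how well a set of
# email send times fits a working-hours pattern in a candidate UTC offset, the
# kind of timestamp analysis used as one attribution clue in the report.
from datetime import timedelta, timezone
from email.utils import parsedate_to_datetime

# Constructed sample "Date:" header values with the offsets the sending MTA wrote.
SAMPLE_DATE_HEADERS = [
    "Mon, 13 Nov 2017 04:12:40 +0000",
    "Tue, 14 Nov 2017 06:58:03 +0000",
    "Wed, 15 Nov 2017 03:30:11 -0500",   # 08:30 UTC
    "Thu, 16 Nov 2017 11:05:55 +0000",
    "Fri, 17 Nov 2017 03:47:19 +0000",
    "Sun, 19 Nov 2017 23:10:00 +0000",   # early Monday morning in UTC+5:30
]


def local_hours(date_headers, utc_offset_minutes):
    """Return (weekday, hour) pairs after shifting each header into the candidate zone.
    Weekday follows datetime.weekday(): Monday is 0, Sunday is 6."""
    tz = timezone(timedelta(minutes=utc_offset_minutes))
    pairs = []
    for raw in date_headers:
        dt = parsedate_to_datetime(raw)
        if dt.tzinfo is None:  # "-0000" yields a naive datetime; treat it as UTC (assumption)
            dt = dt.replace(tzinfo=timezone.utc)
        local = dt.astimezone(tz)
        pairs.append((local.weekday(), local.hour))
    return pairs


def working_hours_fit(date_headers, utc_offset_minutes, start=9, end=18):
    """Fraction of messages sent Monday-Friday between start (inclusive) and end (exclusive)."""
    pairs = local_hours(date_headers, utc_offset_minutes)
    hits = sum(1 for weekday, hour in pairs if weekday < 5 and start <= hour < end)
    return hits / len(pairs)


def best_offset(date_headers, candidate_offsets):
    """Candidate offset (in minutes) whose working-hours fit is highest."""
    return max(candidate_offsets, key=lambda off: working_hours_fit(date_headers, off))


if __name__ == "__main__":
    candidates = [0, -300, 180, 330, 480]  # UTC, US Eastern, Moscow, India, China (assumed set)
    for off in candidates:
        print(f"UTC{off:+05d} min: fit = {working_hours_fit(SAMPLE_DATE_HEADERS, off):.2f}")
    print("best fit:", best_offset(SAMPLE_DATE_HEADERS, candidates))
```

Date headers are written by the sender, so a strong fit is corroboration to weigh alongside other evidence, as the researchers did, not proof on its own.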
Researchers said that they believe that in at least one case, Dark Basin repurposed a stolen internal email to re-target other individuals – leading them to conclude that Dark Basin had “some success” in gaining access to the email accounts of one or more advocacy groups.
Researchers said that the use of hack-for-hire firms may be fueled by an increasing normalization of commercialized cyber-offensive activity, including surveillance and “hacking back.” For instance, researchers with Google’s Threat Analysis Group (TAG) recently warned that they’ve spotted a spike in activity from several India-based firms that have been creating Gmail accounts that spoof the World Health Organization (WHO) to send coronavirus-themed phishing emails.
“Dark Basin’s activities make it clear that there is a large and likely growing hack-for-hire industry,” Citizen Lab researchers said. “Hack-for-hire groups enable companies to outsource activities like those described in this report, which muddies the waters and can hamper legal investigations.”