A multi-year investigation by Citizen Lab has unearthed a hack-for-hire group from India that targeted journalists, advocacy groups, government officials, hedge funds, and human rights defenders.
Citizen Lab, a research lab at the University of Toronto’s Munk School, revealed in a blog post published Tuesday that the hack-for-hire group’s identity was established after the lab investigated a custom URL shortener that the group used to shorten the URLs of phishing websites before targeting specific individuals and organisations. Citizen Lab has named the group “Dark Basin”.
“Over the course of our multi-year investigation, we found that Dark Basin likely conducted commercial espionage on behalf of their clients against opponents involved in high profile public events, criminal cases, financial transactions, news stories, and advocacy,” the lab said.
It added that the hack-for-hire group targeted thousands of individuals and organisations in six continents, including senior politicians, government prosecutors, CEOs, journalists, and human rights defenders, and is linked to BellTroX InfoTech Services, an India-based technology company.
Based out of Delhi, BellTroX InfoTech Services calls itself “one of the World’s premier transcription & digital dictation provider for numerous hospitals, clinics, expert witnesses, independent practitioners and commercial organisations.”
By its own account, the firm employs highly skilled and trained professionals in medical, legal, and commercial transcription who offer low-cost transcription and digital dictation services to a large number of medical bodies around the world, including several NHS Trusts.
After investigating the custom URL shortener used by Dark Basin, Citizen Lab found that it generated shortcodes sequentially, so a single observed link could be used to enumerate its neighbours. By walking the sequence, the lab recovered almost 28,000 additional URLs, many of which embedded the e-mail addresses of targets.
The range of targets, which included two clusters of advocacy organisations in the United States working on climate change and net neutrality, made it clear to Citizen Lab that Dark Basin was not state-sponsored but a hack-for-hire operation.
Dark Basin took few precautions to conceal where it operated from. Researchers could readily place the group in India: timestamps in hundreds of Dark Basin phishing emails were consistent with working hours in India’s UTC+5:30 time zone, and several of the group’s URL-shortening services carried names associated with India, such as Holi, Rongali, and Pochanchi.
Dark Basin also left copies of its phishing kit source code openly accessible online; the kit’s log files showed testing from an IP address in India, and its logging code recorded timestamps in UTC+5:30. Several BellTroX employees even used their own CVs and other personal documents as bait content when testing the URL shorteners.
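The timestamp reasoning above is worth making concrete. The block below is an added example, not code from the article or from Citizen Lab: it takes a handful of constructed `Date` headers, normalises them to UTC, and scores every candidate UTC offset (in 30-minute steps) by how many sends would fall inside a local Monday-to-Friday, 09:00-18:00 working day under that offset. The headers, the working-hours window, and the offset grid are assumptions for the demo; the real analysis rested on hundreds of messages plus the other indicators the text lists, since hour-of-day data alone only narrows the candidates.

```python
from datetime import timedelta, timezone
from email.utils import parsedate_to_datetime

# Constructed Date headers for illustration only; not taken from the report.
SAMPLE_DATE_HEADERS = [
    "Mon, 02 Mar 2020 03:45:12 +0000",
    "Mon, 02 Mar 2020 12:15:40 +0000",
    "Tue, 03 Mar 2020 05:00:05 +0000",
    "Wed, 04 Mar 2020 09:10:00 +0100",  # relayed via a UTC+1 host; normalised to 08:10Z below
    "Thu, 05 Mar 2020 10:30:31 +0000",
    "Fri, 06 Mar 2020 04:00:00 +0000",
    "Sun, 08 Mar 2020 06:00:00 +0000",  # weekend send: outside working hours for every offset
]

WORK_START_MIN = 9 * 60   # 09:00 local, inclusive (assumed working day)
WORK_END_MIN = 18 * 60    # 18:00 local, exclusive


def candidate_offsets(step_minutes: int = 30) -> list[int]:
    """All UTC offsets from -12:00 to +14:00 in the given step, in minutes."""
    return list(range(-12 * 60, 14 * 60 + 1, step_minutes))


def offset_label(minutes: int) -> str:
    sign = "+" if minutes >= 0 else "-"
    h, m = divmod(abs(minutes), 60)
    return f"{sign}{h:02d}:{m:02d}"


def in_working_hours(utc_dt, offset_minutes: int) -> bool:
    """Would this UTC instant fall in a Mon-Fri 09:00-18:00 day at the given offset?"""
    local = utc_dt.astimezone(timezone(timedelta(minutes=offset_minutes)))
    if local.weekday() >= 5:  # Saturday or Sunday in the candidate zone
        return False
    minute_of_day = local.hour * 60 + local.minute
    return WORK_START_MIN <= minute_of_day < WORK_END_MIN


def score_offsets(date_headers: list[str], step_minutes: int = 30) -> dict[int, float]:
    """Fraction of messages landing in working hours, per candidate offset."""
    stamps = [parsedate_to_datetime(h).astimezone(timezone.utc) for h in date_headers]
    return {
        off: sum(in_working_hours(s, off) for s in stamps) / len(stamps)
        for off in candidate_offsets(step_minutes)
    }


def infer_operator_utc_offset(date_headers: list[str]) -> tuple[str, float]:
    """Best-scoring offset and its score; ties resolve to the most westerly candidate."""
    scores = score_offsets(date_headers)
    best = max(scores, key=scores.get)
    return offset_label(best), scores[best]


if __name__ == "__main__":
    scores = score_offsets(SAMPLE_DATE_HEADERS)
    for off in sorted(scores, key=scores.get, reverse=True)[:5]:
        print(f"{offset_label(off)}  {scores[off]:.2f}")
```

On the constructed sample the 09:15 and 17:45 local edge cases are what separate +05:30 from its +05:00 and +06:00 neighbours; in practice the separation comes from volume, and the result is an indicator to be corroborated (here by the shortener names, the kit's logging offset and the test traffic's source address), not an attribution on its own.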
As further evidence of Dark Basin’s links with BellTroX, researchers found that several BellTroX employees advertised capabilities on LinkedIn such as email penetration, exploitation, conducting cyber intelligence operations, pinging phones, and corporate espionage. BellTroX’s LinkedIn pages also received endorsements from individuals working in corporate intelligence and private investigation, including private investigators with prior roles in the FBI, police, military, and other branches of government.
The list of organisations targeted by Dark Basin over the past few years includes Rockefeller Family Fund, Greenpeace, Conservation Law Foundation, Union of Concerned Scientists, Oil Change International, Center for International Environmental Law, Climate Investigations Center, Public Citizen, and 350.org. The hack-for-hire group also targeted several environmentalists and individuals involved in the #ExxonKnew campaign that wanted Exxon to face trial for hiding facts about climate change for decades.
A separate investigation by NortonLifeLock Labs, which tracks the group under the name “Mercenary.Amanda”, found that the hack-for-hire group had carried out persistent credential spearphishing against a variety of targets in several industries around the globe going back to at least 2013.
“During that time, a total of 220 identified target organisations around the world with over 1,800 individual targeted email addresses were observed. Tight clusters of verticals in the phishing attacks suggest motives of financial, industrial as well as political espionage.
“The target list assembled during our investigation indicates campaigns against environmental advocacy groups, investment businesses and financial journalists, law firms, and political consulting, as well as dozens of individual targets that do not bunch into one of the categories,” the firm said.