'Hack-for-hire' group Dark Basin targets thousands of high profile individuals over seven years

News by Andrew McCorkell

The crosshairs from the ‘guns for hire’ Dark Basin group fell on senior government officials, advocacy groups, journalists and hedge funds around the world.

An obscure group in India carried out commercial espionage for paying clients, targeting their opponents in financial transactions, high-profile public events, criminal cases, news stories and advocacy, according to researchers at Citizen Lab.

The researchers said the Dark Basin organisation targeted thousands on six continents, including senior politicians, government prosecutors, CEOs, journalists and human rights defenders.

“With high confidence, we link Dark Basin to BellTroX InfoTech Services (“BellTroX”), an India-based technology company,” the researchers said on a blog post.

Sarb Sembhi, CTO & CISO of Virtually Informed, said: “This type of business model has been around for a long time, whereas once it was mainly individuals who moved from one business to another, here we have one business that changed its name very slightly, employing attackers over a consistent period which enabled researchers to be able to collate the information.

“The reasons they are being called out now are the same reasons why others haven’t been called out in the past. Such services have always and will always exist as long as state actors and competitors are willing to pay the price and overlook their activities.”

Key findings from Citizen Lab

  • Dark Basin targeted advocacy groups and journalists, elected and senior government officials, hedge funds as well as multiple industries.
  • It targeted American non-profits, including those working on a campaign called #ExxonKnew, which claimed ExxonMobil hid information about climate change for decades.
  • The group was behind phishing of organisations working on net neutrality advocacy, as reported by the Electronic Frontier Foundation.
  • Dark Basin was linked with “high confidence” to an Indian company, BellTroX InfoTech Services, and its related entities.
  • Citizen Lab has notified hundreds of those targeted and shared information with the US Department of Justice (DOJ).

Paul Bischoff, privacy advocate at Comparitech.com, said: “The most striking part of the Dark Basin operation is how it was able to openly advertise its services without consequence. It clearly didn't fear any legal consequences that might arise despite much of its activity being blatantly illegal. I have to wonder, even after Citizen Lab's report, if authorities will go after Dark Basin.

“India is home to many phishing and scam operations that go about their business in broad daylight. Even if Dark Basin is shut down, another hack-for-hire business could replace it. So perhaps the best course of action is a further investigation to reveal its clients and take legal action against them.”

In all, more than 10,000 victim email accounts were targeted, according to Reuters.

The New Delhi-based firm targeted government officials in Europe, as well as gambling tycoons in the Bahamas, Reuters said.

Attila Tomaschek, digital privacy expert at ProPrivacy, said: “The wide-ranging scope of Dark Basin’s global hacking operation highlights the troubling reality that no individual or organisation is immune to being targeted in a hack-for-hire scheme.

“Elaborate, highly-targeted, and persistent phishing campaigns like the ones launched by Dark Basin operatives are especially nefarious in that they can be dangerously difficult to detect.

“Individuals not sufficiently versed in identifying and avoiding phishing scams, and smaller organisations and advocacy groups without established cybersecurity procedures in place can, therefore, be particularly at risk.

“Cyber-risk awareness and education can go a long way in addressing and ultimately curbing the growing threats associated with hack-for-hire schemes.”

Well-known investors in the United States, including private equity giant KKR and short seller Muddy Waters, were also targeted, according to a trail of evidence left online.

Chris Hauk, consumer privacy champion at Pixel Privacy, said: “The Dark Basin report exposes a troubling development in the world of hacking, which is 'Hack-for-Hire'. We will continue to see black hat hackers offer their services to the highest bidder in the coming years.

“Sadly, as we have seen in recent weeks, we may see these 'hired guns' taking aim at more socially conscious groups, such as the NAACP, Black Lives Matter, and other social organisations.”

A tranche of data reviewed by Reuters included thousands of malicious messages sent by BellTroX between 2013 and 2020 that aimed to trick victims into handing over passwords.

Jamie Akhtar, CEO and co-founder of CyberSmart, added: "Hackers-for-hire have long existed on the dark web - from self-serve toolkits to fully managed services involving recon, exploitation and exfiltration of data. It’s the cryptocurrency-fuelled marketplace of the digital underworld and accessing those criminal skillsets has never been easier. With the rapid shift to digital and remote working leaving many businesses vulnerable, people are taking advantage of this resource. Cyber-attacks continue to escalate.

"They are predicted to cost over US$1 trillion (£772 billion) this year. Organisations need to ensure they have all the mechanisms in place to defend against such targeted attacks, including the training of staff against social engineering, implementing 2FA and keeping systems up to date. Isolating high-value systems, networks and data stores is also important - ideally moving towards a zero trust model."

Brian Higgins, security specialist at Comparitech.com, added: "Crime as a Service (CaaS) has been around for many years now. It began with the marketing and sale of ‘off the shelf’ banking Trojans and has developed from there. Basically, most cyber attacks don’t require vast technical know-how any more, as the software required to mount them is available for sale on criminal Internet forums.

"The fact that hackers are hiring out their services is no real surprise. It’s just the logical next step for the criminal economy. Organised cyber crime follows the same business model as its legitimate counterparts in the digital economy. Supply and demand - just without the rules.

"It’s unfortunate, but if you want to stage a sophisticated, targeted attack and you have the money to pay for it, the criminal talent is clearly turning its hand to yet another way to make some quick cash."
