[BreachExchange] Dark Basin: Researchers Uncover Major Hack-for-Hire Group

Destry Winant destry at riskbasedsecurity.com
Wed Jun 10 10:20:40 EDT 2020


Security researchers have uncovered a major new hacking-for-hire
operation against journalists, rights groups, government officials,
financial institutions and others, seemingly orchestrated by a shady
Indian tech firm.

Thousands of individuals and hundreds of organizations globally were
targeted with cyber-espionage tactics in a multi-year campaign by the
Dark Basin group, according to Citizen Lab.

Linked to Indian firm BellTroX InfoTech Services, the group apparently
worked “on behalf of their clients against opponents involved in high
profile public events, criminal cases, financial transactions, news
stories and advocacy.”

Although the group targeted financial services and pharmaceuticals
players for its clients — including one campaign against those
investigating market manipulation by German payment processor Wirecard
AG — it frequently focused efforts on advocacy and civil society

These include Greenpeace, the Rockefeller Family Fund, Public Citizen
and the Union of Concerned Scientists. Dark Basin phished for info
from groups working on the #ExxonKnew campaign, which alleged
ExxonMobil hid info about climate change for decades, and those
involved in trying to preserve net neutrality in the US, the report

Its links to BellTroX — whose director, Sumit Gupta, was indicted in
2015 for his role in a similar hack-for-hire scheme — are numerous.

Phishing activity aligned with the Indian time zone, and several of
the URL shortening services used by the group — Holi, Rongali, and
Pochanchi — have associations with the sub-continent.

Even more damning is the fact that some individuals claiming to work
for BellTroX list activities on LinkedIn such as email penetration,
exploitation and corporate espionage.

“We were able to identify several BellTroX employees whose activities
overlapped with Dark Basin because they used personal documents,
including a CV, as bait content when testing their URL shorteners,”
the report continued.

“They also made social media posts describing and taking credit for
attack techniques containing screenshots of links to Dark Basin
infrastructure. BellTroX and its employees appear to use euphemisms
for promoting their services online, including ‘Ethical Hacking’ and
‘Certified Ethical Hacker.’ BellTroX’s slogan is: ‘you desire, we

The investigation started when Citizen Lab was contacted by a
journalist who had been targeted with phishing attempts. After tracing
the URL shortener used, the investigators were able to identify almost
28,000 additional URLs containing e-mail addresses of targets.

These fairly unsophisticated phishing efforts are said to have had at
least some success.

Citizen Lab warned that its findings indicate that there’s likely a
large and growing market for hacking-for-hire services like this, with
powerful organizations outsourcing cyber-espionage to third parties to
maintain plausible deniability of their involvement, while posing a
major threat to open democratic societies.
