Following a multi-year investigation, Citizen Lab has exposed a massive hackers-for-hire-service originating in India, whose services have been deployed against governments, environmental groups and company CEOs.
Canada-based Citizen Lab is an interdisciplinary research group focused on human rights and information and communication technologies. They were tipped off after a journalist was targeted, and used the culprit organisation’s “sloppy” tactics against them to map how it worked and who it targeted.
2. In 2017 a journalist sent @CyberClues & me a suspicious email. We turned the sloppy TTPs against the attackers, enumerating their shorteners and pivoting on domain registrations to track who they targeted. Turned out to be beyond massive. We named them DARK BASIN… pic.twitter.com/txpSQcyJr5
— John Scott-Railton (@jsrailton) June 9, 2020
Over the course of three years the lab has mapped out the underlining infrastructure that is at the heart of brazen hacking attempts against more than 1000 high level targets from across the globe.
During its investigation Citizen Lab discovered extensive activity by a hacker group known as Dark Basin which was conducting commercial espionage on behalf of its clients. These hacks targeted everything from criminal cases, news stories, high profile public events and financial transactions.
What was first thought to be a government or state sponsored cyber security espionage infrastructure was later revealed to be an entrepreneurial hack-for-hire operation run by a New Delhi-based firm BellTroX InfoTech Services.
Who Wasn’t a Target Seems to be the Question
The service appears to have been deployed against American non-profits and journalists. Incredibly multiple governments were targeted with phishing campaigns targeting MPs, senior elected officials and the judiciary.
The group seems to have been hired to conduct extensive attacks against American advocacy organisations which are focused on climate and net neutrality campaigns. One environmental campaign targeted was #ExxonKnew, this campaign was connected to the exposure of Exxon’s company research into climate change long before it was a global concern.
Citizen Lab has published a list of organisations that were targeted and have agreed to go public. These include the Rockefeller Family Fund, Climate Investigations Center, Greenpeace Center for International Environmental Law, Oil Change International, Public Citizen Conservation Law Foundation and the Union of Concerned Scientists.
Leaving a Bread Loaf Trail
The investigation started when a journalist contacted Citizen Lab after they were subject to a phishing campaign. The lab linked the campaign to a custom URL shortener which was used to hide the long and odd looking phishing links.
Citizen Lab researcher John Scott-Railton, and several colleagues note in their compiled report that: “Because the shorteners created URLs with sequential shortcodes, we were able to enumerate them and identify almost 28,000 additional URLs containing e-mail addresses of targets. We used open source intelligence techniques to identify hundreds of targeted individuals and organizations. We later contacted a substantial fraction of them, assembling a global picture of Dark Basin’s targeting.”
A number of clues pointed to India as several of Dark Basins’s URL shortening services contained names associated with India like Holi, Rongali, and Pochanchi, two of which are the names of Indian festivals
The Indian origin theory was further strengthened by the fact that many of the timestamps within the phishing emails correlated with the working hours in India’s time zones.
Working with US cyber firm NortonLifeLock, Citizen Lab made numerous ‘technical links’ between the phishing campaigns and individuals connected to New Delhi-based firm BellTroX InfoTech Services.
The hackers appear to have been incredibly sloppy as the researchers were able to identify several BellTroX employees as their online conduct overlapped with the hacking of activity of Dark Basin.
The report states that incredibly the hackers used: “Personal documents, including a CV, as bait content when testing their URL shorteners. They also made social media posts describing and taking credit for attack techniques containing screenshots of links to Dark Basin infrastructure.”
As of the June 7 2020 BellTroX’s website has been removed and a number of material linking the firm to hacking operations have been taken down.