
Massive Hack-for-Hire-Service Exposed

Careless hackers “made social media posts describing and taking credit for attack techniques containing screenshots of links to Dark Basin infrastructure.”

By CBR Staff Writer

Following a multi-year investigation, Citizen Lab has exposed a massive hackers-for-hire service originating in India, whose services have been deployed against governments, environmental groups and company CEOs.

Canada-based Citizen Lab is an interdisciplinary research group focused on human rights and information and communication technologies. Its researchers were tipped off after a journalist was targeted, and used the culprit organisation’s “sloppy” tactics against it to map how the operation worked and whom it targeted.

Over the course of three years the lab has mapped out the underlying infrastructure at the heart of brazen hacking attempts against more than 1000 high-level targets from across the globe.

During its investigation Citizen Lab discovered extensive activity by a hacker group known as Dark Basin, which was conducting commercial espionage on behalf of its clients. The hacks related to everything from criminal cases and news stories to high-profile public events and financial transactions.

What was first thought to be a government or state-sponsored cyber espionage infrastructure was later revealed to be an entrepreneurial hack-for-hire operation run by a New Delhi-based firm, BellTroX InfoTech Services.


Who Wasn’t a Target Seems to be the Question

The service appears to have been deployed against American non-profits and journalists. Incredibly, multiple governments were also targeted, with phishing campaigns aimed at MPs, senior elected officials and the judiciary.


The group seems to have been hired to conduct extensive attacks against American advocacy organisations focused on climate and net neutrality campaigns. One environmental campaign targeted was #ExxonKnew, which was connected to the exposure of Exxon’s own research into climate change long before it became a global concern.

Citizen Lab has published a list of targeted organisations that have agreed to go public. These include the Rockefeller Family Fund, Climate Investigations Center, Greenpeace, Center for International Environmental Law, Oil Change International, Public Citizen, Conservation Law Foundation and the Union of Concerned Scientists.

Leaving a Bread Loaf Trail

The investigation started when a journalist contacted Citizen Lab after being subjected to a phishing campaign. The lab linked the campaign to a custom URL shortener, which was used to hide the long and odd-looking phishing links.

Citizen Lab researcher John Scott-Railton, and several colleagues note in their compiled report that: “Because the shorteners created URLs with sequential shortcodes, we were able to enumerate them and identify almost 28,000 additional URLs containing e-mail addresses of targets. We used open source intelligence techniques to identify hundreds of targeted individuals and organizations. We later contacted a substantial fraction of them, assembling a global picture of Dark Basin’s targeting.”
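The weakness the researchers describe is a design flaw on the shortener operator's side: a shortcode that is just a counter can be walked from a single sample. The following Python example is added here to illustrate that point and its fix; it is not code from the Citizen Lab report or from any shortener the report discusses. It contrasts a counter-based shortener with one that draws codes from a CSPRNG, and includes a self-check an operator can run on codes issued in order to confirm they are not predictable. The class and function names, the base-36 encoding and the `max_gap` threshold are all assumptions of this example.

```python
import secrets
import string
from itertools import count
from typing import Dict, List, Optional

# Base-36 alphabet in the order Python's int(code, 36) expects (digits first).
ALPHABET = string.digits + string.ascii_lowercase


def encode_base36(n: int) -> str:
    """Encode a non-negative integer as a lowercase base-36 shortcode."""
    if n < 0:
        raise ValueError("shortcodes are derived from non-negative integers")
    if n == 0:
        return ALPHABET[0]
    digits = []
    while n:
        n, rem = divmod(n, 36)
        digits.append(ALPHABET[rem])
    return "".join(reversed(digits))


class SequentialShortener:
    """Weak design (hypothetical): the shortcode is a base-36 counter, so every
    issued link is adjacent to the previous one in the code space."""

    def __init__(self, start: int = 1000) -> None:
        self._counter = count(start)
        self._links: Dict[str, str] = {}

    def shorten(self, url: str) -> str:
        code = encode_base36(next(self._counter))
        self._links[code] = url
        return code

    def resolve(self, code: str) -> Optional[str]:
        return self._links.get(code)


class RandomShortener:
    """Hardened design (hypothetical): each shortcode is drawn from a CSPRNG,
    so one code says nothing about any other (8 base-36 chars is about 41 bits)."""

    def __init__(self, length: int = 8) -> None:
        self._length = length
        self._links: Dict[str, str] = {}

    def shorten(self, url: str) -> str:
        while True:
            code = "".join(secrets.choice(ALPHABET) for _ in range(self._length))
            if code not in self._links:  # retry on the (rare) collision
                self._links[code] = url
                return code

    def resolve(self, code: str) -> Optional[str]:
        return self._links.get(code)


def audit_predictability(codes: List[str], max_gap: int = 100) -> bool:
    """Operator self-check: given codes in the order they were issued, return
    True if they decode to a near-consecutive run of integers, meaning the
    link table is enumerable from a single observed code."""
    values = [int(c, 36) for c in codes]
    if len(values) < 2:
        return False
    gaps = [b - a for a, b in zip(values, values[1:])]
    return all(0 < g <= max_gap for g in gaps)
```

Running `audit_predictability` over the first few codes a service hands out is a cheap pre-deployment check; a counter-based scheme fails it immediately, while the CSPRNG scheme passes because consecutive codes are unrelated.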

A number of clues pointed to India, as several of Dark Basin’s URL shortening services contained names associated with India such as Holi, Rongali and Pochanchi, two of which are the names of Indian festivals.

The Indian origin theory was further strengthened by the fact that many of the timestamps within the phishing emails correlated with the working hours in India’s time zones.
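Correlating e-mail timestamps with a time zone's office hours is a standard, if weak, attribution signal. The Python example below is added here to show how an analyst would run that comparison; it is not code or data from the Citizen Lab report. It parses RFC 2822 `Date` headers, converts each to a set of candidate time zones and scores each zone by the fraction of messages that land on a weekday between 09:00 and 18:00 local time. The sample headers, the candidate zones and the office-hours window are constructed for this illustration.

```python
from datetime import timedelta, timezone
from email.utils import parsedate_to_datetime
from typing import Dict, Iterable, List, Tuple

# Constructed sample Date headers standing in for a batch of phishing e-mails;
# these are illustrative values, not headers from the Citizen Lab report.
SAMPLE_DATE_HEADERS: List[str] = [
    "Mon, 02 Mar 2020 04:15:00 +0000",
    "Tue, 03 Mar 2020 06:40:00 +0000",
    "Wed, 04 Mar 2020 09:05:00 +0000",
    "Thu, 05 Mar 2020 11:50:00 +0000",
    "Fri, 06 Mar 2020 03:35:00 +0000",
    "Mon, 09 Mar 2020 08:20:00 +0000",
    "Tue, 10 Mar 2020 10:30:00 +0000",
    "Wed, 11 Mar 2020 05:00:00 +0000",
    "Thu, 12 Mar 2020 14:10:00 +0530",  # sender's own offset, not UTC
]

# Candidate zones as (hours, minutes) offsets from UTC; fixed offsets are used
# here for simplicity, so daylight-saving shifts are not modelled.
CANDIDATE_ZONES: Dict[str, Tuple[int, int]] = {
    "IST (UTC+5:30)": (5, 30),
    "UTC": (0, 0),
    "US Eastern (UTC-5)": (-5, 0),
}

WORK_START, WORK_END = 9, 18  # assumed local office hours (inclusive/exclusive)


def in_working_hours(header: str, offset: Tuple[int, int]) -> bool:
    """True if the Date header falls on a weekday within office hours
    once converted to the given fixed UTC offset."""
    dt = parsedate_to_datetime(header)
    if dt.tzinfo is None:  # a "-0000" header parses as naive; treat as UTC
        dt = dt.replace(tzinfo=timezone.utc)
    hours, minutes = offset
    local = dt.astimezone(timezone(timedelta(hours=hours, minutes=minutes)))
    return local.weekday() < 5 and WORK_START <= local.hour < WORK_END


def working_hours_fit(headers: Iterable[str],
                      zones: Dict[str, Tuple[int, int]]) -> Dict[str, float]:
    """Score each candidate zone by the fraction of messages sent in its
    office hours. Higher means the zone is a better fit for the operators."""
    headers = list(headers)
    if not headers:
        raise ValueError("need at least one Date header to score")
    return {
        name: sum(in_working_hours(h, off) for h in headers) / len(headers)
        for name, off in zones.items()
    }


def best_fit_zone(headers: Iterable[str],
                  zones: Dict[str, Tuple[int, int]]) -> str:
    """Return the candidate zone whose office hours cover the most messages."""
    fit = working_hours_fit(list(headers), zones)
    return max(fit, key=fit.get)
```

On the constructed sample every message lands in Indian office hours, a third in UTC office hours and none in US Eastern office hours. In practice this is corroborating evidence only: header clocks can be set arbitrarily, operators keep irregular hours, and the score should be weighed alongside infrastructure and open-source links such as those the report describes.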

Working with US cyber firm NortonLifeLock, Citizen Lab made numerous ‘technical links’ between the phishing campaigns and individuals connected to New Delhi-based firm BellTroX InfoTech Services.

The hackers appear to have been incredibly sloppy: the researchers were able to identify several BellTroX employees because their online conduct overlapped with the hacking activity of Dark Basin.

The report states that, incredibly, the hackers used “personal documents, including a CV, as bait content when testing their URL shorteners. They also made social media posts describing and taking credit for attack techniques containing screenshots of links to Dark Basin infrastructure.”

As of June 7 2020, BellTroX’s website had been removed and a number of materials linking the firm to hacking operations had been taken down.
