Hackers for hire targeted journalists, politicians, political activists

Canada's Citizen Lab has shed light on a hack-for-hire espionage operation, referred to as Dark Basin, that has targeted thousands of individuals and hundreds of institutions all over the world, including advocacy groups, journalists, elected officials, lawyers, hedge funds and companies.

“Over the course of our multi-year investigation, we found that Dark Basin likely conducted commercial espionage on behalf of their clients against opponents involved in high profile public events, criminal cases, financial transactions, news stories, and advocacy,” the Citizen Lab researchers said in an extensive report. “In addition to the targeting of civil society, we found that journalists from multiple major US media outlets were also targeted.”

As part of the investigation, which started in 2017, Citizen Lab discovered almost 28,000 shortened URLs containing the e-mail addresses of targets. While the researchers initially suspected the campaign was state-sponsored, the variety of targets later led them to conclude that Dark Basin is a hack-for-hire operation.

The Dark Basin operation has been linked to India-based company BellTroX InfoTech Services, a technology consultancy that advertised services such as “cyber intelligence” with the slogan “you desire, we do!” BellTroX’s director, Sumit Gupta, was indicted in California in 2015 for his role in a similar hack-for-hire scheme, according to Citizen Lab.

The link between Dark Basin and India rests on the fact that hundreds of phishing emails associated with the operation carry timestamps consistent with working hours in India’s time zone, and the same pattern of timestamps was observed in phishing kit source code the group left openly online. Additionally, several of Dark Basin’s URL shortening services had names associated with India: Holi, Rongali, and Pochanchi.
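The working-hours inference described above can be reproduced on a set of email Date headers: convert each send time into every candidate operator time zone and see which zone puts the most messages inside a normal working day. The script below is an added illustration of that method, not Citizen Lab's code; the Date headers are constructed sample data, and the candidate zones are assumed fixed UTC offsets rather than DST-aware zones so the example runs with the standard library alone.

```python
from datetime import timedelta, timezone
from email.utils import parsedate_to_datetime

# Constructed sample Date headers (not real Dark Basin data): a sender working
# roughly 10:00-18:00 India time, relayed through servers in mixed zones.
SAMPLE_DATE_HEADERS = [
    "Mon, 3 Jun 2019 04:42:11 +0000",
    "Mon, 3 Jun 2019 10:15:27 +0530",
    "Tue, 4 Jun 2019 06:03:40 +0000",
    "Tue, 4 Jun 2019 12:30:02 +0530",
    "Wed, 5 Jun 2019 08:55:19 +0000",
    "Wed, 5 Jun 2019 01:20:00 -0700",   # 08:20 UTC, i.e. 13:50 in India
    "Thu, 6 Jun 2019 11:45:33 +0530",
    "Thu, 6 Jun 2019 12:10:08 +0000",
    "Fri, 7 Jun 2019 05:05:05 +0000",
    "Fri, 7 Jun 2019 16:40:50 +0530",
]

# Candidate operator zones as fixed UTC offsets in hours (assumption: fixed
# offsets stand in for real, DST-aware zones to keep the example offline).
CANDIDATE_ZONES = {
    "India (UTC+5:30)": 5.5,
    "UTC": 0.0,
    "Moscow (UTC+3)": 3.0,
    "US Eastern (UTC-4, summer)": -4.0,
}
WORK_START, WORK_END = 9, 18  # local working day: 09:00 inclusive to 18:00 exclusive


def local_hours(date_headers, offset_hours):
    """Local send hour (0-23) of each header when viewed from the given UTC offset."""
    tz = timezone(timedelta(hours=offset_hours))
    return [parsedate_to_datetime(h).astimezone(tz).hour for h in date_headers]


def working_hours_fraction(date_headers, offset_hours):
    """Share of messages that fall inside local working hours under this offset."""
    hours = local_hours(date_headers, offset_hours)
    inside = sum(1 for h in hours if WORK_START <= h < WORK_END)
    return inside / len(hours)


def best_fit_zone(date_headers, candidates=CANDIDATE_ZONES):
    """Score every candidate zone; return (zone name, working-hours fraction) of the best fit."""
    scored = {name: working_hours_fraction(date_headers, off) for name, off in candidates.items()}
    best = max(scored, key=scored.get)
    return best, scored[best]
```

Date headers are set by the sending client and can be altered or spoofed, so this signal is corroborating evidence, not proof on its own; the report combined it with the shortener names and the operators' own online footprint.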

“We were able to identify several BellTroX employees whose activities overlapped with Dark Basin because they used personal documents, including a CV, as bait content when testing their URL shorteners. They also made social media posts describing and taking credit for attack techniques containing screenshots of links to Dark Basin infrastructure,” the researchers said.

According to Citizen Lab, Dark Basin regularly adapted its tactics, techniques, and procedures (TTPs): it sent phishing emails from a range of accounts, including Gmail accounts as well as self-hosted accounts, and varied the bait content, message volume, and persistence over time, presumably according to the payment received.

The phishing emails contained malicious links that led to credential phishing sites disguised as popular online web services such as Google Mail, Yahoo Mail, Facebook, and others.

The researchers said that in several cases Dark Basin left the source code of their phishing kit openly accessible. This source code included references to log files as well as scripts that processed details including usernames and passwords entered by victims. The collected data was then sent to a Gmail address controlled by Dark Basin.

“Dark Basin’s activities make it clear that there is a large and likely growing hack-for-hire industry,” the researchers said.

“The growth of a hack-for-hire industry may be fueled by the increasing normalization of other forms of commercialized cyber offensive activity, from digital surveillance to ‘hacking back,’ whether marketed to private individuals, governments or the private sector. Further, the growth of private intelligence firms, and the ubiquity of technology, may also be fueling an increasing demand for the types of services offered by BellTroX. At the same time, the growth of the private investigations industry may be contributing to making such cyber services more widely available and perceived as acceptable.”