Security researchers have published an extensive report detailing the activities of a hacker-for-hire group that has targeted at least 3,500 individuals and organizations, including human rights activists, journalists, politicians, senior telco engineers, and cryptocurrency users.
The Russian-speaking threat actor, which calls itself "Rockethack" and is tracked by Trend Micro as "Void Balaur", has been active since at least 2015. It focuses primarily on cyberespionage and data theft, selling the stolen information to anyone willing to pay. The group has advertised its services on Russian-speaking forums since at least 2017, offering everything from hacking into corporate email inboxes or social media accounts to selling victims' sensitive personal and financial data, including telco records, passenger flight records, banking data, and passport details.
Void Balaur's prices range from around $20 for a stolen credit history and $69 for traffic camera shots to over $800 for phone call records with cell tower locations.
In 2019, Void Balaur also began selling the sensitive private data of Russian individuals, including passport and flight information, criminal records, credit history, account balance and statements, and even printouts of SMS messages.
"The telecom data that Void Balaur is peddling includes phone call records with cell tower locations that could reveal who a person has been calling, the duration of the calls, and the approximate location where the calls were made," the report reads. "Knowledge of these details could serve several purposes, including committing serious crimes."
It is not clear how the group has obtained such an extensive trove of information, particularly the telecom data. Possible explanations include compromised telecom engineers or a compromise of the telecom systems themselves, the researchers said.
The group also appears to target organizations likely to hold highly sensitive data on people, including mobile operators and cellular equipment vendors, radio and satellite communication companies, and ATM vendors. Insider access at any of these would explain the breadth of the records on sale.
Trend Micro linked Void Balaur to attacks against human rights activists and journalists in Uzbekistan, as well as Belarusian presidential candidates in 2020 and several political leaders in an unnamed Eastern European country. The group also targeted executives and directors at a large Russian company between 2020 and 2021.
The researchers said that there is some overlap between Void Balaur's targets and those of the Russia-backed APT28 (aka Fancy Bear or Pawn Storm), but not enough to establish a clear link.
"It’s possible that these were not one-off attacks, but a part of a larger campaign with multiple fronts. In addition, while seemingly financially motivated, many of the threat actor’s campaigns could be driven by the desire to cause disruption and strife among their victims," Trend Micro said.
The threat actor uses specialized malware such as Z*Stealer, which harvests credentials from instant messaging apps, email clients, browsers, and Remote Desktop Protocol (RDP) programs, and also steals cryptocurrency wallets.
Another tool in Void Balaur's arsenal is DroidWatcher, an infostealer with spying and remote tracking capabilities.
More details on Void Balaur’s campaigns, as well as Indicators of Compromise (IoCs) associated with the group’s activities, are provided in Trend Micro’s report.
Last year, Canada's Citizen Lab exposed a separate hack-for-hire espionage operation, dubbed Dark Basin, that had targeted thousands of individuals and hundreds of institutions worldwide, including advocacy groups, journalists, elected officials, lawyers, hedge funds, and companies.