The group, a "cybermercenary" team called "Dark Basin," has been using targeted phishing campaigns to infiltrate organizations and conduct illicit investigations at the behest of wealthy clients, according to a new report published this week by Citizen Lab, a research unit with the University of Toronto. Among the group's many targets were nonprofits, activists, politicians, journalists and government officials. The group also appears to have targeted hedge funds, short sellers and financial journalists.
The report states with "high confidence" that a little-known cyberfirm based in India is behind the global spy operations. BellTroX Digital Security, a Delhi-based company that advertises its services as involving "ethical hacking," is run by a businessman named Sumit Gupta. Gupta has denied any wrongdoing, according to Reuters, though he was indicted in 2015 for a hack-for-hire scheme similar to the ones his company is currently being accused of facilitating.
Many of the group's targets appear to have been engaged in activism against large corporations — most notably environmental activism. Targets include organizations involved in the #ExxonKnew campaign, which accuses energy giant Exxon Mobil of having spent decades covering up evidence of global warming. Exxon Mobil has not been accused of any wrongdoing in the hacking case.
Similarly, the group is said to have targeted activists involved in net neutrality advocacy efforts, as well as a wide variety of government officials. State and local governments in the U.S. were also among those targeted, said John Scott-Railton, one of Citizen Lab's lead researchers, in a phone call with Government Technology.
"We found targeting of [government] officials in multiple countries, very senior people, people in multiple parts of governments," said Scott-Railton. "The existence of this group absolutely represents a threat to the ability of governments, especially governments that are attempting to hold powerful companies and entities accountable for bad behavior," he said, adding that he felt BellTroX may be just one "tool in the quiver" of its customers.
Citizen Lab, which has been conducting their research with the help of NortonLifeLock, began their investigation close to three years ago.
"The initial seed came from a journalist who was targeted with suspicious emails," said Scott-Railton. "From that initial seed we began pulling a thread."
That thread-pulling involved investigating URL shorteners that the hackers had used, which can mask the source of fake sites used in phishing operations. Researchers were able to trace these shorteners back to source sites, which eventually revealed some 28,000 fake websites setup by "Dark Basin."
"The irony is that the very technique they used to disguise themselves from their targets made it possible to comprehensively unwrap what they were doing," he said.
This kind of cybermercenary activity is likely widespread, said Scott-Railton.
"The market is large and goes beyong BellTroX," he said. "The issue is this particular area just has not achieved the level of scrutiny that some other cybercriminal activity has. So part of what we're trying to do with this report is make people realize that this is a booming industry, and that because of its existence, secrets are less safe, whether you're in government, industry, or civil society."
Scott-Railton said he and his fellow researchers believe that companies like BellTroX may be routinely hired by private investigators and that their use may be something of an "open secret" in that industry.
"Hack-for-hire groups like BellTroX think that they can act with impunity," he said. "Everything about their security mistakes, everything about their public-facing identity, suggests that they're playing it as close to the edge as possible. To us, that reads that they feel like they are untouchable."
"So, with this report we decided to reach out and touch them," he added.
How many clients do they have?
"We think they have hundreds," said Scott-Railton. "Their client pool is as diverse as their target pool. One common threat is that we think there is often the involvement of private investigators and law firms."
The report makes note of the fact that BellTroX received numerous "endorsements" from state and local police agencies on Linkedin. Scott-Railton said this does not necessarily mean those agencies were clients.
"An endorsement as we all know, doesn't mean much on LinkedIn," he said. "That said, it's definitely interesting. It presents an interesting avenue for further investigation...There are many questions here that we just don't have the answers to yet," he said.
The threat these groups pose to democratic institutions is great, the researcher added.
"They represent a threat to every sector: business is less safe because these guys exist and government is less safe. Elected officials all over the globe were targeted by these people," he said. "It's important to keep in mind that what these guys do is hacking-as-a-service... they're allowing for the offshoring of these activities. At the same time, that offshoring, combined, means that its very hard for any individual target — even governments — to really piece together the full scope and scale of what's going on."
Scott-Railton said that his research group will likely be revealing more about their findings soon. In the meantime, Citizen Lab has shared its findings with the U.S. Department of Justice.
"We look forward to continuing to vigorously investigate this case," he said.
