Citizen Lab has uncovered a large hack-for-hire operation sprawling across six continents and targeting hundreds of institutions and thousands of individuals, including journalists, government officials, CEOs, lawyers and human rights activists. Among the targeted organisations were US advocacy organisations working on climate change and net neutrality.
The group behind these operations, Dark Basin, is allegedly linked to an obscure Delhi-based IT firm, BellTroX InfoTech Services.
According to a Reuters report, Sumit Gupta, founder of BellTroX InfoTech, has denied any wrongdoing.
Mint has also reached out to BellTroX and will update the story when we have their comments.
Citizen Lab has alerted hundreds of individuals and institutions who were targeted by the group and has shared materials confirming their targeting with the US Department of Justice (DOJ).
They have also shared technical information gathered during their investigation with researchers at cybersecurity company NortonLifeLock, who are conducting a parallel investigation into Dark Basin’s operations.
Citizen Lab’s investigation into Dark Basin started in 2017 when they were contacted by a journalist who was the target of a phishing attack. They linked the phishing attack to a custom URL shortener used to mask the phishing links.
The shortener was part of a larger network of custom URL shorteners and was used by a single group, named Dark Basin.
The shorteners created URLs with sequential shortcodes, which allowed the researchers to enumerate them and identify almost 28,000 more such URLs containing the e-mail addresses of targets.
Using open source intelligence techniques, Citizen Lab identified hundreds of targeted individuals and organizations.
Further investigation revealed that the timestamps found in hundreds of phishing emails were consistent with working hours in India’s UTC+5:30 time zone.
The Electronic Frontier Foundation (EFF), in its investigation into a Dark Basin phishing attack against net neutrality advocacy groups, had also found timestamps corresponding to the Indian time zone.
Further, several URL shortening services used by Dark Basin had Indian festival names such as Holi and Rongali. Some log files also show that Dark Basin conducted testing using an IP address in India.
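The timestamp reasoning described above can be mechanised. The following is an added example, not Citizen Lab's or EFF's tooling: it parses RFC 2822 `Date` headers, converts each to a set of candidate time zones and scores how many fall in a weekday 09:00-18:00 window; the sample headers, the candidate zones and the working-hours window are all assumptions.

```python
from collections import OrderedDict
from datetime import timedelta, timezone
from email.utils import parsedate_to_datetime

# Constructed sample Date headers (not taken from any real phishing mail);
# mixed UTC offsets, as seen when mail passes through different relays.
SAMPLE_DATES = [
    "Mon, 3 Jun 2019 04:12:09 +0000",   # 09:42 IST, Monday
    "Tue, 4 Jun 2019 10:30:00 +0530",   # 10:30 IST, Tuesday
    "Wed, 5 Jun 2019 08:05:44 -0400",   # 17:35 IST, Wednesday
    "Thu, 6 Jun 2019 13:50:01 +0000",   # 19:20 IST, outside the window
    "Fri, 7 Jun 2019 05:00:00 +0000",   # 10:30 IST, Friday
    "Sat, 8 Jun 2019 06:00:00 +0000",   # 11:30 IST, but a weekend
]

IST = timezone(timedelta(hours=5, minutes=30))

# Candidate zones to compare against (assumed; extend as the case requires).
CANDIDATE_ZONES = OrderedDict([
    ("UTC+05:30", IST),
    ("UTC+00:00", timezone.utc),
    ("UTC-05:00", timezone(timedelta(hours=-5))),
])


def working_hours_fraction(date_headers, tz=IST, start=9, end=18):
    """Fraction of messages sent Mon-Fri between `start` and `end` local hour in `tz`.

    Date headers are sender-controlled and can be forged, so this is one
    corroborating signal, not proof; it only becomes meaningful over a
    large sample such as the hundreds of messages the report examined.
    """
    total = hits = 0
    for header in date_headers:
        local = parsedate_to_datetime(header).astimezone(tz)
        total += 1
        if local.weekday() < 5 and start <= local.hour < end:
            hits += 1
    return hits / total if total else 0.0


def rank_timezones(date_headers, candidates=CANDIDATE_ZONES):
    """Rank candidate zones by how much of the activity lands in working hours."""
    scores = [(name, working_hours_fraction(date_headers, tz))
              for name, tz in candidates.items()]
    return sorted(scores, key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    for name, score in rank_timezones(SAMPLE_DATES):
        print(f"{name}: {score:.2f} of messages in weekday working hours")
```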
During the investigation, Citizen Lab allegedly found that the activities of several BellTroX employees overlapped with those of Dark Basin. Some of the content used as bait to test the URL shorteners included personal documents such as CVs.
Citizen Lab also alleges that some of the employees took credit for the attack techniques in social media posts that included screenshots of links to Dark Basin.
Researchers at Citizen Lab believe that there is a large and likely growing hack-for-hire industry, adding, “Hack-for-hire groups enable companies to outsource activities like those described in this report, which muddies the waters and can hamper legal investigations.”
Citizen Lab is an interdisciplinary laboratory based at the Munk School of Global Affairs at the University of Toronto, Canada. It helped Facebook investigate the Pegasus spyware that targeted 1,400 individuals by exploiting a vulnerability in WhatsApp.