A team of cybersecurity researchers today exposed a little-known Indian IT company that has been secretly operating as a global hacker-for-hire service, effectively a hacking-as-a-service platform.
BellTroX InfoTech, based in Delhi, is said to have targeted thousands of high-profile individuals and hundreds of organizations on six continents over the past seven years.
The group does not appear to be state-sponsored; it more likely operates as a hack-for-hire company that conducts commercial cyber espionage against specific targets on behalf of private investigators and their clients.
According to the latest report published by the University of Toronto's Citizen Lab, BellTroX – tracked as the "Dark Basin" hacking group – targeted stakeholders, high-ranking politicians, government officials, CEOs, journalists, and human rights defenders.
"Over the course of our multi-year investigation, we found that Dark Basin was likely conducting commercial espionage on behalf of its customers against opponents involved in high-profile public events, criminal cases, financial transactions, news, and advocacy," the report said.
Citizen Lab began its 'Dark Basin' investigation in 2017 after a journalist contacted the lab about phishing sites hosted on Phurl, a self-hosted open source URL shortener.
The researchers found that attackers used the same URL shortener to mask at least 27,591 other phishing links that contained the targets' email addresses.
"Because the shortener created URLs with sequential shortcodes, we were able to enumerate them and identify nearly 28,000 additional URLs that contained target email addresses."
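The enumeration described above worked because each shortcode was a predictable rendering of an auto-increment counter. The following is an added example, not code from the Citizen Lab report or the Phurl project, showing the weak setting (base-62 sequential codes) beside the hardened one (CSPRNG-drawn codes), plus an audit check a self-hosted shortener operator can run over a sample of codes their own deployment issued in order. The alphabet, widths and helper names are assumptions for the illustration.

```python
"""Constructed example: why a URL shortener that issues sequential shortcodes
is enumerable, and how to audit a deployment for that property and fix it.
Not code from Citizen Lab or Phurl; the base-62 alphabet is an assumption.
"""
import math
import secrets
import string

ALPHABET = string.ascii_letters + string.digits  # assumed 62-symbol alphabet


def encode_sequential(counter: int, width: int = 6) -> str:
    """Weak setting: a base-62 rendering of an auto-increment row id.
    Anyone who sees one code can derive every neighbouring code."""
    digits = []
    n = counter
    while True:
        n, rem = divmod(n, 62)
        digits.append(ALPHABET[rem])
        if n == 0:
            break
    return "".join(reversed(digits)).rjust(width, ALPHABET[0])


def decode_base62(code: str) -> int:
    """Inverse of encode_sequential (used only by the audit check)."""
    n = 0
    for ch in code:
        n = n * 62 + ALPHABET.index(ch)
    return n


def random_code(width: int = 10) -> str:
    """Hardened setting: a CSPRNG-drawn code with no relation to earlier ones."""
    return "".join(secrets.choice(ALPHABET) for _ in range(width))


def looks_sequential(codes: list) -> bool:
    """Audit check: do consecutively issued codes decode to consecutive ints?
    Feed it codes in the order your own shortener handed them out; True means
    the whole link table can be walked from a single leaked code."""
    if len(codes) < 2:
        return False
    values = [decode_base62(c) for c in codes]
    steps = {b - a for a, b in zip(values, values[1:])}
    return steps == {1}


def keyspace_bits(width: int) -> float:
    """Work factor for blind guessing of random codes of the given width."""
    return width * math.log2(len(ALPHABET))


if __name__ == "__main__":
    issued = [encode_sequential(i) for i in range(4000, 4005)]  # constructed sample
    print("sequential codes:", issued, "enumerable:", looks_sequential(issued))
    print("random codes:", [random_code() for _ in range(3)],
          "guess space bits:", round(keyspace_bits(10), 1))
```

The audit check is deliberately strict (every step must be exactly 1); a shortener that skips ids on failed inserts would show steps of 2 or 3, which is still worth flagging by loosening the set test to "all steps small and positive".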
Originally suspected of being state-funded, the hacking group was later identified as a hack-for-hire operation because of the sheer number and diversity of its targets.
Interestingly, Sumit Gupta, the owner of BellTroX, was indicted in California in 2015 for his role in a similar hack-for-hire scheme, along with two private investigators who admitted to paying him to hack the accounts of marketing executives.
"Dark Basin has made copies of the phishing kit's source code openly available online, as well as log files" that "record every interaction with the phishing credential website, including testing activities performed by Dark Basin operators," said Citizen Lab.
"We identified several BellTroX employees whose activities overlapped with those of Dark Basin because they used personal documents, including a resume, as bait content when testing their URL shorteners."
"They also wrote social media posts describing and recognizing attack techniques that include screenshots of links to the Dark Basin infrastructure."
Citizen Lab notified hundreds of people and institutions that BellTroX was targeting and, at the request of several targets, shared its findings with the US Department of Justice (DOJ).
"Dark Basin has a remarkable portfolio of targets, from senior government officials and candidates in several countries to financial services companies such as hedge funds and banks, and pharmaceutical companies."
"Many of Dark Basin's targets have a strong but unconfirmed sense that the targeting is linked to a dispute or conflict with a particular party they know."
Cybersecurity company NortonLifeLock also conducted a parallel investigation into Dark Basin's operations, which it tracks as "Mercenary.Amanda", and released a list of indicators of compromise (IoCs).