Hack-for-Hire Group Wages Espionage, Fake News CampaignsBlackBerry: 'Bahamut' Paid to Target Political Victims in Asia, Middle East
A hack-for-hire group dubbed "Bahamut" is renting out its espionage and disinformation services to the highest bidder to target nonprofit organizations and diplomats across the Middle East and southern Asia, according to security researchers at BlackBerry.
Bahamut is targeting victims to further certain political causes, create service disruption or gain personal information and other data, the researchers say.
The BlackBerry researchers identified several fake news websites the Bahamut group created to push disinformation content. They also discovered a phishing infrastructure and malicious apps installed in the official Google Play and Apple App stores used to target specific victims and organizations.
Because the group's targets lack a unifying pattern, the hackers likely sell their services to the highest bidder, Blackberry reports.
"The sophistication and sheer scope of malicious activity that our team was able to link to Bahamut is staggering," notes Eric Milam, vice president of research operations at BlackBerry. "Not only is the group responsible for a variety of unsolved cases that have plagued researchers for years, but we also discovered that Bahamut is behind several extremely targeted and elaborate phishing and credential harvesting campaigns, hundreds of new Windows malware samples, use of zero-day exploits, anti-forensic/AV evasion tactics and more."
Bahamut, which has been active for several years, has been known to security researchers by various names, including EHDevel, WindShift, Urpage and The White Company, according to the report.
The group's capabilities, however, were not fully understood because it uses a wide range of techniques to obscure its tactics and operations. These include using malware as a last resort as well as precision targeting - often attacking specific victims after years of research.
The BlackBerry analysis of the group's toolkit also revealed the use of publicly available tools and adoption of attack strategies from other threat groups. These include exploiting zero-day vulnerabilities and using anti-forensic and antivirus evasion tactics.
BlackBerry researchers analyzed over 20 research reports on Bahamut by other security companies in compiling its own report.
"This is an unusual group in that their operational security is well above average, making them hard to pin down," Milam notes. "They rely on malware as a last resort, are highly adept at phishing, tend to aim for mobile phones of specific individuals as a way into an organization, show an exceptional attention to detail and, above all, are patient. They have been known to watch their targets and wait for a year or more in some cases."
BlackBerry found that Bahamut hackers developed disinformation campaigns by creating fake news websites that contain well-crafted applications and made-up personas.
In one case, the group took over the domain of an unidentified information security news portal and began pushing out content on geopolitics, research and industry news about other hack-for-hire groups, the report notes. The hacking group used the names and photos of legitimate news anchors in the U.S., the report adds.
"In some cases, the news outlets Bahamut created were also accompanied by social media accounts and other websites to present a veneer of legitimacy," BlackBerry notes.
Another example is a site called Techsprouts, a legitimate site run by journalists in India that went out of business. At some point, the Bahamut hackers took over the domain and created fake personas using images of real U.S. TV news anchors.
While the BlackBerry report notes that the hacking group will sometimes use these fake sites as part of its phishing campaigns, it's possible that these websites serve other purposes as well.
Other researchers concluded that the group used the sites “as a way to discern the click habits of their targets," BlackBerry notes. "BlackBerry is unable to verify this theory, though it certainly seems well within the realm of possibility."
The attackers also use malicious mobile apps to target their victims. BlackBerry's research uncovered seven malicious iOS apps and two Android apps downloadable from the official app stores.
Because these applications were supported by well-designed websites and included privacy policies and written terms of service documents, the hacking group was able to bypass safeguards put in place by Google and Apple, the report notes.
A Google spokesperson told Reuters that all the malicious apps mentioned in the BlackBerry report have been removed from its app store.
A spokesperson for Apple confirmed that two of the seven apps were no longer available in its app store. But because the BlackBerry report did not provide enough information on the remaining apps, Apple is still determining if they are malicious, according to Reuters.
Surge in Demand
In recent months, researchers have been uncovering more activities of hack-for-hire groups.
In August, security firm Bitdefender discovered the activities of a hacking group called "StrongPity," which was hired to conduct a corporate espionage campaign against an international architectural and video production company (see: Luxury Real Estate Rivalry Involved Hired Hackers).
At about the same time, Kaspersky found a hack-for-hire group dubbed "DeathStalker" was targeting small law firms and financial institutions for cyberespionage (see: Hacking-for-Hire Group Expands Cyber Espionage Campaign).
In May, Google Threat Analysis revealed a hack-for-hire group in India spoofed World Health Organization emails to steal credentials from employees at financial services, consulting and healthcare firms around the world (see: 'Hack for Hire' Groups Spoof WHO Emails to Steal Data).