In this week's EXPOSED!, I look at a modern manifestation of the oldest profession, prostitution, with an investigation into the gunslingers of the 21st Century!
The 'hacker for hire' industry is growing and becoming more accessible to adversaries who deploy it against each other in disputes, whether between corporations, between governments, or for targeting non-profits and reporters.
According to a new report by The Citizen Lab, which is a Toronto-based digital espionage research organization, a group of global hackers dubbed “Dark Basin” are targeting American activists who are campaigning against Exxon Mobil for withholding information about the global warming crisis. The report stated that:
“The extensive targeting of American non-profits exercising their first amendment rights is exceptionally troubling”.
John Scott-Railton, who is a senior researcher at The Citizen Lab, stated:
“Everyone is familiar with getting phishing and spam emails in their mailbox all the time. The difference is that in this case the people behind them are not just faceless cyber-criminals looking to steal your Gmail account and use it to spam your friends about time shares and penis pills. This is people who have been sent after you with specific objectives to get information that is going to be used to harm you. This is one of the largest spy-for-hire operations ever exposed. In our investigation, we determined that hiring hackers may be a relatively common practice for many private investigators. The sheer scale of it is remarkable to us.”
The Citizen Lab linked the hacking efforts to BellTroX InfoTech Services, an Indian company. The company denied any wrongdoing; however, three former employees, outside researchers and a trail of online evidence suggested BellTroX had targeted government officials in Europe, gambling tycoons in the Bahamas and well-known investors in the United States, including private equity giant KKR and short seller Muddy Waters.
It was revealed that some of the email messages imitated colleagues or relatives, whilst others posed as Facebook login requests or graphic notifications to unsubscribe from pornography websites. According to The Citizen Lab, some phishing emails were made to look like Google News alerts with stories about Exxon. Others appeared to be colleagues sharing Dropbox documents about the campaign.
The organizations which consented to be named in the Citizen Lab report included the Rockefeller Family Fund, the Climate Investigations Center, Greenpeace, the Center for International Environmental Law, Oil Change International, Public Citizen, the Conservation Law Foundation, the Union of Concerned Scientists and 350.org.
Kert Davies, founder of the Climate Investigations Center, said he received one phishing attempt that looked like an email from a Washington-based reporter. He said:
“We don’t know who paid for it, the important thing was who was contracting with the Indian company to gather this intelligence. It’s nothing new. Any time I’ve done work in the past 25 years doing this stuff that starts to have an impact on a company, there is blowback”.
An Exxon spokesman said the company had no knowledge or involvement in the hacking activities and charged that The Citizen Lab receives financial support from “anti-fossil fuel groups”.
Outsourcing these types of services via private investigators and lawyers creates layers of obscurity and deniability, shielding the end client.
Early in October, Blackberry revealed that it had uncovered a huge hacker-for-hire group that targeted governments, businesses, human rights groups and influential individuals.
The name of the group is Bahamut, and the Blackberry report highlighted how it is able to set up a vast number of disinformation campaigns, ranging from a fake social media account to entire fabricated news websites, all in order to glean information from high-value targets or to promote specific causes.
Eric Milam, VP Research Operations at Blackberry, said:
“The sophistication and sheer scope of malicious activity that our team was able to link to Bahamut is staggering. Not only is the group responsible for a variety of unsolved cases that have plagued researchers for years, but we also discovered that Bahamut is behind a number of extremely elaborate phishing and credential harvesting campaigns, hundreds of new Windows malware samples, use of zero-day exploits, anti-forensic/AV evasion tactics, and more.
This is an unusual group in that their operational security is well above average, making them hard to pin down. They rely on malware as a last resort, are highly adept at phishing, tend to aim for mobile phones of specific individuals as a way into an organization, show an exceptional attention to detail and above all are patient – they have been known to watch their targets and wait for a year or more in some cases.”
The hackers managed to bypass safeguards at Google and Apple: the report uncovered nine malicious iOS apps and various Android apps as well. These were targeted at the UAE, as they were region-locked to that geographical area. The report also highlights the following about Bahamut:
At least one zero-day developer reflects a skill level beyond most other threat actor groups today.
Use of phishing and credential harvesting is aimed at very precise targets, and concerted, robust reconnaissance operations are conducted on targets prior to attack.
Clustered targeting in South Asia and the Middle East lends credence to a 'hacker for hire' operation.
A range of tools, tactics and targets suggests the group is well-funded, well-resourced and well-versed in security research.
For many years, hacking groups have operated as stand-alones, carrying out financially motivated attacks, stealing data and selling it for their own profit. The exposing of groups such as Bahamut shows a maturing hacker-for-hire scene, with more and more groups renting out their services to multiple customers with different agendas instead of operating as independents on one-off projects.