A large and sophisticated hacker-for-hire group has been targeting business leaders, government officials, and activists in the Middle East and India, according to a report from BlackBerry.
The security firm’s lengthy write-up describes a “vast fake empire” of websites, inauthentic social media accounts, and malicious mobile apps designed to steal credentials and monitor the shadowy organisation’s targets.
First disclosed by investigative journalists at Bellingcat in 2017, the group known as Bahamut has now been connected to at least five years’ worth of cyber espionage activity in the Persian Gulf and South East Asia.
Eric Milam, VP of Research Operations at BlackBerry, called the scope of Bahamut’s operations “staggering”.
“Not only is the group responsible for a variety of unsolved cases that have plagued researchers for years, but we also discovered that Bahamut is behind a number of extremely targeted and elaborate phishing and credential harvesting campaigns, hundreds of new Windows malware samples, use of zero-day exploits, anti-forensic/anti-virus evasion tactics, and more,” he said.
“This is an unusual group in that their operational security is well above average, making them hard to pin down.”
BlackBerry pieced together research from other security firms, such as Kaspersky, Trend Micro, and Symantec, with its own recent discoveries about the hacker-for-hire group.
Previously, the group has been involved in campaigns to gather information on Iranian women’s rights activists, a European human rights organisation, and government officials in Turkey and Iran.
Most recently, the group has reportedly targeted people interested in a Sikh separatist movement through a campaign leveraging legitimate-looking websites filled with relevant Sikh separatist content.
The BlackBerry team discovered that some of these websites were used to harvest personal information or to drop Android malware.
Although the company elaborated on a sophisticated malware development and deployment regime, which included well-hidden malicious apps on the Google Play and Apple App stores and zero-day Windows exploits, Milam said Bahamut operatives do not turn to malware as a first port of call.
“They rely on malware as a last resort, are highly adept at phishing, tend to aim for mobile phones of specific individuals as a way into an organisation, show an exceptional attention to detail and above all are patient,” he said.
“They have been known to watch their targets and wait for a year or more in some cases.”
Because of Bahamut’s patience, security researchers are still unsure about the specific motives behind its actions.
For example, after BlackBerry determined that a tech news site called Techsprouts had been taken over and was being operated by Bahamut, it could not decipher why the hacker-for-hire group would maintain the site.
The site was periodically updated by a ‘team’ of content writers whose author profile photos were lifted from elsewhere on the web and, according to BlackBerry, it did not host anything malicious.
One suggestion was that the group runs benign email campaigns and websites as a way of better understanding its targets’ click habits, so that it can deliver full malware and phishing attacks down the track.
BlackBerry did not attribute the Bahamut hackers to any specific nation state, instead concluding that it is “likely a mercenary group offering hack-for-hire services to a wide range of clients”.
Earlier this year researchers discovered another such group, the India-based Dark Basin organisation, which was allegedly used by disgraced German fintech Wirecard to target people who were looking closely at the company’s dodgy financials.