A hackers-for-hire group dubbed “Dark Basin” has targeted thousands of individuals and hundreds of institutions around the world, including advocacy groups, journalists, elected officials, lawyers, hedge funds and companies, according to the internet watchdog Citizen Lab.
Researchers discovered almost 28,000 web pages created by hackers for personalised “spear phishing” attacks designed to steal passwords, according to a report published on Tuesday by Citizen Lab, part of the University of Toronto’s Munk School.
“We see them again and again in areas where business and politics is contentious,” said John Scott-Railton, the lead author of the report, who said the hackers were “brazen, they seem to think they are untouchable”.
The report said a large cluster of targeted individuals and organisations were involved in environmental issues and had campaigned against ExxonMobil, the US oil producer. They included the Rockefeller Family Fund, the Climate Investigations Center, Greenpeace, the Conservation Law Foundation and the Union of Concerned Scientists. Exxon declined to comment before “reviewing the full report”.
“The growth of a hacking-for-hire industry may be fuelled by the increasing normalisation of other forms of commercialised cyber offensive activity, from digital surveillance to ‘hacking back’, whether marketed to private individuals, governments or the private sector,” the report said.
It added that relevant material had been shared with the US Department of Justice. The cyber security group NortonLifeLock also carried out a parallel investigation into the hacking.
Citizen Lab said: “Dark Basin’s targeting was widespread and implicated multiple industries.” It added that a prominent example was the targeting of “hedge funds, short sellers, journalists and investigators working on topics related to accounting irregularities at German payment processor Wirecard”.
Wirecard is one of Germany’s most prominent technology companies, which has faced critical scrutiny of its accounting for years. Its management board is under investigation on suspicion of market manipulation in relation to a recent special audit that failed to resolve questions of accounting fraud. The company and its executives have denied any wrongdoing.
Citizen Lab said that in the case of Wirecard critics, “some individuals were targeted almost daily for months, and continued to receive messages for years”. The report also said private emails from some of those targeted were made public through online posts including one in which correspondence between a Financial Times journalist and a researcher for a corporate intelligence firm was published in 2016.
The report said the hackers-for-hire group used to conduct the attacks was linked “with high confidence to an Indian company, BellTroX InfoTech”, a technology consultancy which advertised services such as “cyber intelligence” with the slogan “you desire, we do!”
The group’s website was taken down in recent days, and its phone number is disconnected. BellTroX did not respond to a request for comment by email.
The Citizen Lab report said previous hacking cases indicated that such hacking was arranged “through a murky set of contractual, payment, and information-sharing layers that may include law firms and private investigators, and which allow clients a degree of deniability and distance”.
The Citizen Lab investigation was launched after it was contacted in 2017 by a Reuters journalist who had investigated Wirecard and was targeted by a phishing campaign, according to people familiar with the situation. A number of FT journalists were also targeted with emails purporting to be from friends and colleagues, in some cases using photographs lifted from social media accounts.
The FT has previously reported that a former Libyan intelligence chief last year funded a surveillance operation in London targeting a string of investors thought to be critical of Wirecard. The payments group has previously said it commissioned an external forensics consultancy in 2016 to identify the background of short-sellers who had published a critical dossier about Wirecard, but has denied commissioning any surveillance to investigate or shadow individuals.
“Wirecard AG has at no time been in direct or indirect contact with a hacker group from India,” the payments group told the FT on Tuesday.
Phishing attacks by Dark Basin took the form of emails made to look like those from popular services such as YouTube, Dropbox and LinkedIn. They contained shortened website addresses, known as URLs, which took targets to pages designed to look like login forms.
Citizen Lab said the “sophistication of the bait content, specificity to the target, message volume, and persistence across time varied widely”.
The report said “we were able to identify several BellTroX employees whose activities overlapped with Dark Basin because they used personal documents, including a CV, as bait content when testing their URL shorteners. They also made social media posts describing and taking credit for attack techniques containing screenshots of links to Dark Basin infrastructure.”
In 2015 the US DoJ indicted several private investigators and an Indian national in relation to another hack-for-hire scheme. Four of those individuals subsequently pleaded guilty to hacking charges in an agreement with prosecutors, with one receiving a custodial sentence. The Indian national, who prosecutors said was believed to be in the New Delhi area and remained at large, is a director of BellTroX.
“The actions described in that indictment, including the extensive relationships with private investigators, are similar to those we ascribe to BellTroX,” the report said.
According to an archive of its website, BellTroX also provided medical transcription services to healthcare providers in the US, UK, Australia and Canada. Its LinkedIn page said “our services are being used by a number of NHS Trusts”.
Additional reporting by Derek Brower in London