A group of contracted hackers known as “Dark Basin” which is also known as BellTroX (BellTroX InfoTech Services) has attacked thousands of people and hundreds of institutions around the world that include non-profit organizations, journalists, officials, lawyers, investment fund companies, senior politicians, government prosecutors, CEOs and many more.
Researchers have discovered nearly 28,000 web pages created by the hackers to carry out specially crafted phishing attacks.
The services of BellTroX or the Dark Basin hacker group were used to attack senior politicians, government officials, company CEOs, journalists, and human rights defenders.
Here, the hacker group, Dark Basin, does not work as state-sponsored groups, as they work as an outsourcing company engaged in commercial cyber spying against the specific goals in the interests of private detectives and their clients.
Thousands of Targets Emerge
In 2017 the security firm, Citizen Lab, launched an investigation to examine the Dark Basin group after a journalist contacted them. The journalist came across the phishing pages that were served through the open-source Phurl URL shortener.
Later the security researchers discovered that the attackers used the same method to mask at least 27,591 different phishing links containing email addresses of the targets.
Initially, the Dark Basin group was suspected of having ties to the state but was later identified as a hack-for-hire that is based on a variety of targets.
But, still, it is curious, as, in 2015, Sumit Gupta (owner of BellTroX) was charged in California for playing his role in a similar hack-for-hire scheme. At that time, along with Sumit, two other private detectives were also charged who later confessed to paying Sumit Gupta to hack the accounts of top-level marketing directors.
Links to India
The “Dark Basin” group was controlled by a company called Belltrox Infotech Services located in New Delhi (India). Here, the hacks were contracted through a complex structure of payments and sharing of information in layers by both the operators of the Dark Basin group and contractors.
All these security procedures simply allow the operators and contractors to stay “clean & clear” in the eyes of government security agencies.
The security experts were also able to identify several BellTroX employees whose activities partially coincided with Dark Basin, as they used their personal documents, including a resume, as bait when testing URL shorteners.
Moreover, Indian festival names like Holi, Rongali, and Pochanchi were discovered by the security experts that are used by the Dark Basin for their several URL shortening services, as you can see on the images mentioned below.
Even some employees have also made posts on social networks that defined the attack methods and took charge of them. Even the messages included the screenshots of the links to the grouping infrastructure as well.
Hacking capabilities of BellTroX employees
The security researchers have also discovered that the employees who are working for the BellTroX have mentioned their hacking capabilities on the professionals’ social network, LinkedIn, and here they are mentioned below:-
- Email Penetration
- Corporate Espionage
- Phone Pinger
- Conducting a Cyber Intelligence Operation
According to the security experts at Citizen Lab, from the people working in different fields of corporate intelligence and private investigation, the Dark Basin group or BellTroX and their operators have received many endorsements.
Here are the people from different fields of corporate intelligence and private investigation has offered endorsements to BellTroX:-
- Canadian government officers.
- Investigators at the US Federal Trade Commission.
- Contract investigators for US Customs and Border Patrol.
- Government Officers from local and state law enforcement.
- Former officers of the FBI, police, military, and other branches of government as private investigators.
American Environmental Organizations were targeted
The Dark Basin group always targeted the American non-profit and environmental organizations that are working on a campaign known as #ExxonKnew and denounced the company ExxonMobil, the US oil company, for allegedly hiding information about the climate change for the decades.
Here are the list of targeted organizations:-
- Rockefeller Family Fund
- Climate Investigations Center
- Center for International Environmental Law
- Oil Change International
- Public Citizen
- Conservation Law Foundation
- Union of Concerned Scientists
- M+R Strategic Services
From the above image, you can see how at the advocacy organizations, specially crafted phishing messages were sent from the accounts simulating as close colleagues of the targeted ones, and all these messages are classified as confidential information concerning ExxonMobil.
Moreover, to attract the targets and deceive them the Dark Basin hacker group also used fake Google News updates concerning ExxonMobil as bait, and here’s the example below:-
Industries that are targeted
According to the data collected report by the security experts at Citizen Lab, Dark Basin has targeted and compromised multiple industries, and here they are listed below:-
- Hedge Funds
- Financial Journalists
- Short Sellers
- Global Banking and Financial Services
- Legal Services
- The Energy Sector
- Wealthy individuals from Eastern and Central Europe, Russia
- Personal Disputes
Tactics, Techniques, and Procedures used by Dark Basin group
To make the attacks sophisticated, the operators of the Dark Basin group used several types of techniques to adapt and refine their phishing attempts to deceive the email providers. Here the list of tactics, techniques, and procedures used by Dark Basin group:-
- Phishing Emails
- URL Shorteners
- Credential Phishing Websites
- Phishing Kit
- Testing the Phish
- Success Rates
Researchers already notified hundreds of individuals and organizations that became the target of Dark Basin or BellTroX and shared their findings with the US Department of Justice (DOJ) at the request of several victims.
So, what do you think about this? Share all your views and thoughts in the comment section below.