Thursday, July 18, 2024

Hack-For-Hire – Hacker Group Team up with Indian IT Company to Hack High Profiles Individuals Around the Globe

A group of contracted hackers known as “Dark Basin” which is also known as BellTroX (BellTroX InfoTech Services) has attacked thousands of people and hundreds of institutions around the world that include non-profit organizations, journalists, officials, lawyers, investment fund companies, senior politicians, government prosecutors, CEOs and many more.

Researchers have discovered nearly 28,000 web pages created by the hackers to carry out specially crafted phishing attacks.

The services of BellTroX or the Dark Basin hacker group were used to attack senior politicians, government officials, company CEOs, journalists, and human rights defenders.

Here, the hacker group, Dark Basin, does not work as state-sponsored groups, as they work as an outsourcing company engaged in commercial cyber spying against the specific goals in the interests of private detectives and their clients.

Thousands of Targets Emerge

In 2017 the security firm, Citizen Lab, launched an investigation to examine the Dark Basin group after a journalist contacted them. The journalist came across the phishing pages that were served through the open-source Phurl URL shortener. 

Later the security researchers discovered that the attackers used the same method to mask at least 27,591 different phishing links containing email addresses of the targets.

Initially, the Dark Basin group was suspected of having ties to the state but was later identified as a hack-for-hire that is based on a variety of targets. 

But, still, it is curious, as, in 2015, Sumit Gupta (owner of BellTroX) was charged in California for playing his role in a similar hack-for-hire scheme. At that time, along with Sumit, two other private detectives were also charged who later confessed to paying Sumit Gupta to hack the accounts of top-level marketing directors.

Links to India

The “Dark Basin” group was controlled by a company called Belltrox Infotech Services located in New Delhi (India). Here, the hacks were contracted through a complex structure of payments and sharing of information in layers by both the operators of the Dark Basin group and contractors. 

All these security procedures simply allow the operators and contractors to stay “clean & clear” in the eyes of government security agencies.

The security experts were also able to identify several BellTroX employees whose activities partially coincided with Dark Basin, as they used their personal documents, including a resume, as bait when testing URL shorteners.

Moreover, Indian festival names like Holi, Rongali, and Pochanchi were discovered by the security experts that are used by the Dark Basin for their several URL shortening services, as you can see on the images mentioned below.

Even some employees have also made posts on social networks that defined the attack methods and took charge of them. Even the messages included the screenshots of the links to the grouping infrastructure as well.

Hacking capabilities of BellTroX employees

The security researchers have also discovered that the employees who are working for the BellTroX have mentioned their hacking capabilities on the professionals’ social network, LinkedIn, and here they are mentioned below:-

  • Email Penetration
  • Exploitation
  • Corporate Espionage
  • Phone Pinger
  • Conducting a Cyber Intelligence Operation

According to the security experts at Citizen Lab, from the people working in different fields of corporate intelligence and private investigation, the Dark Basin group or BellTroX and their operators have received many endorsements.

Here are the people from different fields of corporate intelligence and private investigation has offered endorsements to BellTroX:-

  • Canadian government officers.
  • Investigators at the US Federal Trade Commission.
  • Contract investigators for US Customs and Border Patrol.
  • Government Officers from local and state law enforcement.
  • Former officers of the FBI, police, military, and other branches of government as private investigators.

American Environmental Organizations were targeted

The Dark Basin group always targeted the American non-profit and environmental organizations that are working on a campaign known as #ExxonKnew and denounced the company ExxonMobil, the US oil company, for allegedly hiding information about the climate change for the decades.

Here are the list of targeted organizations:-

  • Rockefeller Family Fund
  • Climate Investigations Center
  • Greenpeace
  • Center for International Environmental Law
  • Oil Change International
  • Public Citizen
  • Conservation Law Foundation
  • Union of Concerned Scientists
  • M+R Strategic Services

From the above image, you can see how at the advocacy organizations, specially crafted phishing messages were sent from the accounts simulating as close colleagues of the targeted ones, and all these messages are classified as confidential information concerning ExxonMobil.

Moreover, to attract the targets and deceive them the Dark Basin hacker group also used fake Google News updates concerning ExxonMobil as bait, and here’s the example below:-

Industries that are targeted

According to the data collected report by the security experts at Citizen Lab, Dark Basin has targeted and compromised multiple industries, and here they are listed below:-

  • Hedge Funds
  • Financial Journalists
  • Short Sellers
  • Global Banking and Financial Services
  • Legal Services
  • The Energy Sector
  • Wealthy individuals from Eastern and Central Europe, Russia
  • Government
  • Personal Disputes

Tactics, Techniques, and Procedures used by Dark Basin group

To make the attacks sophisticated, the operators of the Dark Basin group used several types of techniques to adapt and refine their phishing attempts to deceive the email providers. Here the list of tactics, techniques, and procedures used by Dark Basin group:-

  • Phishing Emails
  • URL Shorteners
  • Enumeration
  • Credential Phishing Websites
  • Phishing Kit
  • Testing the Phish
  • Success Rates

Researchers already notified hundreds of individuals and organizations that became the target of Dark Basin or BellTroX and shared their findings with the US Department of Justice (DOJ) at the request of several victims.

So, what do you think about this? Share all your views and thoughts in the comment section below.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity and hacking news updates.


Latest articles

Volcano Demon Group Attacking Organizations With LukaLocker Ransomware

The Volcano Demon group has been discovered spreading a new ransomware called LukaLocker, which...

Resonance Security Launches Harmony to Monitor and Detect Threats to Web2 and Web3 Apps

Quick take:Harmony is the fourth cybersecurity application Resonance developed to address the disconnect in...

Beware! of New Phishing Tactics Mimic as HR Attacking Employees

Phishing attacks are becoming increasingly sophisticated, and the latest strategy targeting employees highlights this...

MirrorFace Attacking Organizations Exploiting Vulnerabilities In Internet-Facing Assets

MirrorFace threat actors have been targeting media, political organizations, and academic institutions since 2022,...

HardBit Ransomware Using Passphrase Protection To Evade Detection

In 2022, HardBit Ransomware emerged as version 4.0. Unlike typical ransomware groups, this ransomware...

New Poco RAT Weaponizing 7zip Files Using Google Drive

The hackers weaponize 7zip files to pass through security measures and deliver malware effectively.These...

New ShadowRoot Ransomware Attacking Business Via Weaponized PDF’s

X-Labs identified basic ransomware targeting Turkish businesses, delivered via PDF attachments in suspicious emails...
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Free Webinar

Low Rate DDoS Attack

9 of 10 sites on the AppTrana network have faced a DDoS attack in the last 30 days.
Some DDoS attacks could readily be blocked by rate-limiting, IP reputation checks and other basic mitigation methods.
More than 50% of the DDoS attacks are employing botnets to send slow DDoS attacks where millions of IPs are being employed to send one or two requests per minute..
Key takeaways include:

  • The mechanics of a low-DDoS attack
  • Fundamentals of behavioural AI and rate-limiting
  • Surgical mitigation actions to minimize false positives
  • Role of managed services in DDoS monitoring

Related Articles