A group of contracted hackers known as “Dark Basin” which is also known as BellTroX (BellTroX InfoTech Services) has attacked thousands of people and hundreds of institutions around the world that include non-profit organizations, journalists, officials, lawyers, investment fund companies, senior politicians, government prosecutors, CEOs and many more.
Researchers have discovered nearly 28,000 web pages created by the hackers to carry out specially crafted phishing attacks.
The services of BellTroX or the Dark Basin hacker group were used to attack senior politicians, government officials, company CEOs, journalists, and human rights defenders.
Here, the hacker group, Dark Basin, does not work as state-sponsored groups, as they work as an outsourcing company engaged in commercial cyber spying against the specific goals in the interests of private detectives and their clients.
In 2017 the security firm, Citizen Lab, launched an investigation to examine the Dark Basin group after a journalist contacted them. The journalist came across the phishing pages that were served through the open-source Phurl URL shortener.
Later the security researchers discovered that the attackers used the same method to mask at least 27,591 different phishing links containing email addresses of the targets.
Initially, the Dark Basin group was suspected of having ties to the state but was later identified as a hack-for-hire that is based on a variety of targets.
But, still, it is curious, as, in 2015, Sumit Gupta (owner of BellTroX) was charged in California for playing his role in a similar hack-for-hire scheme. At that time, along with Sumit, two other private detectives were also charged who later confessed to paying Sumit Gupta to hack the accounts of top-level marketing directors.
The “Dark Basin” group was controlled by a company called Belltrox Infotech Services located in New Delhi (India). Here, the hacks were contracted through a complex structure of payments and sharing of information in layers by both the operators of the Dark Basin group and contractors.
All these security procedures simply allow the operators and contractors to stay “clean & clear” in the eyes of government security agencies.
The security experts were also able to identify several BellTroX employees whose activities partially coincided with Dark Basin, as they used their personal documents, including a resume, as bait when testing URL shorteners.
Moreover, Indian festival names like Holi, Rongali, and Pochanchi were discovered by the security experts that are used by the Dark Basin for their several URL shortening services, as you can see on the images mentioned below.
Even some employees have also made posts on social networks that defined the attack methods and took charge of them. Even the messages included the screenshots of the links to the grouping infrastructure as well.
The security researchers have also discovered that the employees who are working for the BellTroX have mentioned their hacking capabilities on the professionals’ social network, LinkedIn, and here they are mentioned below:-
According to the security experts at Citizen Lab, from the people working in different fields of corporate intelligence and private investigation, the Dark Basin group or BellTroX and their operators have received many endorsements.
Here are the people from different fields of corporate intelligence and private investigation has offered endorsements to BellTroX:-
The Dark Basin group always targeted the American non-profit and environmental organizations that are working on a campaign known as #ExxonKnew and denounced the company ExxonMobil, the US oil company, for allegedly hiding information about the climate change for the decades.
Here are the list of targeted organizations:-
From the above image, you can see how at the advocacy organizations, specially crafted phishing messages were sent from the accounts simulating as close colleagues of the targeted ones, and all these messages are classified as confidential information concerning ExxonMobil.
Moreover, to attract the targets and deceive them the Dark Basin hacker group also used fake Google News updates concerning ExxonMobil as bait, and here’s the example below:-
According to the data collected report by the security experts at Citizen Lab, Dark Basin has targeted and compromised multiple industries, and here they are listed below:-
Tactics, Techniques, and Procedures used by Dark Basin group
To make the attacks sophisticated, the operators of the Dark Basin group used several types of techniques to adapt and refine their phishing attempts to deceive the email providers. Here the list of tactics, techniques, and procedures used by Dark Basin group:-
Researchers already notified hundreds of individuals and organizations that became the target of Dark Basin or BellTroX and shared their findings with the US Department of Justice (DOJ) at the request of several victims.
So, what do you think about this? Share all your views and thoughts in the comment section below.
You can follow us on Linkedin, Twitter, Facebook for daily Cybersecurity and hacking news updates.
A new malware variant called Nunu Stealer is making headlines after being advertised on underground hacker forums…
A critical vulnerability has been identified in Siemens' User Management Component (UMC), which could allow…
Foxit Software has issued critical security updates for its widely used PDF solutions, Foxit PDF…
Microsoft has swiftly addressed a critical security vulnerability affecting Windows 11 (version 23H2), which could…
A Romanian man has been sentenced to 20 years in prison for his involvement in…
The Cybersecurity and Infrastructure Security Agency (CISA) has sounded the alarm over a critical vulnerability…