Phishing Attacks Traced to Indian Commercial Espionage FirmResearchers at Citizen Lab Accuse Indian Firm of Criminal Hacking for Hire
Surveillance researchers have tied numerous corporate espionage hack attacks to a small Indian cybersecurity firm, led by a man who's wanted by the FBI.
Citizen Lab, a think tank based at the Munk School of Global Affairs at the University of Toronto that investigates surveillance software and tracks spyware and phishing campaigns against human rights activists, dissidents, journalists and others, says it's been tracking this attack campaign for several years.
On Tuesday, Citizen Lab researchers published what they say is the first of multiple, planned reports into the activities of "Dark Basin." That's their name for a criminal, "hack for hire" operation that hit thousands of targets in recent years with phishing attacks designed to give attackers' remote access to targets' systems, cloud-based email accounts and more. Alleged targets ranged from government officials and climate-change activists to financial services and pharmaceutical firms.
"We link Dark Basin's activity with high confidence to individuals working at an Indian company named BellTroX InfoTech Services, also known as 'BellTroX D|G|TAL Security,' and possibly other names," according to Citizen Lab's report.
BellTroX, based in New Delhi, did not immediately respond to a request for comment sent to an email address previously listed on its website as being a primary point of contact.
'You Desire, We Do!'
BellTroX's corporate slogan, according to its website, is: "You desire, we do!"
In terms of what exactly it might do, the company's LinkedIn page suggests it is a transcription service. "Established in 2011, BellTroX InfoTech Services has grown into one of the world's premier transcription and digital dictation provider for numerous hospitals, clinics, expert witnesses, independent practitioners and commercial organizations," it says.
The company's website, meanwhile, until recently said the company offered a range of services, ranging from medical transcription and information security consulting services to web development and training.
But since Sunday, the website has been inactive, and data previously stored on a site's hosting service appears to have been deleted, Citizen Lab reports. The domain name, first registered in 2012, now resolves to a static page saying: "This account has been suspended."
Thousands of Targets
At least one of the services offered by BellTroX was corporate espionage, according to Citizen Lab.
"Dark Basin has a remarkable portfolio of targets, from senior government officials and candidates in multiple countries, to financial services firms such as hedge funds and banks, to pharmaceutical companies," Citizen Lab says. "Troublingly, Dark Basin has extensively targeted American advocacy organizations working on domestic and global issues. These targets include climate advocacy organizations and net neutrality campaigners."
Citizen Lab says it has "notified hundreds of targeted individuals and institutions" about Dark Basin's efforts, and also "provided them with assistance in tracking and identifying the campaign," and in some cases, at their request, sharing details with the U.S. Department of Justice.
Wanted: Sumit Gupta
Sumit Gupta, the director of BellTroX, was previously charged in California federal court with participating in a criminal hacking scheme.
In 2015, the Justice Department unsealed an indictment against five men, including two private investigators, as well as Gupta, aka Sumit Vishnoi - then 26 years old. All five were charged "with crimes related to a conspiracy to access the email accounts, Skype accounts, and computers" of clients of the two private investigators, according to the indictment, which describes Gupta as being one of two hackers they hired "to access the email accounts, Skype accounts and protected computers of individuals without authorization."
NEW REPORT: Dark Basin: Uncovering a Massive Hack-For-Hire Operation https://t.co/p1PAJJCos5— Citizen Lab (@citizenlab) June 9, 2020
Citizen Lab says that multiple details of the attacks it ascribes to Dark Basin parallel allegations against Gupta included in the 2015 indictment.
Some individuals designated as being employees of BellTroX on LinkedIn also list offensive hacking skills. One, for example, lists his skills as being "cyber specialist, email penetration, corporate espionage, phone pinger, ORM specialist." Object-Relational Mapping is a technique that can be used to construct injection attacks against databases.
Also on LinkedIn, BellTroX has testimonials from numerous individuals working in law enforcement and corporate intelligence, including some Canadian and U.S. government employees. "A LinkedIn endorsement may be completely innocuous, and is not proof that an individual has contracted with BellTroX for hacking or other activity," Citizen Lab says. "However, it does raise questions as to the nature of the relationship between some of those who posted endorsements and BellTroX."
Employees Allegedly Boasted About Attacks
Multiple details appear to reinforce that Dark Basin's operators were Indian and working in India, including the repeat use of custom-built link-shortening services named Holi, Rongali and Pochanchi, of which the first two are names of Hindu festivals, while the latter appears to be "a transliteration of the Bengali word for '55,'" according to Citizen Lab.
Researchers said they found online a copy of BellTroX's phishing kit source code, as well as log files detailing testing activity, which uses the same time zone as India.
Citizen Lab says employees also boasted online about conducting some attacks that traced back to link-shortening services seen in multiple BellTroX hack attacks.
"We were able to identify several BellTroX employees whose activities overlapped with Dark Basin because they used personal documents, including a CV, as bait content when testing their URL shorteners," Citizen Lab says. "They also made social media posts describing and taking credit for attack techniques containing screenshots of links to Dark Basin infrastructure. BellTroX and its employees appear to use euphemisms for promoting their services online, including 'Ethical Hacking' and 'Certified Ethical Hacker.'"
Attacks Unraveled via Link Shortening
Key to unraveling Dark Basin's activities was its use of the three aforementioned, custom link-shortening services, which Citizen Lab said would generate sequentially numbered short links. Thanks to that behavior, "we were able to enumerate them and identify almost 28,000 additional URLs containing e-mail addresses of targets," it says.
"While we initially thought that Dark Basin might be state-sponsored, the range of targets soon made it clear that Dark Basin was likely a hack-for-hire operation," Citizen Lab adds. "Dark Basin's targets were often on only one side of a contested legal proceeding, advocacy issue, or business deal."
One group of activists targeted by BellTroX, for example, were working on a campaign called #ExxonKnew, designed to detail the company's approach to climate change. Citizen Lab says the activists were targeted by short URLs created by BellTroX, and notes that many of the activists suspected that their communications were being leaked.
ExxonMobil, one of the world's largest publicly traded international oil and gas companies, in January issued a statement saying that "ExxonKnew is an orchestrated campaign that seeks to delegitimize ExxonMobil and misinterpret our climate change position and research."
But in January 2018, New York's attorney general filed a lawsuit against ExxonMobil, alleging that the company misled investors about its climate-change practices.
Nation-State Attack Parallels
Researchers' ability to unravel the Dark Basin attacks parallels previous work by Citizen Lab, which helped trace phishing campaigns to Russia's GRU military intelligence agency. One such campaign, for example, targeted numerous U.S. politicians. One of the most high-profile victims was John Podesta, Hillary Clinton's 2016 presidential campaign chairman, who clicked on a phishing message disguised as a legitimate Google security communication (see: Nation-State Spear Phishing Attacks Remain Alive and Well).
Citizen Lab in 2017 reported that those attackers had used Tiny.cc, a legitimate link-shortening service, to make the emails appear to have come from Google. But the service had "predictable features that enabled us to discover some other links likely used by the same operators," the researchers said, noting that they'd recovered 223 malicious links that appeared to have been sued against at least 218 different individuals. Citizen Lab did not attribute those attacks to any individuals or organizations (see: Tainted Leaks: Researchers Unravel Cyber-Espionage Attacks).
But U.S. prosecutors have said that Podesta was targeted by the same GRU officers who targeted the Democratic Congressional Campaign Committee and the Democratic National Committee in 2015 and 2016, ahead of that year's 2016 U.S. presidential election. Stolen data was leaked via the DCleaks.com website, via a WordPress run by the Russian government's fake Guccifer 2.0 hacker person and later, WikiLeaks (see: Analysis: VPN Fail Reveals 'Guccifer 2.0' is 'Fancy Bear').