A hack-for-hire group known as Dark Basin is responsible for cyber activities that “threaten civil society and democracy,” according to a new report from The Citizen Lab.
The group has wreaked havoc on six continents, targeting thousands of individuals, including journalists and elected and senior government officials, as well as hundreds of institutions, including advocacy groups and hedge funds, across multiple industries.
Dark Basin’s targeting sometimes clusters around a specific cause, such as the #ExxonKnew campaign, in which the oil company was accused of hiding information about climate change for years; the advocacy organizations involved in that campaign were among the targets.
“Over the course of our multi-year investigation, we found that Dark Basin likely conducted commercial espionage on behalf of their clients against opponents involved in high profile public events, criminal cases, financial transactions, news stories, and advocacy,” the Canadian academic think tank said.
Among the findings detailed in the report:
- Dark Basin was the group behind the phishing of organizations working on net neutrality advocacy, previously reported by the Electronic Frontier Foundation.
- Citizen Lab links Dark Basin with high confidence to an Indian company, BellTroX InfoTech Services, and related entities. BellTroX’s director, Sumit Gupta, was indicted in California in 2015 for his role in a similar hack-for-hire scheme.
“It is clear that Dark Basin operators were successful with at least some of their phishing campaigns,” the report said, adding that in cases observed by targets, Dark Basin was seen using commodity VPNs to log in to accounts with stolen credentials.
Citizen Lab traced the phishing attempts it examined to a custom URL shortener, which the operators used to disguise the phishing links.
The shortener turned out to be part of a larger network of custom URL shorteners operated by a single group, which Citizen Lab dubbed “Dark Basin.”
Because the shorteners generated sequential shortcodes, the researchers could enumerate them and identify almost 28,000 additional URLs containing the e-mail addresses of targets. Citizen Lab used open-source intelligence techniques to identify hundreds of targeted individuals and organizations, and later contacted a “substantial fraction” of them, assembling a global picture of Dark Basin’s targeting.
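The enumeration described above works because a shortener that hands out sequential shortcodes lets anyone who sees one code predict its neighbours. The following is an added example, not Citizen Lab’s tooling: it assumes a base-36 shortcode scheme, replaces the live shortener with a small in-memory table of constructed URLs so it runs offline, and shows how walking the code space around one observed code yields the other victims’ addresses and a per-domain count of targets. A real resolver would issue a HEAD request without following redirects and read the Location header instead of consulting the table.

```python
"""Enumerating a URL shortener that issues sequential shortcodes.

Added example; the alphabet, the shortcode scheme, the resolver table
and all URLs below are constructed assumptions, not from the report.
"""
import re
import string
from collections import Counter
from urllib.parse import urlsplit, parse_qs, unquote

ALPHABET = string.digits + string.ascii_lowercase  # assumed base-36 scheme


def encode_shortcode(n: int) -> str:
    """Map a counter value to a base-36 shortcode (assumed scheme)."""
    if n == 0:
        return ALPHABET[0]
    out = []
    while n:
        n, r = divmod(n, len(ALPHABET))
        out.append(ALPHABET[r])
    return "".join(reversed(out))


def decode_shortcode(code: str) -> int:
    """Inverse of encode_shortcode: shortcode -> counter value."""
    n = 0
    for ch in code:
        n = n * len(ALPHABET) + ALPHABET.index(ch)
    return n


# Constructed stand-in for the shortener's redirect table. In practice this
# would be an HTTP HEAD per code (no redirect following) reading Location.
SAMPLE_DB = {
    "k2": "http://accounts-verify.example/login?email=alice%40ngo.example&id=1",
    "k3": "http://accounts-verify.example/login?email=bob%40fund.example",
    "k4": "http://drive-share.example/open?u=carol%40ngo.example",
    "k6": "http://accounts-verify.example/login?email=dave%40law.example",
    # "k5" is missing on purpose: an enumerator must tolerate gaps.
}

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def resolve(code: str):
    """Return the long URL for a shortcode, or None if it does not resolve."""
    return SAMPLE_DB.get(code)


def extract_emails(url: str) -> set:
    """Pull e-mail addresses out of any query parameter or the path."""
    parts = urlsplit(url)
    found = set()
    for values in parse_qs(parts.query).values():  # parse_qs percent-decodes
        for v in values:
            found.update(EMAIL_RE.findall(v))
    found.update(EMAIL_RE.findall(unquote(parts.path)))
    return found


def enumerate_shortener(seed_code: str, window: int, resolver=resolve) -> dict:
    """Walk the shortcodes within `window` of a known code.

    Returns {shortcode: {emails}} for every code that resolved to a URL
    carrying at least one e-mail address.
    """
    start = decode_shortcode(seed_code)
    hits = {}
    for n in range(max(0, start - window), start + window + 1):
        code = encode_shortcode(n)
        url = resolver(code)
        if url is None:
            continue
        emails = extract_emails(url)
        if emails:
            hits[code] = emails
    return hits


def targets_by_domain(hits: dict) -> Counter:
    """Aggregate enumerated addresses by e-mail domain (target organisation)."""
    c = Counter()
    for emails in hits.values():
        for e in emails:
            c[e.split("@", 1)[1].lower()] += 1
    return c


if __name__ == "__main__":
    found = enumerate_shortener("k3", window=3)
    for code, emails in sorted(found.items()):
        print(code, sorted(emails))
    print(targets_by_domain(found).most_common())
```

The defensive lesson is the mirror image: a shortener or tracking link that embeds the recipient’s address and uses predictable identifiers leaks its whole target list to anyone who finds a single link, so such services should use random, high-entropy codes and keep recipient identity out of the URL.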
Citizen Lab said it initially thought Dark Basin might be state-sponsored, but the range of targets “soon made it clear that Dark Basin was likely a hack-for-hire operation,” with targets often on only one side of a contested legal proceeding, advocacy issue, or business deal.
Timestamps in hundreds of Dark Basin phishing emails appear to be consistent with working hours in India’s UTC+5:30 time zone. Citizen Lab noted that the EFF found the same timing pattern in its earlier investigation of phishing messages targeting net neutrality advocacy groups, which Citizen Lab also links to Dark Basin.
Citizen Lab said Dark Basin left copies of its phishing kit source code openly available online, along with log files showing testing activity. The logging code invoked by the phishing kit recorded timestamps in UTC+5:30, and the log files show that Dark Basin appeared to conduct some testing from an IP address in India.
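The two timing observations above, the working-hours pattern in e-mail Date headers and the UTC+5:30 offset written by the kit’s logging code, are the kind of thing an analyst checks with a short script rather than by eye. The block below is an added example, not Citizen Lab’s or the EFF’s code. The Date headers, the log lines and the IP address in them are constructed, and the candidate time zones and the 09:00 to 19:00 weekday window are assumptions; it converts every timestamp into each candidate zone and reports which zone puts the most activity inside local working hours, then separately tallies the explicit offsets found in log lines.

```python
"""Testing whether message timestamps fit one time zone's working hours.

Added example; every Date header, log line and address below is constructed.
"""
import re
from collections import Counter
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

IST = timezone(timedelta(hours=5, minutes=30))       # India Standard Time
US_EASTERN_STD = timezone(timedelta(hours=-5))       # US Eastern, standard time

# Constructed RFC 5322 Date headers as they might appear in phishing e-mails.
SAMPLE_DATES = [
    "Mon, 04 Mar 2019 04:12:07 +0000",
    "Mon, 04 Mar 2019 06:45:00 +0000",
    "Tue, 05 Mar 2019 03:30:19 +0000",
    "Tue, 05 Mar 2019 09:58:42 +0000",
    "Wed, 06 Mar 2019 11:20:00 +0000",
    "Thu, 07 Mar 2019 05:05:05 +0000",
    "Fri, 08 Mar 2019 12:40:00 +0000",
    "Sat, 09 Mar 2019 21:15:00 +0000",   # weekend outlier
]

# Constructed log lines in the style of a phishing kit's own test log.
SAMPLE_LOG = [
    "2019-03-04 10:02:11 +0530 kit test: GET /login.php from 203.0.113.7",
    "2019-03-04 10:03:40 +0530 kit test: POST /login.php creds captured",
    "malformed line without a timestamp",
]


def _to_aware(raw: str) -> datetime:
    """Parse a Date header; treat the '-0000' (unknown zone) form as UTC."""
    dt = parsedate_to_datetime(raw)
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    return dt


def hour_histogram(date_headers, tz) -> Counter:
    """Count messages per local hour after converting each timestamp to tz."""
    c = Counter()
    for raw in date_headers:
        c[_to_aware(raw).astimezone(tz).hour] += 1
    return c


def working_hours_fraction(date_headers, tz, start=9, end=19,
                           weekdays_only=True) -> float:
    """Fraction of messages sent in [start, end) local time, Mon-Fri, in tz."""
    n = inside = 0
    for raw in date_headers:
        local = _to_aware(raw).astimezone(tz)
        n += 1
        if start <= local.hour < end and (not weekdays_only or local.weekday() < 5):
            inside += 1
    return inside / n if n else 0.0


CANDIDATE_ZONES = {
    "UTC+5:30 (India)": IST,
    "UTC-5 (US Eastern, standard time)": US_EASTERN_STD,
    "UTC+0": timezone.utc,
}


def rank_zones(date_headers, zones=CANDIDATE_ZONES) -> list:
    """Order candidate zones by how much activity lands in working hours."""
    scored = [(name, working_hours_fraction(date_headers, tz))
              for name, tz in zones.items()]
    return sorted(scored, key=lambda kv: kv[1], reverse=True)


LOG_TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} [+-]\d{4})")


def log_offsets(lines) -> Counter:
    """Tally the explicit UTC offsets a logger wrote into each line."""
    c = Counter()
    for line in lines:
        m = LOG_TS_RE.match(line)
        if not m:
            continue  # skip lines that carry no parseable timestamp
        dt = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S %z")
        c[dt.strftime("%z")] += 1
    return c


if __name__ == "__main__":
    for name, frac in rank_zones(SAMPLE_DATES):
        print(f"{name:36s} {frac:.2f} of messages in local working hours")
    print("log offsets:", dict(log_offsets(SAMPLE_LOG)))
```

A working-hours fit is circumstantial: one zone scoring highest only says the sender’s schedule is consistent with that zone, which is why the report pairs it with the kit’s own UTC+5:30 logging and the Indian test IP rather than relying on timing alone.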
According to Citizen Lab, BellTroX and its employees use euphemisms for promoting their services online, including “Ethical Hacking” and “Certified Ethical Hacker.” BellTroX’s slogan is: “you desire, we do!”
As recently as June 7, Citizen Lab said, the BellTroX website began serving an error message, and recent postings and other materials linking BellTroX to these operations have been deleted, the report stated.
Among the organizations targeted by Dark Basin that consented to be named in the Citizen Lab report are:
- Rockefeller Family Fund
- Climate Investigations Center
- Greenpeace
- Center for International Environmental Law
- Oil Change International
- Public Citizen
- Conservation Law Foundation
- Union of Concerned Scientists
- M+R Strategic Services
- 350.org