In December of 2021, the United States Department of State announced a hack had been attempted on several State Department employees’ cellphones. The announcement revealed that the hack had occurred using Pegasus, spyware made by NSO, an Israeli company. The hack targeted U.S. State Department employees active in Uganda. In response, NSO claimed they were unaware of any such use of their technology and ensured clients in question could no longer use the platform.
This NSO case elevates concerns impacting national security and morals. It displays how these types of tactics and tools, once bought, can affect a target’s civil rights or a state’s national security. It also raises questions about the morality and ethics of this type of technology and service, and what legal barriers should be in place when selling this type of product or service. Already, we have seen Israel mandate that NSO obstruct Pegasus from targeting United States-based cell phone numbers, use the technology as a bargaining chip with Middle Eastern Gulf countries, and bar the company from selling the technology to Ukraine and Estonia for fear of damaging Israel’s diplomatic relations with Russia.
In this issue of Overwatch, we will focus on what this digital threat actor landscape looks like in a world where they can pose as legitimate information security companies while selling potentially illegal hacking technology and services to the highest bidder. We will draw on recently publicized cases to understand what is becoming a critical security issue for not only states but also private companies, civil society, and individuals.
Growing Demand for Hack-for-Hires
Hack-for-hire is the act of hiring a firm or individual, or purchasing their technology, to target someone and gain access to their digital devices for surveillance or theft. These groups are often called Mercenary Advanced Persistent Threat Groups (APTGs) or Private-Sector Offensive Actors (PSOAs) by companies such as Microsoft. While outfits participating in this activity can be as small as one individual or a small group, accusations against large information security firms engaging in this business are also common.
An advanced persistent threat (APT) is “…a covert cyber-attack on a computer network where the attacker gains and maintains unauthorized access to the targeted network and remains undetected for a significant period.” These attacks often surveil activity and steal data rather than shut down a network or hold it hostage for ransom.
APTGs that engage in cyber-attacks are often linked to nations with adversarial relationships with the United States, such as Russia, China, North Korea, and Iran. However, the existence of mercenary APTGs shows a large and growing market for this type of service both in the private sector and in countries that may not have the resources or skill to establish their own outfits or technologies.
Different national laws surrounding computer hacking can create a grey area regarding the legality of such operations by private individuals or businesses. However, the tools, scope of work, and the hackers themselves, once hired, often have little consideration for national laws or boundaries.
Examples of the names used by targeted tech companies such as Meta, or by information security companies such as Norton, to track these types of groups can be seen on the map below. As displayed, attacks by these groups often cross national borders:
Frequently these groups can be tied back to legitimate businesses. This was the case with a mercenary APTG traced through the code name “Sourgum,” which was tracked back to an Israeli Surveillance firm named Candiru. More famously, an Indian InfoTech company named BellTroX InfoTech/BellTrox Services or BellTroX D|G|TAL Security (p) Ltd., was tied to the mercenary APTG group codenamed “Dark Basin.”
APTGs use a variety of methods to infiltrate systems. One of the most prominent tactics is phishing attacks, where an email or notification is sent to someone’s phone or computer, enticing engagement to gain access to their device. Additionally, an APTG looking to target a specific individual may practice a tactic called spear phishing, where publicly available information is leveraged to personalize the message, enticing an action from the receiver. An example of this type of tactic can be seen in the image below:
More advanced tactics include creating bootlegged versions of popular and high-traffic websites to prompt users to click a link, or even the creation of an application for exploitation. In this August 2021 tweet, an Islamic social media app, Jamaat, is accused of being a front for surveillance, enticing targets to download the application. A blog on the campaign showed that once downloaded, access is granted to the target’s phone information: contacts, storage, audio recording, location, camera, device settings, and call logs. The threat actor not only has access to the contents of their phone but can also surveil and track the phone’s owner.
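The permission set described above (contacts, storage, audio recording, location, camera, device settings, and call logs) is the kind of profile a defender can check for before installing or approving an app. The following Python script is an added example, not code from the Overwatch brief or from the blog it cites: it parses an Android manifest, maps each requested permission to the capability categories the brief lists, and flags an app that can covertly collect from several of them at once. Both manifests are constructed for illustration, the package names are placeholders, and the three-category threshold is an assumption chosen for the example, not an industry rule.

```python
# Added example: triage an Android manifest for a surveillance-capable permission profile.
# Not from the Overwatch brief; the manifests below are constructed and the package
# names are placeholders. The permission strings are the real android.permission.* names.
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Permission -> capability category, following the categories named in the brief.
CAPABILITIES = {
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_EXTERNAL_STORAGE": "storage",
    "android.permission.WRITE_EXTERNAL_STORAGE": "storage",
    "android.permission.RECORD_AUDIO": "audio recording",
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.ACCESS_COARSE_LOCATION": "location",
    "android.permission.CAMERA": "camera",
    "android.permission.WRITE_SETTINGS": "device settings",
    "android.permission.READ_CALL_LOG": "call logs",
}

# Categories that let an app collect from the device without an obvious user action.
COVERT_COLLECTION = {"contacts", "audio recording", "location", "camera", "call logs"}

# Assumption for this example: three or more covert-collection categories is worth a
# manual review. Legitimate apps can need several of these, so this is triage, not proof.
SURVEILLANCE_THRESHOLD = 3

# Constructed manifest: a chat app that asks only for what its features plausibly need.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.placeholder.chat">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
</manifest>
"""

# Constructed manifest mirroring the permission list the brief attributes to the app.
SUSPECT_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.placeholder.social">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.WRITE_SETTINGS"/>
    <uses-permission android:name="android.permission.READ_CALL_LOG"/>
</manifest>
"""


def requested_permissions(manifest_xml):
    """Return the android:name of every <uses-permission> element in the manifest."""
    root = ET.fromstring(manifest_xml)
    name_attr = "{%s}name" % ANDROID_NS
    return [el.get(name_attr) for el in root.iter("uses-permission") if el.get(name_attr)]


def capability_profile(manifest_xml):
    """Map requested permissions onto the capability categories the brief lists."""
    caps = set()
    for perm in requested_permissions(manifest_xml):
        category = CAPABILITIES.get(perm)
        if category:
            caps.add(category)
    return caps


def assess(manifest_xml):
    """Summarize what the app could collect and whether it crosses the review threshold."""
    caps = capability_profile(manifest_xml)
    covert = caps & COVERT_COLLECTION
    return {
        "capabilities": sorted(caps),
        "covert_collection": sorted(covert),
        "needs_review": len(covert) >= SURVEILLANCE_THRESHOLD,
    }


if __name__ == "__main__":
    for label, manifest in (("benign", BENIGN_MANIFEST), ("suspect", SUSPECT_MANIFEST)):
        result = assess(manifest)
        print(label, result)
```

Running the script prints the benign manifest as three capabilities with two covert-collection categories (not flagged) and the suspect manifest as all seven categories with five covert ones (flagged). A reviewer would still read the app's actual functionality before drawing a conclusion; the script only narrows the list of apps worth that manual look.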
Once information is retrieved by the mercenary APTG, the stolen data can be delivered in several ways: a mass dump of data into paste bins, or through the use of Internet dead drops. An Internet dead drop can be a link in a bio, post comment, or product description. The link contains an encryption key used to decipher and access information stored in a second dead drop.
Mercenary APTGs have been known to target several entities on behalf of governments and private individuals or businesses. The purposes of these cases have ranged from the discovery of evidence during litigation to targeting activists, journalists, and politicians or corporate espionage operations.
Downfall of BellTroX
Darkmatter is a recent example that came into the news last year, with a September 2021 press release by the U.S. Department of Justice stating that three former NSA employees had been fined over $1.68 million for their role in hacking operations. In place of criminal charges, the three were also banned from holding or receiving U.S. security clearances and from pursuing work involving network exploitation.
The severity of this punishment stems from several factors surrounding the case. None of the three men had received the proper license from the U.S. government to work for the United Arab Emirates (UAE) in this capacity; they shared classified information and techniques; and Darkmatter programs were used to target U.S. companies and individuals. These three, as well as other alleged former U.S. Intelligence Community members, were also implicated in launching an app called ToTok, which is suspected to be a surveillance tool used by the Emirati government. At the time of this brief, ToTok is still available in several app stores, including the Apple Store and the Galaxy Store.
Darkmatter and the government of the UAE deny charges that their actions and technologies were used to target Americans. Since 2019, Darkmatter and the UAE have been blacklisted from obtaining the status of internet security watchdog by many large technology services such as Mozilla Firefox and Google. Darkmatter is still an active company and continues to attract employees from large tech firms and even the U.S. Intelligence Community. A look at the company’s SignalHire page, a corporate data aggregator, shows employees that worked for Microsoft/Dell, the Rand Corporation, Hewlett Packard/AT&T, Sony, Russian tech companies, and most interestingly, the U.S. Army/ODNI. Darkmatter’s continued existence and client base reinforce how mercenary APTGs can operate in a grey zone under the sanction of their home state.
Unlike Darkmatter, not all organizations operate as openly. Enter BellTroX. On the surface, BellTroX InfoTech Services looked like a legitimate information and technology security company based in New Delhi, India. The company’s now-deleted website claimed to provide services such as medical transcription, IT security, cyber security, and training on how to spot malware and protect your company from cyber threats. In other words, the company claimed to be dealing only in defensive and preventative IT security; however, as early as 2015, this turned out to be a lie.
In 2015, the United States Department of Justice indicted the company’s founder Sumit Gupta, AKA Sumit Vishnoi, in a case about email hacking by private investigators supporting a party in a litigation suit. Though indicted, Mr. Gupta’s residence in India prevented his apprehension, and the company continued to operate. Searches for Mr. Gupta revealed an archived post he made on the website web.pod.io promoting his business. In the post, Mr. Gupta, under the name Sumit Vishnoi, advertises the services of BellTroX to “Private Investigators, Corporate Lawyers, Corporate Investigators, Corporate Firms, Celebrities, Politicians.”
In 2020, a report released by The Citizen Lab out of the University of Toronto alleged that a notorious hack-for-hire group nicknamed Dark Basin was tied to BellTroX. The report claims a series of operations taken by the group targeted both foreign nationals and U.S. citizens. Some of the most prominent campaigns associated with the group were focused on activists and nonprofits orchestrating a movement called #ExxonKnew, which alleged the company had purposefully misconstrued and hid data about climate change, and a campaign against organizations pushing to uphold net neutrality in the U.S.
The release of this report sparked renewed interest, leading to the arrest by the Department of Justice (DOJ) of Aviram Azari, a former employee of a covert surveillance unit in Israel. According to court documents, Mr. Azari had been acting as a private detective in New York City and working with BellTroX on behalf of his clients to undertake a corporate espionage campaign against various hedge funds.
The publication of their identity as Dark Basin and the guilty plea and cooperation of Mr. Azari are likely what led BellTroX to shut down its website and social media presence. To date, it is unclear in what capacity this group is still active. While the company’s digital footprint has been erased, including the company’s listing on Google, which lists it as permanently closed, the corporation is still registered as active according to an India-based corporate data aggregator, and Mr. Gupta has yet to be apprehended.
Adding to the evidence that the group is still active is the fact that Overwatch analysts were able to find a private Facebook group using the name and company logo. Analysts also found recent posts referencing Dark Basin’s hacking services on various sites and forums, including a Blizzard forum (a video game forum), Goodreads, Reddit, and even a site that compiled emails and domains used by Dark Basin in order to track the group.
Analysts searched the dark web to track the forum with partial success. During the investigation, analysts located an onion URL for another group called T3AMPOISON, which claims to be selling illegal hacking services.
Analysts did find a mirrored webpage potentially attributed to the group. The website’s header displays the name Dark Basin and claims hacking offerings such as hacking of personal email and social media accounts, content removal from websites, spying on email accounts, and boosting/hacking credit scores. Even if this website is not attributable to the Dark Basin mercenary APTG, it is likely that the group still exists in some form despite the alleged closure of its front company BellTroX.
Considering the threat landscape and specific examples outlined above, Overwatch assesses that as the commercial environment and market share for open-source intelligence (OSINT) and information technology companies continue to expand, so will the number of bad actors in the space. This will make trusting your OSINT provider to follow legal and moral guidelines even more critical, as failure to do so could lead to legal issues and scandal down the road. In other words, ensuring the companies you work with practice #OSINT4GOOD will become even more important.
Additionally, Overwatch assesses that we will continue to see hacking services and technologies advertised by private companies to companies, individuals, and nation-states. This may lead to increased civil rights and legal violations, as what was once the purview of state intelligence and security apparatuses—constrained by legal codes, jurisdictions/authorities, and time-tested best practices—bleeds into the private sector, where national boundaries and jurisdiction mean little. This trend will continue to increase until the point in which the private sector either imposes its own standard operating procedures on the sale/use of hacking technology/services or has one imposed on them by state actors. This resolution, though, will not likely come for a long time as the creation of industry norms both organically and artificially is often a lengthy process.