Recently, a report revealed how researchers uncovered hacker-for-hire group involved in several data theft operations. Read on to know more…
Since at least 2015, a new cyber mercenary hacker-for-hire group known as “Void Balaur” has been linked to a string of cyberespionage and data theft operations targeting thousands of entities, including human rights activists, politicians, and government officials around the world for financial gain while remaining anonymous.
The adversary, named after a Romanian folklore dragon with many heads, has been unmasked for advertising its services and selling troves of sensitive information such as cell tower phone logs, passenger flight records, credit reports, banking data, SMS messages, and passport details in Russian-speaking underground forums dating back to 2017. “Rockethack” is the name of the threat actor.
Uncovering the Hacker-for-hire Group
Trend Micro Researcher Feike Hacquebord said in a newly published profile of the collective, “This hacker-for-hire group does not operate out of a physical building, nor does it have a shiny prospectus that describes its services,”
Hacquebord added “The group does not try to wriggle out of a difficult position by justifying its business, nor is it involved in lawsuits against anybody attempting to report on their activities. Instead, this group is quite open about what it does: breaking into email accounts and social media accounts for money,”
Apart from receiving near-unanimous positive feedback on the forums for its ability to provide quality information, Void Balaur is suspected of focusing on cryptocurrency exchanges by creating a slew of phishing sites to deceive cryptocurrency exchange users and gain unauthorised access to their wallets. Furthermore, the campaigns involved the use of information stealers and Android spyware like Z*Stealer and DroidWatcher against its targets.
The intrusion set used by Void Balaur has been observed against a wide range of people and organisations, including journalists, human rights activists, politicians, scientists, IVF clinic doctors, genomics and biotechnology companies, and telecom engineers. According to Trend Micro, the group targeted approximately 3,500 email addresses.
The researchers said “Void Balaur goes after the most private and personal data of businesses and individuals then sells that data to whomever wants to pay for it,”. The rationale for the targeting of these people and organisations is still unknown.
It’s also unclear how the threat actor obtained sensitive phone and email records from the targets without interacting with them, though the researchers believe the threat actor may have gotten the data either directly (or indirectly) from rogue insiders at the companies in question, or by hacking into the accounts of key employees with access to the targeted email mailboxes.
Trend Micro’s deep-dive analysis also uncovered some common ground in the targeted email addresses between Void Balaur and another Russia-based advanced persistent threat group known as Pawn Storm (aka APT28, Sofacy, or Iron Twilight), with overlaps in the targeted email addresses between the two groups, while also significantly differing in a number of ways, including Void Balaur’s modus operandi of striking cryptocurrency users and their operational hours.
With a number of operations — BellTroX (aka Dark Basin), Bahamut, CostaRicto, and PowerPepper — exposed as targeting non-profits, financial institutions, and government agencies in recent months, the development once again highlights the rampantly growing illicit mercenary-related activities in cyberspace and the demand for such services.
Mitigation
To protect against these hacking attacks, it is safe to use two-factor authentication (2FA) via an authenticator app or a hardware security key, use apps that use end-to-end encryption (E2EE) for email and communications, and delete old, unwanted messages permanently to reduce the chance of data exposure.
The researchers noted “The reality is that regular internet users cannot easily deter a determined cyber mercenary,”
The researchers added that “While [advanced offensive tools in a cyber mercenary’s arsenal] might be meant to be used in the fight against terrorism and organized crime, the reality is that they — knowingly or unknowingly — end up in the hands of threat actors who use it against unwitting targets.”