‘Dark Basin’ hacking group targeted thousands in hack-for-hire scheme

A group based in India has been exposed as being behind the hacking of thousands across the globe for at least seven years as part of a hack-for-hire scheme.

This article first appeared on Silicon Angle.

Dubbed Dark Basin in a report released today by The Citizen Lab, the group is tied to the Indian company BellTroX InfoTech Services Pvt Ltd. It’s believed to have targeted advocacy groups and journalists, elected and senior government officials, hedge funds and multiple industries.

Although the clients of the hacking group are unknown, targets are said to include equity giant KKR, short seller Muddy Waters Research and #ExxonKnew, a campaign against ExxonMobil. Dark Basin is also linked to phishing campaigns targeting organizations that work on net neutrality advocacy.

Phishing is key to the hacking campaign: Reuters reported that it had reviewed a cache of data from the hacking group detailing tens of thousands of malicious emails sent by BellTroX between 2013 and 2020.

BellTroX owner Sumit Gupta was previously charged in a 2015 hacking case in which U.S. private investigators said they had paid him to hack the accounts of marketing executives. Gupta denies being involved in hacking, saying that he only assisted private investigators in downloading messages from email inboxes after being provided with login details.

“The Citizen Lab’s report reads like a movie script,” Colin Bastable, chief executive officer of security awareness training firm Lucy Security AG, told SiliconANGLE. “Half the time I’m thinking that the bad guys left so many trails that it must be an exercise in misdirection. Only state actors could pull something like this together.”

He added that “the quality of the phishing site landing pages is excellent and the English grammar is very good — too good, unless you were running a very professional, well-financed and targeted operation. The subdomains are also well-designed, especially for mobile users. The URL shorteners, the five-and-a-half-hour time zone difference and the different email addresses which tie back to BellTroX are all very interesting.”

Chris Rothe, co-founder and chief product officer at threat detection company Red Canary Inc., noted that although the investigation doesn’t conclusively show any major damage to the targets, it does show the use of techniques consistent with those used by many hackers attacking corporations and individuals alike. “While there is nothing groundbreaking about the techniques employed, it is a good reminder that attacks can come from all angles including business or political adversaries,” he said.

Paul Bischoff, privacy advocate with tech research firm Comparitech Ltd., said the most striking part of the Dark Basin operation is how it was able to advertise its services openly without consequence.

“I have to wonder, even after Citizen Lab’s report, if authorities will go after Dark Basin,” Bischoff said. “India is home to many phishing and scam operations that go about their business in broad daylight. Even if Dark Basin is shut down, another hack-for-hire business could replace it. So perhaps the best course of action is further investigation to reveal its clients and take legal action against them.”