Dark Basin

Type: Advanced persistent threat
Purpose: Cyberespionage
Region: India
Methods: Spear phishing
Parent organization: BellTroX InfoTech Services
Affiliations: Wirecard, ExxonMobil

Dark Basin is a hack-for-hire group discovered in 2017 by Citizen Lab. [1] It is suspected of having acted on behalf of companies such as Wirecard [2] and ExxonMobil. [3]


Background

In 2015, Matthew Earl, a managing partner at ShadowFall Capital & Research, began to study Wirecard AG with a view to short-selling the company. Wirecard had just announced the purchase of Great Indian Retail Group for $254 million, [4] which seemed overpriced to Earl. In February 2016, he started to write publicly about his findings under the alias Zatarra Research & Investigations, [5] accusing Wirecard of corruption, corporate fraud, and money laundering. [6]

Soon after, the identity behind Zatarra Research & Investigations was revealed online, along with surveillance pictures of Earl in front of his house. Earl quickly realized that he was being followed. Employees from Jones Day, a law firm representing Wirecard, [7] visited Earl and handed him a letter accusing him of collusion, conspiracy, defamation, libel, and market manipulation. [8] Earl also started to receive targeted phishing emails that appeared to come from his friends and family members. [2] In the spring of 2017, Earl shared those emails with Citizen Lab, a research laboratory specializing in information control. [8]

Citizen Lab's investigation

Initial findings

Citizen Lab discovered that the attackers were using a custom URL shortener that allowed its links to be enumerated, giving the researchers access to a list of 28,000 URLs. Some of those URLs redirected to websites imitating Gmail, Facebook, LinkedIn, Dropbox or various webmail services – each page customized with the name of the victim and asking the user to re-enter their password. [9]

Citizen Lab baptized this hacker group 'Dark Basin' and identified several clusters among the victims: [1]

The variety of targets suggested to Citizen Lab that this was mercenary activity. The research laboratory confirmed that some of these attacks were successful.

Several clues allowed Citizen Lab to assert with high confidence that Dark Basin was based in India. [1]

Working hours

Timestamps in Dark Basin phishing emails were consistent with working hours in India, which has only one timezone: UTC+5:30. [1]
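The working-hours reasoning above, turned into an added example that is not part of the original article and not Citizen Lab's own tooling: it scores every candidate UTC offset (in half-hour steps, so UTC+5:30 is a candidate) by how many e-mail Date headers land inside a weekday working day. The Date headers are constructed for illustration, and the 09:00 to 18:00 working day is an assumption.

```python
"""Infer an operator's likely UTC offset from phishing e-mail timestamps."""
from datetime import timedelta, timezone
from email.utils import parsedate_to_datetime

# Constructed Date: headers for illustration only; not taken from real Dark Basin emails.
# Header offsets are mixed on purpose: the analysis must normalise to UTC first.
SAMPLE_DATE_HEADERS = [
    "Mon, 06 Mar 2017 03:40:12 +0000",
    "Tue, 07 Mar 2017 01:30:00 -0400",  # 05:30 UTC
    "Tue, 07 Mar 2017 06:05:44 +0000",
    "Wed, 08 Mar 2017 14:02:17 +0530",  # 08:32 UTC
    "Wed, 08 Mar 2017 08:30:00 +0000",
    "Thu, 09 Mar 2017 10:58:00 +0000",
    "Thu, 09 Mar 2017 12:15:09 +0000",
    "Fri, 10 Mar 2017 05:20:30 +0000",
]

# Assumed working day used for the fit (local time, Monday to Friday).
WORK_START, WORK_END = 9, 18


def parse_headers(headers):
    """Parse RFC 5322 Date headers and normalise every timestamp to UTC."""
    return [parsedate_to_datetime(h).astimezone(timezone.utc) for h in headers]


def working_hour_fraction(times_utc, offset_minutes):
    """Fraction of timestamps that fall on a weekday between WORK_START and
    WORK_END once shifted into the candidate zone UTC+offset_minutes."""
    zone = timezone(timedelta(minutes=offset_minutes))
    local = [t.astimezone(zone) for t in times_utc]
    hits = sum(1 for t in local if t.weekday() < 5 and WORK_START <= t.hour < WORK_END)
    return hits / len(local)


def rank_offsets(headers, step_minutes=30):
    """Score candidate offsets from UTC-12:00 to UTC+14:00 and return
    (fraction, offset_minutes) pairs, best first; ties prefer the smaller offset."""
    times = parse_headers(headers)
    candidates = range(-12 * 60, 14 * 60 + 1, step_minutes)
    scored = [(working_hour_fraction(times, off), off) for off in candidates]
    return sorted(scored, key=lambda s: (-s[0], abs(s[1])))


def best_offset(headers):
    """Offset (in minutes) whose working day explains the most timestamps."""
    return rank_offsets(headers)[0][1]


def format_offset(minutes):
    """Render an offset in minutes as e.g. 'UTC+5:30'."""
    sign = "+" if minutes >= 0 else "-"
    hours, mins = divmod(abs(minutes), 60)
    return f"UTC{sign}{hours}:{mins:02d}"


if __name__ == "__main__":
    for fraction, off in rank_offsets(SAMPLE_DATE_HEADERS)[:5]:
        print(f"{format_offset(off):>10}  {fraction:.2f} of timestamps in working hours")
```

With only a handful of messages, neighbouring half-hour zones score almost identically, which is why a timing clue like this is combined with other evidence rather than used on its own.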

Cultural references

The instances of the URL shortening service used by Dark Basin had names related to Indian culture: Holi, Rongali and Pochanchi. [1]

Phishing kit

Dark Basin left the source code of their phishing kit, including some log files, available online. The source code was configured to print timestamps in India's timezone. The log file, which showed some testing activity, included an IP address located in India. [1]

Citizen Lab believes with high confidence that BellTroX, also known as BellTroX InfoTech Services and BellTroX D|G|TAL Security, is the company behind Dark Basin. [1] BellTroX, a Delhi-based company, [11] advertises on its website activities such as penetration testing, certified ethical hacking, and medical transcription. BellTroX employees are described as noisy [1] and often posted publicly about their illegal activities. [1] BellTroX's founder Sumit Gupta [12] had previously been indicted and charged in the United States for a hack-for-hire scheme on behalf of ViSalus. [13]

BellTroX used the CV of one of their employees to test Dark Basin's URL shortener. They also publicly posted screenshots of links to Dark Basin's infrastructure. [1]

Hundreds of people working in corporate intelligence and private investigation endorsed BellTroX on LinkedIn; some of them are suspected of being clients. Those endorsements included a Canadian government official, an investigator at the US Federal Trade Commission, law enforcement officers, and private investigators with prior roles in the FBI, police, military and other branches of government. [1]

On June 7, 2020, BellTroX took down their website. [1] In December 2021, Meta (Facebook) banned BellTroX as a "cyber-mercenary" group. [14] [15]

Reactions

Both Wirecard and ExxonMobil have denied any involvement with Dark Basin. [16] [17]


References

  1. Scott-Railton, John; Hulcoop, Adam; Razzak, Bahr Abdul; Marczak, Bill; Anstis, Siena; Deibert, Ron (2020-06-09). "Dark Basin - Uncovering a Massive Hack-For-Hire Operation". Citizen Lab. Archived from the original on 2020-09-30. Retrieved 2021-02-28.
  2. Rosin, Hanna (2020-06-09). "Dark Basin: Global Hack-For-Hire Organization That Targeted Thousands Over The Years". All Things Considered. NPR. Archived from the original on 2020-11-15. Retrieved 2021-02-28.
  3. Murphy, Paul (2020-06-09). "Paid hackers targeted thousands of people and hundreds of institutions worldwide, report says". Financial Times. Archived from the original on 2020-06-26. Retrieved 2021-02-28 via the Los Angeles Times.
  4. "Wirecard buys Great Indian Retail Group payments business". Reuters. 2015-10-27. Archived from the original on 2021-03-01. Retrieved 2021-02-28.
  5. O'Donnell, John (2020-07-16). "Germany's long, lonely campaign: Battling Wirecard's short sellers". Reuters. Archived from the original on 2020-11-19. Retrieved 2021-02-28.
  6. Davies, Paul J. (2020-06-22). "Short sellers made $2.6 bln off Wirecard plunge". MarketWatch. Archived from the original on 2021-02-05. Retrieved 2021-02-28.
  7. Davies, Paul J.; Chung, Juliet (2020-06-20). "Short Sellers Made $2.6 Billion Off Wirecard's Plunge, but Not Without Scars". The Wall Street Journal. Archived from the original on 2020-06-20. Retrieved 2021-02-28.
  8. "Dark Basin – Darknet Diaries". Darknet Diaries. 2020-10-24.
  9. Galperin, Eva; Quintin, Cooper (2017-09-27). "Phish For the Future". Electronic Frontier Foundation. Archived from the original on 2021-01-16. Retrieved 2021-02-28.
  10. Hong, Nicole; Meier, Barry; Bergman, Ronen (2020-06-10). "Environmentalists Targeted Exxon Mobil. Then Hackers Targeted Them". The New York Times. Archived from the original on 2021-02-01. Retrieved 2021-02-28.
  11. Stubbs, Jack; Satter, Raphael; Bing, Christopher (2020-06-09). "Obscure Indian cyber firm spied on politicians, investors worldwide". Reuters. Archived from the original on 2021-01-26.
  12. Kumar, Ankit (2020-06-09). "Dark Basin: Delhi-based "Hack-for-Hire" firm exposed for hacking politicians, non-profits globally". India Today. Archived from the original on 2020-06-27. Retrieved 2021-02-28.
  13. "Private Investigators Indicted In E-Mail Hacking Scheme" (Press release). United States Attorney for the Northern District of California. 2015-02-11. Archived from the original on 2021-01-07. Retrieved 2021-02-28.
  14. "Meta releases new threat report on surveillance for hire industry". The Economic Times. 2021-12-17. Archived from the original on 2021-12-17.
  15. Dvilyanski, Mike; Agranovich, David; Gleicher, Nathaniel (2021-12-16). "Threat Report on the Surveillance-for-Hire Industry" (PDF). Meta. Archived (PDF) from the original on 2021-12-16.
  16. Porter, Jon (2020-06-10). "Researchers detail huge hack-for-hire campaigns against environmentalists". The Verge. Archived from the original on 2020-06-10. Retrieved 2021-02-28.
  17. Murphy, Paul (2021-06-09). "Toronto's Citizen Lab uncovers massive hackers-for-hire organization 'Dark Basin' that has targeted hundreds of institutions on six continents". Financial Times. Archived from the original on 2021-01-25. Retrieved 2021-02-28 via the Financial Post.