The authors report that
Dark Basin is a hack-for-hire group that has targeted thousands of individuals and hundreds of institutions on six continents. Targets include advocacy groups and journalists, elected and senior government officials, hedge funds, and multiple industries. Dark Basin extensively targeted American nonprofits, including organisations working on a campaign called #ExxonKnew, which asserted that ExxonMobil hid information about climate change for decades. We also identify Dark Basin as the group behind the phishing of organizations working on net neutrality advocacy, previously reported by the Electronic Frontier Foundation. We link Dark Basin with high confidence to an Indian company, BellTroX InfoTech Services, and related entities.Citizen Lab has notified hundreds of targeted individuals and institutions and (at the request of several targets) shared information about the argeting with the US Department of Justice (DOJ).
The report states
We give the name Dark Basin to a hack-for-hire organization that has targeted thousands of individuals and organizations on six continents, including senior politicians, government prosecutors, CEOs, journalists, and human rights defenders. With high confidence, we link Dark Basin to BellTroX InfoTech Services (“BellTroX”), an India-based technology company.
Over the course of our multi-year investigation, we found that Dark Basin likely conducted commercial espionage on behalf of their clients against opponents involved in high profile public events, criminal cases, financial transactions, news stories, and advocacy. This report highlights several clusters of targets. In future reports, we will provide more details about specific clusters of targets and Dark Basin’s activities.
Thousands of Targets Emerge
In 2017, Citizen Lab was contacted by a journalist who had been targeted with phishing attempts and asked if we could investigate. We linked the phishing attempts to a custom URL shortener, which the operators used to disguise the phishing links.
We subsequently discovered that this shortener was part of a larger network of custom URL shorteners operated by a single group, which we call Dark Basin. Because the shorteners created URLs with sequential shortcodes, we were able to enumerate them and identify almost 28,000 additional URLs containing e-mail addresses of targets. We used open source intelligence techniques to identify hundreds of targeted individuals and organizations. We later contacted a substantial fraction of them, assembling a global picture of Dark Basin’s targeting.
Our investigation yielded several clusters of interest that we will describe in this report, including two clusters of advocacy organizations in the United States working on climate change and net neutrality.
While we initially thought that Dark Basin might be state-sponsored, the range of targets soon made it clear that Dark Basin was likely a hack-for-hire operation. Dark Basin’s targets were often on only one side of a contested legal proceeding, advocacy issue, or business deal. ...
Links to an Indian Operator
We link Dark Basin’s activity with high confidence to individuals working at an Indian company named BellTroX InfoTech Services (also known as “BellTroX D|G|TAL Security,” and possibly other names). BellTroX’s director, Sumit Gupta, was indicted in California in 2015 for his role in a similar hack-for-hire scheme. ... Along with our collaborators at NortonLifeLock, we have unearthed numerous technical links between the campaigns described in this report and individuals associated with BellTroX. These links lead us to conclude with high confidence that Dark Basin is linked to BellTroX.
We were able to identify several BellTroX employees whose activities overlapped with Dark Basin because they used personal documents, including a CV, as bait content when testing their URL shorteners. They also made social media posts describing and taking credit for attack techniques containing screenshots of links to Dark Basin infrastructure. BellTroX and its employees appear to use euphemisms for promoting their services online, including “Ethical Hacking” and “Certified Ethical Hacker.” BellTroX’s slogan is: “you desire, we do!” ....
Targeting American Nonprofits, Journalists
Dark Basin has a remarkable portfolio of targets, from senior government officials and candidates in multiple countries, to financial services firms such as hedge funds and banks, to pharmaceutical companies. Troublingly, Dark Basin has extensively targeted American advocacy organizations working on domestic and global issues. These targets include climate advocacy organizations and net neutrality campaigners.
Targeting American Environmental Organizations
We discovered a large cluster of targeted individuals and organizations that were engaged in environmental issues in the US. In the fall of 2017, Citizen Lab made contact with these groups and began working with them to determine the nature and scope of the targeting. We determined that these organizations were all linked to the #ExxonKnew campaign, which highlights documents that, the advocacy organizations argue, point to Exxon’s decades-long knowledge of climate change. According to the New York Times, the #ExxonKnew campaign has led to “exposés of the company’s research into climate change, including actions it took to incorporate climate projections into its exploration plans while playing down the threat.” The New York Times describes an intense legal battle between ExxonMobil, multiple states’ attorneys general, and organizations engaged in the #ExxonKnew campaign.
Targeted organizations consenting to be named in this report include: Rockefeller Family Fund, Climate Investigations Center, Greenpeace, Center for International Environmental Law, Oil Change International, Public Citizen, Conservation Law Foundation, Union of Concerned Scientists, M+R Strategic Services, and 350.orgThe authors conclude
Mercenary Intrusion: A Global Problem
Dark Basin’s thousands of targets illustrate that hack-for-hire is a serious problem for all sectors of society, from politics, advocacy and government to global commerce.
Many of Dark Basin’s targets have a strong but unconfirmed sense that the targeting is linked to a dispute or conflict with a particular party whom they know. However, absent a systematic investigation, it is difficult for most individuals to determine with certainty who undertakes these phishing campaigns and/or who may be contracting for such services, especially given that Dark Basin’s employees or executives are unlikely to be within the jurisdiction of their local law enforcement. Further, while many of the targets whom we contacted had a sense they were being phished in a targeted operation, many others did not share this awareness. These targets either concluded that they were being phished for an unknown reason, or simply did not notice the targeting against the background of unrelated phishing messages and spam.
We believe there is an important role for major online platforms who have the capacity to track and monitor groups like Dark Basin. We hope Google and others will continue to track and report such hack-for-hire operations. We also encourage online platforms to be proactive in notifying users that have been targeted by such groups, such as providing detailed warnings beyond generic notifications to help enable targets to recognize the seriousness of the threat and take appropriate action.
Hacking for hire
Dark Basin’s activities make it clear that there is a large and likely growing hack-for-hire industry. Hack-for-hire groups enable companies to outsource activities like those described in this report, which muddies the waters and can hamper legal investigations. Previous court cases indicate that similar operations to BellTroX have contracted through a murky set of contractual, payment, and information sharing layers that may include law firms and private investigators and which allow clients a degree of deniability and distance.
The growth of a hack-for-hire industry may be fueled by the increasing normalization of other forms of commercialized cyber offensive activity, from digital surveillance to “hacking back,” whether marketed to private individuals, governments or the private sector. Further, the growth of private intelligence firms, and the ubiquity of technology, may also be fueling an increasing demand for the types of services offered by BellTroX. At the same time, the growth of the private investigations industry may be contributing to making such cyber services more widely available and perceived as acceptable.
A clear danger to democracy
The rise of large-scale, commercialized hacking threatens civil society. As this report shows, it can be used as a tool of the powerful to target organizations that may not have sophisticated cybersecurity resources and consequently are vulnerable to such attacks.
For example, in a four-year-study, we concluded that digital threats undermined civil society organizations’ core communications and missions in a significant way, sometimes as a nuisance or resource drain, or more seriously as a major risk to individual safety. Citizen Lab has also previously researched and documented the harms of phishing campaigns against civil society around the globe.
We believe it is especially urgent that all parties involved in these phishing campaigns are held fully accountable. For this reason, and on the request of multiple targets of Dark Basin, Citizen Lab provided indicators and other materials to the US DOJ.