Anti-Phishing, DMARC , Cybercrime , Cybercrime as-a-service

Phishing Attacks Traced to Indian Commercial Espionage Firm

Researchers at Citizen Lab Accuse Indian Firm of Criminal Hacking for Hire
Phishing Attacks Traced to Indian Commercial Espionage Firm
Some of the phishing messages sent by Dark Basin that targeted activists. These purported to be Google News updates concerning ExxonMobil. (Source: Citizen Lab)

Surveillance researchers have tied numerous corporate espionage hack attacks to a small Indian cybersecurity firm, led by a man who's wanted by the FBI.

See Also: OnDemand | Overcoming the Limitations of Addressing Insider Threat in Banking: Real Solutions for Real Security Challenges

Citizen Lab, a think tank based at the Munk School of Global Affairs at the University of Toronto that investigates surveillance software and tracks spyware and phishing campaigns against human rights activists, dissidents, journalists and others, says it's been tracking this attack campaign for several years.

On Tuesday, Citizen Lab researchers published what they say is the first of multiple, planned reports into the activities of "Dark Basin." That's their name for a criminal, "hack for hire" operation that hit thousands of targets in recent years with phishing attacks designed to give attackers' remote access to targets' systems, cloud-based email accounts and more. Alleged targets ranged from government officials and climate-change activists to financial services and pharmaceutical firms.

"We link Dark Basin’s activity with high confidence to individuals working at an Indian company named BellTroX InfoTech Services, also known as 'BellTroX D|G|TAL Security,' and possibly other names," according to Citizen Lab's report.

BellTroX's website as it appeared on June 28, 2019. (Source: Wayback Machine)

BellTroX, based in New Delhi, did not immediately respond to a request for comment sent to an email address previously listed on its website as being a primary point of contact.

Citizen Lab and NortonLifeLock, which tracks Dark Basin under the name "Mercenary.Amanda," have released indicators of compromise tied to the group, in multiple formats, via GitHub.

'You Desire, We Do!'

BellTroX's corporate slogan, according to its website, is: "You desire, we do!"

In terms of what exactly it might do, the company's LinkedIn page suggests it is a transcription service. "Established in 2011, BellTroX InfoTech Services has grown into one of the world's premier transcription and digital dictation provider for numerous hospitals, clinics, expert witnesses, independent practitioners and commercial organizations," it says.

The company's website, meanwhile, until recently said the company offered a range of services, ranging from medical transcription and information security consulting services to web development and training.

But since Sunday, the website has been inactive, and data previously stored on a site's hosting service appears to have been deleted, Citizen Lab reports. The domain name, first registered in 2012, now resolves to a static page saying: "This account has been suspended."

Thousands of Targets

At least one of the services offered by BellTroX was corporate espionage, according to Citizen Lab.

"Dark Basin has a remarkable portfolio of targets, from senior government officials and candidates in multiple countries, to financial services firms such as hedge funds and banks, to pharmaceutical companies," Citizen Lab says. "Troublingly, Dark Basin has extensively targeted American advocacy organizations working on domestic and global issues. These targets include climate advocacy organizations and net neutrality campaigners."

Citizen Lab says it has "notified hundreds of targeted individuals and institutions" about Dark Basin's efforts, and also "provided them with assistance in tracking and identifying the campaign," and in some cases, at their request, sharing details with the U.S. Department of Justice.

Wanted: Sumit Gupta

Sumit Gupta, the director of BellTroX, was previously charged in California federal court with participating in a criminal hacking scheme.

In 2015, the Justice Department unsealed an indictment against five men, including two private investigators, as well as Gupta, aka Sumit Vishnoi - then 26 years old. All five were charged "with crimes related to a conspiracy to access the email accounts, Skype accounts, and computers" of clients of the two private investigators, according to the indictment, which describes Gupta as being one of two hackers they hired "to access the email accounts, Skype accounts and protected computers of individuals without authorization."

Citizen Lab says that multiple details of the attacks it ascribes to Dark Basin parallel allegations against Gupta included in the 2015 indictment.

Some individuals designated as being employees of BellTroX on LinkedIn also list offensive hacking skills. One, for example, lists his skills as being "cyber specialist, email penetration, corporate espionage, phone pinger, ORM specialist." Object-Relational Mapping is a technique that can be used to construct injection attacks against databases.

Also on LinkedIn, BellTroX has testimonials from numerous individuals working in law enforcement and corporate intelligence, including some Canadian and U.S. government employees. "A LinkedIn endorsement may be completely innocuous, and is not proof that an individual has contracted with BellTroX for hacking or other activity," Citizen Lab says. "However, it does raise questions as to the nature of the relationship between some of those who posted endorsements and BellTroX."

Employees Allegedly Boasted About Attacks

Multiple details appear to reinforce that Dark Basin's operators were Indian and working in India, including the repeat use of custom-built link-shortening services named Holi, Rongali and Pochanchi, of which the first two are names of Hindu festivals, while the latter appears to be "a transliteration of the Bengali word for '55,'" according to Citizen Lab.

Researchers said they found online a copy of BellTroX's phishing kit source code, as well as log files detailing testing activity, which uses the same time zone as India.

Citizen Lab says employees also boasted online about conducting some attacks that traced back to link-shortening services seen in multiple BellTroX hack attacks.

"We were able to identify several BellTroX employees whose activities overlapped with Dark Basin because they used personal documents, including a CV, as bait content when testing their URL shorteners," Citizen Lab says. "They also made social media posts describing and taking credit for attack techniques containing screenshots of links to Dark Basin infrastructure. BellTroX and its employees appear to use euphemisms for promoting their services online, including 'Ethical Hacking' and 'Certified Ethical Hacker.'"

Attacks Unraveled via Link Shortening

Key to unraveling Dark Basin's activities was its use of the three aforementioned, custom link-shortening services, which Citizen Lab said would generate sequentially numbered short links. Thanks to that behavior, "we were able to enumerate them and identify almost 28,000 additional URLs containing e-mail addresses of targets," it says.

"While we initially thought that Dark Basin might be state-sponsored, the range of targets soon made it clear that Dark Basin was likely a hack-for-hire operation," Citizen Lab adds. "Dark Basin’s targets were often on only one side of a contested legal proceeding, advocacy issue, or business deal."

Some of the thousands of different phishing messages tied to Dark Basin referenced "confidential information and notifications concerning ExxonMobil sent to individuals at advocacy organizations." (Source: Citizen Lab)

One group of activists targeted by BellTroX, for example, were working on a campaign called #ExxonKnew, designed to detail the company's approach to climate change. Citizen Lab says the activists were targeted by short URLs created by BellTroX, and notes that many of the activists suspected that their communications were being leaked.

ExxonMobil, one of the world's largest publicly traded international oil and gas companies, in January issued a statement saying that "ExxonKnew is an orchestrated campaign that seeks to delegitimize ExxonMobil and misinterpret our climate change position and research."

But in January 2018, New York’s attorney general filed a lawsuit against ExxonMobil, alleging that the company misled investors about its climate-change practices.

Nation-State Attack Parallels

Researchers' ability to unravel the Dark Basin attacks parallels previous work by Citizen Lab, which helped trace phishing campaigns to Russia's GRU military intelligence agency. One such campaign, for example, targeted numerous U.S. politicians. One of the most high-profile victims was John Podesta, Hillary Clinton's 2016 presidential campaign chairman, who clicked on a phishing message disguised as a legitimate Google security communication (see: Nation-State Spear Phishing Attacks Remain Alive and Well).

The phishing attack against John Podesta used an email with a "Change Password" link, on left, that led to a Bit.ly link that resolved to a fake Google Account log-in screen, on right. (Source: Pwn All The Things, via WikiLeaks dump of Podesta's emails.)

Citizen Lab in 2017 reported that those attackers had used Tiny.cc, a legitimate link-shortening service, to make the emails appear to have come from Google. But the service had "predictable features that enabled us to discover some other links likely used by the same operators," the researchers said, noting that they'd recovered 223 malicious links that appeared to have been sued against at least 218 different individuals. Citizen Lab did not attribute those attacks to any individuals or organizations (see: Tainted Leaks: Researchers Unravel Cyber-Espionage Attacks).

But U.S. prosecutors have said that Podesta was targeted by the same GRU officers who targeted the Democratic Congressional Campaign Committee and the Democratic National Committee in 2015 and 2016, ahead of that year's 2016 U.S. presidential election. Stolen data was leaked via the DCleaks.com website, via a WordPress run by the Russian government's fake Guccifer 2.0 hacker person and later, WikiLeaks (see: Analysis: VPN Fail Reveals 'Guccifer 2.0' is 'Fancy Bear').


About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.eu, you agree to our use of cookies.