Thousands of individuals and hundreds of institutions on six continents have been targets of a hack-for-hire group since 2013, according to the University of Toronto-based internet watchdog Citizen Lab (opens in new tab).
The group, which Citizen Lab calls "Dark Basin," appears to have launched a range of attacks, often using spear-phishing emails, on advocacy groups, journalists, government officials, politicians, judges, lawyers, hedge funds and businesses.
- VPN: how they can protect you online and the best you can get
- Best antivirus: stay protected when online
- Just in: iPhone users can now transfer Signal data to new phones
"This is one of the largest spy-for-hire operations ever exposed," study co-author John Scott-Railton told Reuters.
A parallel investigation by NortonLifelock (opens in new tab), which calls the hacking group "Mercenary Amanda," reached the same conclusions.
NortonLifelock said more than half of the targeted entities were in the United States, and about one-third of the organizations and individuals targeted worldwide were in the financial sector. Others included law firms in the U.S., Europe and Israel, and political-consulting firms in the U.S.
The New York Times (opens in new tab) said a federal prosecutors in Manhattan had already interviewed environmental groups that received the phishing emails. An Israeli private investigator was arrested and indicted (opens in new tab) last year as part of an ongoing federal investigation.
Environmentalist, net-neutrality groups targeted
After being contacted in 2017 by a journalist who had been targeted, the Citizen Lab researchers went on to find nearly 28,000 custom URLs that were directed to a credential-phishing website operated by Dark Basin, according to the Financial Times (opens in new tab). The Financial Times also said the targeted journalist worked for Reuters.
Citizen Lab's researchers say that Dark Basin extensively targeted American nonprofit organisations, which included those working on a campaign that claims ExxonMobil had hidden information about climate change over a few decades.
About 9% of the targeted organisations campaign on important issues like climate change, environment and net neutrality.
They include the Rockefeller Family Fund, the Climate Investigations Center, Greenpeace, the Center for International Environmental Law, Oil Change International, Public Citizen, Conservation Law Foundation, the Union of Concerned Scientists, M+R Strategic Services and 350.org.
The spear-phishing campaign against two groups campaining for net neutrality, Free Press and Fight for the Future, was documented in a 2017 report by the Electronic Frontier Foundation (opens in new tab).
Other targeted groups included private-equity powerhouse KKR and stock-fraud investigative firm and short-seller Muddy Waters Research, according to Reuters.
“While we initially thought that Dark Basin might be state-sponsored, the range of targets soon made it clear that Dark Basin was likely a hack-for-hire operation," wrote the researchers. "Dark Basin’s targets were often on only one side of a contested legal proceeding, advocacy issue, or business deal.”
Links to India
Citizen Lab believes that Dark Basin is linked to a New Delhi company called BellTroX InfoTech Services and BellTroX's related entities. BellTroX apparently advertised itself as providing "Ethical Hacking."
The researchers claim: “We link Dark Basin’s activity with high confidence to individuals working at an Indian company named BellTroX InfoTech Services (also known as BellTroX D|G|TAL Security, and possibly other names). BellTroX’s director, Sumit Gupta, was indicted in California in 2015 for his role in a similar hack-for-hire scheme.”
Gupta, who remains a free man in India, insisted to Reuters (opens in new tab) that he had done nothing wrong. At the time of this writing, BellTrox's website (opens in new tab) had been suspended by its hosting provider, but archived versions of the site (opens in new tab) can be found on the Internet Archive's Wayback Machine.
The watchdog explained that hundreds of timestamps in these phishing emails were consistent with the working hours of India’s UTC+5:30 time zone, and that several of the group’s URL shortening services contained Indian names like Holi, Rongali and Pochanchi.
A San Diego-based private investigator told Reuters that a former BellTrox employee had offered services using "data penetration" and "email penetration." Two unnamed former BellTrox employees told Reuters the firm was often used by private investigators hired by businesses and politicians to dig up dirt on rivals.
- Read more: Quality and value - discover today's best cheap VPN