Global Email Phishing Attacks Allegedly Tied to India Services Provider
Tens of thousands of email accounts belonging to government officials, corporate leaders, U.S. non-profits and financial institutions were bombarded with phishing lures in a massive operation tied to an India-based IT security services provider.
Some notable U.S. companies, including private equity firm KKR and short seller Muddy Waters, are among a huge trove of email accounts assaulted over a seven-year period beginning in 2013 by hackers reportedly working for the New Delhi-based BellTroX Info Tech, also known as BellTroX D/G/TAL Security, reports said.
The phishers sought to trick the email recipients into handing over their personal credentials. In many cases, the malicious phishing sites mimicked web services from Google, Yahoo and Facebook. Some high value targets were sent more than one hundred phishing attempts using different content. Other targets included journalists and human rights defenders.
A hack-for-hire organization, referred to as Dark Basin, has been linked to BellTroX. The group reportedly conducted global commercial espionage on behalf of its clients, targeting thousands of individuals and organizations on six continents, according to Citizen Lab, an internet watchdog, which has researched the Dark Basin syndicate for more than two years. Dark Basin does not appear to be state-sponsored.
It’s not clear if Dark Basin has been commanding the phishing scheme. Citizen Lab said it had “high confidence” that BellTroX employees are behind the espionage operation. “This is one of the largest spy-for-hire operations ever exposed,” Citizen Lab researcher John Scott-Railton, told Reuters.
BellTroX’s director, Sumit Gupta, was indicted in California in 2015 for his role in a similar hack-for-hire scheme. Gupta was reportedly never arrested in relation to the indictment. The U.S. Department of Justice is currently investigating BellTroX’s hacking involving American targets, Reuters said. At this point, BellTroX’s clients remain unidentified.
Gupta has denied the spying accusations and refused to say who hired him, claiming he had only worked with private investigators. “I didn’t help [private investigators] access anything, I just helped them with downloading the mails and they provided me all the details,” he told Reuters. “I am not aware how they got these details but I was just helping them with the technical support.” It is unclear why private investigators might need Gupta to download emails.
Google’s Threat Analysis Group (TAG) warned in a recent blog post of an uptick in new activity from several hack-for-hire India-based cyber phishers looking to capitalize on the coronavirus pandemic. The attackers are mostly ensnaring individuals in the U.S., the U.K., Bahrain, Canada, Cyprus, India and Slovenia with bogus email invitations to sign up for COVID-19 notifications from the World Health Organizations (WHO), TAG director Shane Huntley said. It’s unclear if Dark Basin is involved in that scheme.
Blossoming cyber activities such as digital surveillance and corporate “hacking back” strategies may be prodding hacking for hire. “Dark Basin’s activities make it clear that there is a large and likely growing hack-for-hire industry,” Citizen Lab said. “Hack-for-hire groups enable companies to outsource activities like those described in this report, which muddies the waters and can hamper legal investigations.