Google Threat Analysis Group (TAG) has exposed hack-for-hire groups operating in Russia, India and the United Arab Emirates (UAE), targeting activists and sensitive data.
In a blog post released this week, Google TAG reported that some hack-for-hire groups openly advertise their services, and that such groups operate across the globe.
According to Google TAG researchers, the hack-for-hire adversaries are focused on exfiltrating data and on compromising accounts, conducting corporate espionage and targeting high-risk users, including human rights organisations, political activists, journalists and others "operating in sensitive online spaces".
The hack-for-hire landscape is fluid, according to Shane Huntley, director of Google Threat Analysis Group, both in how the attackers organise themselves and in the wide range of targets they pursue in a single campaign at the behest of disparate clients.
"Some hack-for-hire attackers openly advertise their products and services to anyone willing to pay, while others operate more discreetly selling to a limited audience," Huntley wrote in the Google TAG blog.
Using various methods to pursue their targets, some hack-for-hire groups have been observed soliciting business from a select group of potential clients, while others have opted to advertise their services openly, according to researchers.
Google TAG tracked a group of India-based threat actors and linked former employees of offensive security firms, including Appin and Belltrox, to a new firm called Rebsec, which openly advertises corporate espionage.
The Russia-linked group, known as Void Balaur, was discovered while investigating a 2017 campaign against a journalist. The threat actor was seen targeting other journalists, non-governmental organisations (NGOs), non-profits and politicians.
Another set of actors launched credential phishing campaigns against targets in Saudi Arabia, the UAE and Bahrain, with a particular focus on government, telecom and health care. Google TAG researchers found the activity has focused on compromising Google and Amazon Web Services accounts and, in some cases, specific government agencies.
The attackers have been observed to employ "bait" that includes fake Gmail accounts or spoofed Russian government websites. After compromising a targeted account, the adversary used an OAuth token for a legitimate application, such as Thunderbird, according to researchers. In some instances, the attackers generated an app password for IMAP access to the account. The group has targeted Gmail, Hotmail and Yahoo accounts.
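Added illustration, not code from Google TAG or this article: a small Python check over constructed audit records in a simplified, assumed schema (not Google's real audit-log format) that flags the two persistence techniques described above, a mail-scope OAuth grant or a newly created app password, when either follows a login from an IP address the user has not used before.

```python
import json
from datetime import datetime, timedelta

# Scopes whose grant to a third-party app gives durable mailbox access.
MAIL_SCOPES = {"https://mail.google.com/",
               "https://www.googleapis.com/auth/gmail.readonly"}

# Constructed sample records in a simplified schema (an assumption, not a
# real product's log format): one JSON object per line.
SAMPLE_LOG = """\
{"ts": "2022-06-20T09:00:00", "user": "alice@example.org", "event": "login_success", "ip": "203.0.113.5"}
{"ts": "2022-06-20T09:07:00", "user": "alice@example.org", "event": "oauth_authorize", "app": "Thunderbird", "scopes": ["https://mail.google.com/"]}
{"ts": "2022-06-20T09:09:00", "user": "alice@example.org", "event": "app_password_created", "name": "imap"}
{"ts": "2022-06-21T14:00:00", "user": "bob@example.org", "event": "login_success", "ip": "198.51.100.7"}
{"ts": "2022-06-23T10:00:00", "user": "bob@example.org", "event": "oauth_authorize", "app": "Calendar Sync", "scopes": ["https://www.googleapis.com/auth/calendar.readonly"]}
"""


def parse_events(text):
    """Parse one JSON record per line and return them ordered by timestamp."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    for e in events:
        e["ts"] = datetime.fromisoformat(e["ts"])
    return sorted(events, key=lambda e: e["ts"])


def find_persistence_grants(text, known_ips, window=timedelta(hours=24)):
    """Return (user, event, app-or-name, time) for mail-scope OAuth grants or
    app-password creation within `window` of a login from an IP not in
    known_ips[user] (the hypothetical per-user baseline)."""
    alerts = []
    recent_new_login = {}  # user -> time of last login from an unknown IP
    for e in parse_events(text):
        user, kind = e["user"], e["event"]
        if kind == "login_success":
            if e["ip"] not in known_ips.get(user, set()):
                recent_new_login[user] = e["ts"]
            continue
        grants_mail = (kind == "oauth_authorize"
                       and bool(MAIL_SCOPES & set(e.get("scopes", []))))
        if kind == "app_password_created" or grants_mail:
            last = recent_new_login.get(user)
            if last is not None and e["ts"] - last <= window:
                alerts.append((user, kind, e.get("app") or e.get("name"),
                               e["ts"].isoformat()))
    return alerts
```

Calendar-only grants and grants with no preceding anomalous login are ignored, so the baseline of known IPs decides what is flagged.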
The UAE-based threat actors have been focused on Middle East and North African targets, including government organisations, NGOs and education providers. Google TAG researchers have also found the adversary has targeted the Palestinian Fatah party and European-based NGOs focused on Middle East affairs.
The actor uses a custom phishing kit that includes Selenium, a browser-automation framework. This group is also linked to the original H-Worm developers, the subjects of a 2014 Microsoft lawsuit.
Websites and domains linked to these threat actors have been added to Google Safe Browsing. The CyberCrime Investigation Group has shared information and indicators of compromise with law enforcement.