Canada's Citizen Lab laboratory has uncovered a hacks-for-hire phishing operation targeting anyone from political activists and oligarchs to lawyers and CEOs that hit more than 10,000 email inboxes over seven years.
The North American outfit claims to have traced the so-called Dark Basin campaign to an Indian firm called BellTroX InfoTech Services - which denies all wrongdoing. The University of Toronto institution said the campaign "likely conducted commercial espionage on behalf of their clients against opponents involved in high profile public events, criminal cases, financial transactions, news stories, and advocacy."
In a detailed post explaining how it had identified and tracked down BellTroX director Sumit Gupta, Citizen Lab accused him of targeting journalists, politicians, political activists and others who "were often on only one side of a contested legal proceeding, advocacy issue, or business deal."
Some targets were phished with emails that "impersonated individuals involved in the #ExxonKnew advocacy campaign or individuals involved in litigation against ExxonMobil, such as legal counsel," Citizen Lab claimed.
The Reuters newswire, which co-published the investigation with Citizen Lab, also doorstepped Gupta and took photos of him. He denied all wrongdoing. BellTroX's website is offline with a message saying "this account has been suspended" when The Register checked it to ask the company for comment.
Gupta's alleged operation was uncovered in part because phishing emails sent by BellTroX were all sent within usual office hours for India's GMT+5:30 timezone, Citizen Lab claimed. The URL-shortening service it allegedly used to disguise its phishing links (an open-source suite called Phurl) "had names associated with India: Holi, Rongali, and Pochanchi," it added. Targets' email addresses were revealed when Citizen Lab enumerated the full-length URLs.
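The office-hours attribution described above can be reproduced in a few lines: shift each message timestamp through every candidate UTC offset and see which offset fits the most messages into a working day. This is an added illustration, not Citizen Lab's tooling; the Date headers are constructed, office hours of 09:00 to 18:00 on weekdays are an assumption, and an analyst would take timestamps from a trusted hop's Received header rather than the sender-controlled Date field.

```python
"""Estimate an operator's working-hours UTC offset from email timestamps."""
from datetime import timedelta, timezone
from email.utils import parsedate_to_datetime

# Constructed sample Date headers (not taken from the Citizen Lab report).
SAMPLE_DATES = [
    "Mon, 02 Mar 2020 04:05:00 +0000",
    "Mon, 02 Mar 2020 07:40:00 +0000",
    "Tue, 03 Mar 2020 11:55:00 +0000",
    "Wed, 04 Mar 2020 05:30:00 +0000",
    "Thu, 05 Mar 2020 09:15:00 +0000",
    "Fri, 06 Mar 2020 12:10:00 +0000",
    "Fri, 06 Mar 2020 03:45:00 +0000",
]

WORK_START, WORK_END = 9, 18  # assumed local office hours: 09:00 up to 18:00


def to_utc(header_value):
    """Parse an RFC 5322 Date header value and normalise it to UTC."""
    dt = parsedate_to_datetime(header_value)
    if dt.tzinfo is None:  # naive timestamp: assume it was already UTC
        dt = dt.replace(tzinfo=timezone.utc)
    return dt.astimezone(timezone.utc)


def office_hours_hits(utc_times, offset_hours):
    """Count timestamps landing on a weekday inside office hours at UTC+offset."""
    local_zone = timezone(timedelta(hours=offset_hours))
    hits = 0
    for stamp in utc_times:
        local = stamp.astimezone(local_zone)
        if local.weekday() < 5 and WORK_START <= local.hour < WORK_END:
            hits += 1
    return hits


def infer_offsets(headers, step=0.5):
    """Return (best_hit_count, [offsets]) for every UTC offset from -12 to +14
    that fits the most timestamps into office hours. Several offsets tie when
    the sample is small or the sender's day is short, so a list is returned."""
    utc_times = [to_utc(h) for h in headers]
    scores = {}
    for i in range(int(26 / step) + 1):
        offset = -12.0 + i * step
        scores[offset] = office_hours_hits(utc_times, offset)
    best = max(scores.values())
    return best, sorted(off for off, hits in scores.items() if hits == best)
```

With the constructed sample, only UTC+5.5 fits all seven messages; on real data a broad spread of tying offsets means the sample is too small to say anything, and any conclusion should be corroborated by independent evidence such as the infrastructure and log artefacts the report describes.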
More obviously, Citizen Lab claimed, BellTroX employees "left copies of their phishing kit source code available openly online, as well as log files showing testing activity," which confirmed the Indian link. The report added that some log files had contained successful connections from Indian broadband providers. Other alleged tactics included fakes of Gmail, Facebook, Yahoo! Mail and other popular services' login pages.
Citizen Lab also linked BellTroX with oil multinational ExxonMobil, highlighting how BellTroX had targeted activist organisations that used the Twitter hashtag #ExxonKnew. The hashtag and linked campaign were closely associated with US state attorneys general launching lawsuits against Exxon alleging (as Greenpeace put it) that the oil company publicly played down the threat of global warming while privately treating it as a serious threat to its business.
ExxonMobil vehemently denies this, accusing activists of using spurious litigation to blackmail the oil company into a payoff.
Hacking for hire is nothing new. In 2017, a Kazakhstani man pleaded guilty to 47 counts of hacking Gmail and Yahoo! accounts, allegedly unaware that a Russian spy agency was behind his pay cheques. He was later jailed for five years. Last year a Briton was jailed for DDoSing an African telco on behalf of one of its commercial rivals.
A wildcard hack-whoever-you-like operation masquerading as an infosec company to deter casual investigation seems like a novel development, however. ®