Researchers have uncovered a hacker-for-hire group that for years has offered a slew of services, from hacking into corporate email inboxes or social media accounts, to selling victims' sensitive data.
The Russian-speaking threat actor, which calls itself "Rockethack" and is tracked by Trend Micro researchers as Void Balaur, has been selling its services on Russian-speaking underground forums such as Probiv since at least 2017. Over the course of Trend Micro's year-long investigation, the group racked up more than 3,500 potential victims worldwide, from a Belarusian presidential candidate targeted in September 2020 to more than 50 employees of over 20 Russian IVF clinics targeted between May 2020 and April 2021.
"We were able to uncover more than 3,500 potential victims of this cyber-mercenary, and those are mostly in Russia and other countries in Eastern Europe, but it also extends to other regions of the world, like Europe and the U.S.," said Feike Hacquebord, senior threat researcher with Trend Micro.
Researchers were first alerted to the threat group in March 2020, when someone previously targeted by APT28 told them that his wife, who works as a scientist, had received a dozen phishing emails to her Gmail account. Although APT28 has previously targeted the spouses of its victims, the phishing emails did not fit that APT's modus operandi. On further investigation, researchers found a (now defunct) domain belonging to Void Balaur, which allowed them to learn more about the group.
A Diverse Set of Services
Void Balaur's services include hacking into targets' email and social media accounts. As of March 2021, advertised prices started at $138 for Mail.ru accounts, rising to $413 for corporate email accounts and $550 for Gmail accounts, and reaching $2,064 for Telegram accounts. The threat group also sells the sensitive data of its targets, including passport details and SMS messages. For individual targets the data on offer can be very specific: criminal records (with a price tag starting at $21), banking data (such as account balances and statements) and phone call records with cell tower locations (offered for $826).
“The telecom data that Void Balaur is peddling includes phone call records with cell tower locations that could reveal who a person has been calling, the duration of the calls, and the approximate location where the calls were made,” according to researchers. “Knowledge of these details could serve several purposes, including committing serious crimes."
The threat group also appears to target many organizations that are likely to hold highly sensitive data on people, including mobile operators and cellular equipment vendors, radio and satellite communication companies and ATM vendors. Researchers believe this may signal a future expansion of the group's current offerings as it collects more kinds of information on more people.
The threat group also uses malware against targeted victims, including ZStealer, which steals credentials from instant messaging software, File Transfer Protocol (FTP) and Secure Shell (SSH) clients, various email clients and browsers. ZStealer can additionally steal cryptocurrency wallets for Electrum, MultiBit and Terracoin, which fits a smaller effort by the cybercriminals, ongoing since at least 2018, to access wallets at various cryptocurrency exchange services, researchers said. The group also leverages DroidWatcher, Android malware with several functions, including exfiltrating incoming and outgoing SMS messages and phone call logs, recording phone calls and triggering automatic silent updates on victim devices.
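Credential stealers of the kind described above harvest whatever the victim's SSH and FTP clients leave on disk, and an SSH private key stored without a passphrase is immediately usable by whoever takes it. The following Python check is an added example, not code from the article or from Trend Micro's report: it parses OpenSSH's `openssh-key-v1` container (reading the cipher name that follows the magic string) and the legacy PEM headers (`Proc-Type: 4,ENCRYPTED` / `DEK-Info`) to report which keys lack a passphrase. The sample keys are constructed inline for the demonstration; the openssh-key-v1 blobs carry only the leading fields the check reads, not real key material.

```python
import base64
import struct

MAGIC = b"openssh-key-v1\x00"  # leading bytes of every openssh-key-v1 file


def _ssh_string(b: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (uint32 big-endian length + data)."""
    return struct.pack(">I", len(b)) + b


def _build_sample(ciphername: bytes, kdfname: bytes) -> str:
    """Constructed sample: a PEM-wrapped openssh-key-v1 blob holding only the
    magic, ciphername, kdfname and empty kdfoptions fields (no key material)."""
    blob = MAGIC + _ssh_string(ciphername) + _ssh_string(kdfname) + _ssh_string(b"")
    body = base64.b64encode(blob).decode()
    lines = [body[i:i + 70] for i in range(0, len(body), 70)]
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n" + "\n".join(lines)
            + "\n-----END OPENSSH PRIVATE KEY-----\n")


def _read_ssh_string(buf: bytes, off: int):
    """Read one SSH wire-format string at offset; return (data, new_offset)."""
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated SSH string")
    return buf[off:off + n], off + n


def ssh_key_protection(pem_text: str) -> dict:
    """Classify a private key file: its format and whether it is passphrase-protected.

    Returns {"format": ..., "encrypted": bool, "cipher": str or None}.
    """
    lines = [l.strip() for l in pem_text.strip().splitlines()]
    if not lines or not lines[0].startswith("-----BEGIN"):
        raise ValueError("not a PEM-style key file")
    if lines[0] == "-----BEGIN OPENSSH PRIVATE KEY-----":
        b64 = "".join(l for l in lines[1:] if not l.startswith("-----"))
        blob = base64.b64decode(b64)
        if not blob.startswith(MAGIC):
            raise ValueError("bad openssh-key-v1 magic")
        off = len(MAGIC)
        cipher, off = _read_ssh_string(blob, off)   # "none" means no passphrase
        _kdf, off = _read_ssh_string(blob, off)     # "bcrypt" when encrypted
        cipher = cipher.decode()
        return {"format": "openssh-key-v1", "encrypted": cipher != "none", "cipher": cipher}
    # Legacy PEM (RSA/DSA/EC PRIVATE KEY): encryption is signalled by headers.
    encrypted = any(l.startswith("Proc-Type: 4,ENCRYPTED") for l in lines[1:])
    cipher = None
    for l in lines[1:]:
        if l.startswith("DEK-Info:"):
            cipher = l.split(":", 1)[1].strip().split(",")[0]
    return {"format": "legacy-pem", "encrypted": encrypted, "cipher": cipher}


def audit_keys(keys: dict) -> list:
    """Return the names of keys stored without a passphrase, i.e. the ones a
    stealer can use as-is after copying them from disk."""
    return [name for name, text in keys.items() if not ssh_key_protection(text)["encrypted"]]


# Constructed samples (hypothetical file names, no real key material).
SAMPLE_KEYS = {
    "id_ed25519_plain": _build_sample(b"none", b"none"),
    "id_ed25519_protected": _build_sample(b"aes256-ctr", b"bcrypt"),
    "id_rsa_legacy_protected": (
        "-----BEGIN RSA PRIVATE KEY-----\n"
        "Proc-Type: 4,ENCRYPTED\n"
        "DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF\n"
        "\n"
        "AAAA\n"
        "-----END RSA PRIVATE KEY-----\n"
    ),
}

if __name__ == "__main__":
    for name in audit_keys(SAMPLE_KEYS):
        print(f"{name}: unprotected private key; add a passphrase with: ssh-keygen -p -f {name}")
```

In practice you would feed `audit_keys` the contents of `~/.ssh/id_*` (and any FileZilla or email client credential stores you care about); a passphrase does not stop a stealer from copying the file, but it turns an instantly usable key into one the attacker still has to crack.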
The Impact of Cyber-Mercenary Groups
Cyber-mercenary threat groups, such as the group called Dark Basin uncovered in 2020, stand out because they offer an array of hacking services to individuals and governments globally. Researchers said they are seeing a rise in the use of such groups, as highlighted in an October report by the Office of the United Nations High Commissioner for Human Rights. While cyber-mercenary groups do not limit themselves to the geopolitical scene, researchers said some countries may decline to hold them accountable because they are viewed as strategic assets, whether for offensive operations against criminals or against foreign targets.
“In theory, these cyber-mercenaries can be used for non-malicious purposes, such as aiding governments in combating terrorism and organized crime,” said researchers. “The truth, however, is that their services end up being used in attacks targeting their client’s opponents.”
Researchers said defending against cyber-mercenary groups "is not an easy task." Potential targets can reduce their exposure in several ways, including enabling multi-factor authentication (MFA) on email and social media accounts, using messaging apps with end-to-end encryption, and using a "robust" email service from a reputable provider.
However, “the reality is that regular internet users cannot easily deter a determined cyber-mercenary,” said researchers. “More than once, media outlets have reported on advanced offensive tools in a cyber-mercenary’s arsenal being used against journalists and human rights activists. Some of these tools include so-called zero-click zero-day exploits, which do not require any user interaction to infect the target with malware.”