
Cybercrime, Google unveils the hack-for-hire ecosystems in India, Russia, and UAE

Google TAG unveils the hack-for-hire ecosystems in India, Russia, and UAE. The breadth of targets in those campaigns stands in contrast to many government-backed operations, which often have a clearer delineation of mission and targets.

There are hack-for-hire ecosystems in India, Russia, and the United Arab Emirates. Google Threat Analysis Group (TAG) cybersecurity experts revealed them after identifying the services offered by cyber mercenaries and the campaigns involving them. For example, an Indian hack-for-hire operator was recently observed targeting an IT company in Cyprus, an education institution in Nigeria, a fintech company in the Balkans and a shopping company in Israel. Since 2012, TAG has been tracking an interwoven set of Indian hack-for-hire actors, many of whom previously worked for the Indian offensive security providers Appin and Belltrox. One cluster of this activity frequently targets the government, healthcare, and telecom sectors in Saudi Arabia, the United Arab Emirates, and Bahrain. These credential phishing campaigns have ranged from targeting specific government organizations to AWS accounts to Gmail accounts.

The Russian affairs

TAG cybersecurity researchers also discovered a Russian attacker targeting journalists, politicians across Europe, and various NGOs and non-profit organizations. What stood out during this investigation was the breadth of targeting, which also included individuals who had no affiliation with the selected organizations and appeared to be regular, everyday citizens in Russia and surrounding countries. This hack-for-hire actor has been publicly referred to as ‘Void Balaur’. The campaigns were similar regardless of target, consisting of a credential phishing email with a link to an attacker-controlled phishing page. The lures ranged from fake Gmail and other webmail provider notifications to messages spoofing Russian government organizations. After the target account was compromised, the attacker generally maintained persistence by granting an OAuth token to a legitimate email application like Thunderbird or generating an App Password to access the account via IMAP. Both OAuth tokens and App Passwords are revoked when a user changes their password.

The UAE cyber mercenaries

Finally, TAG is also tracking a hack-for-hire group now based in the United Arab Emirates that is mostly active in the Middle East and North Africa. The group has primarily targeted government, education, and political organizations, including Middle East-focused NGOs in Europe and the Palestinian political party Fatah. Amnesty International has also reported on its campaigns. The group commonly uses Google or OWA password reset lures to steal credentials from targets, often using the MailJet or SendGrid API to send phishing emails. Unlike many hack-for-hire actors that use open-source phishing frameworks like Evilginx or GoPhish, this group uses a custom phishing kit that utilizes Selenium, a self-described ‘suite of tools for automating web browsers.’ Previously described by Amnesty, this phishing kit has remained under active development over the past five years. After compromising an account, the actor maintains persistence by granting themselves an OAuth token to a legitimate email app like Thunderbird, or by linking the victim Gmail account to an attacker-owned account on a third-party mail provider. The attacker would then use a custom tool to download the mailbox contents via IMAP. This group also has links to the original developers of H-Worm, also known as njRAT.
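For defenders, the persistence steps described for both the Russian and the UAE-based actors (an OAuth grant to a mail client, a new App Password, a link to an external mail account) can be hunted as account changes that closely follow a login from an unfamiliar address. The sketch below is an added example, not code from TAG or from this article; the event schema, field names and sample records are constructed assumptions and must be mapped to whatever audit log your mail provider actually exports.

```python
from datetime import datetime, timedelta

# Constructed sample records in a hypothetical normalized schema
# (not a real provider's audit log format).
SAMPLE_EVENTS = [
    {"ts": "2022-06-28T09:00:00", "user": "alice@example.org", "type": "login", "ip": "198.51.100.7"},
    {"ts": "2022-06-30T02:10:00", "user": "alice@example.org", "type": "login", "ip": "203.0.113.50"},
    {"ts": "2022-06-30T02:14:00", "user": "alice@example.org", "type": "oauth_grant", "detail": "Thunderbird"},
    {"ts": "2022-06-30T02:20:00", "user": "alice@example.org", "type": "app_password_created", "detail": "IMAP"},
    {"ts": "2022-06-29T08:00:00", "user": "bob@example.org", "type": "login", "ip": "192.0.2.10"},
    {"ts": "2022-06-29T08:30:00", "user": "bob@example.org", "type": "oauth_grant", "detail": "Thunderbird"},
    {"ts": "2022-06-20T10:00:00", "user": "carol@example.org", "type": "login", "ip": "192.0.2.77"},
    {"ts": "2022-06-21T10:00:00", "user": "carol@example.org", "type": "login", "ip": "203.0.113.9"},
    {"ts": "2022-06-25T10:00:00", "user": "carol@example.org", "type": "external_account_linked", "detail": "mail.example.net"},
]

# Account changes that keep mailbox access alive without the password prompt.
PERSISTENCE_TYPES = {"oauth_grant", "app_password_created", "external_account_linked"}

def find_post_login_persistence(events, window=timedelta(hours=24)):
    """Return (user, type, detail) for persistence-style changes made within
    `window` after that user's login from an IP not seen for them before."""
    known_ips = {}    # user -> set of source IPs seen so far
    risky_login = {}  # user -> time of the latest login from a new IP
    findings = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        user = ev["user"]
        if ev["type"] == "login":
            seen = known_ips.setdefault(user, set())
            # The first IP ever seen for a user is treated as baseline.
            if seen and ev["ip"] not in seen:
                risky_login[user] = ts
            seen.add(ev["ip"])
        elif ev["type"] in PERSISTENCE_TYPES:
            start = risky_login.get(user)
            if start is not None and ts - start <= window:
                findings.append((user, ev["type"], ev.get("detail", "")))
    return findings

if __name__ == "__main__":
    for finding in find_post_login_persistence(SAMPLE_EVENTS):
        print(finding)
```

A hit identifies an account whose password should be changed and whose authorized applications and linked accounts should be reviewed, since the grant itself looks like ordinary mail-client setup.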
