Google’s Threat Analysis Group (TAG) revealed on Thursday that it had acted to block up to 36 malicious domains operated by hacking groups on behalf of India, Russia and the United Arab Emirates.
In a manner analogous to the surveillance software ecosystem, hack-for-hire firms equip their clients with the capability to carry out targeted attacks against businesses as well as activists, journalists, politicians and other high-risk users.
Where the two differ is that while customers purchase spyware from commercial vendors and then deploy it themselves, the operators behind hack-for-hire attacks are known to carry out intrusions on behalf of their clients in order to obscure their role.
“The hack-for-hire landscape is fluid, both in how attackers organize themselves and in the wide range of targets they pursue in a single campaign at the request of disparate clients,” Shane Huntley, director of Google TAG, said in a statement.
“Some hack-for-hire attackers openly advertise their products and services to anyone willing to pay, while others operate more quietly by selling to a limited audience.”
A recent campaign launched by an Indian hack-for-hire operator reportedly targeted an IT company in Cyprus, an educational institution in Nigeria, a fintech company in the Balkans and a trading company in Israel, indicating the breadth of the victim set.
The Indian outfit, which Google TAG said it has been tracking since 2012, has been linked to a series of credential phishing attacks attempting to harvest login information for government agencies, Amazon Web Services (AWS) and Gmail accounts.
The campaign involves sending spear phishing emails containing a malicious link that, when clicked, launches an attacker-controlled phishing page designed to siphon credentials entered by unsuspecting users. Targets included the government, healthcare and telecommunications sectors in Saudi Arabia, the United Arab Emirates and Bahrain.
Google TAG attributed the Indian hack-for-hire activity to a company called Rebsec, which according to its inactive Twitter account is short for “Rebellion Titles” and is based in the city of Amritsar. The company’s website, down for “maintenance” at the time of writing, also claims to offer corporate espionage services.
A similar set of credential theft attacks targeting European journalists, politicians and nonprofits has been linked to a Russian actor dubbed Void Balaur, a group of cyber mercenaries first documented by Trend Micro in November 2021.
Over the past five years, the collective has reportedly targeted accounts at major webmail providers such as Gmail, Hotmail and Yahoo!, and at regional webmail providers like abv.bg, mail.ru, inbox.lv and UKR.net.
Finally, TAG also detailed the activities of a group based in the United Arab Emirates that has ties to the original developers of a remote access Trojan called njRAT (aka H-Worm or Houdini).
Phishing attacks, as previously uncovered by Amnesty International in 2018, involve the use of password reset lures to steal the credentials of targets within government, educational and political organizations in the Middle East and in North Africa.
Following account compromise, the threat actor maintains persistence by granting an OAuth token to a legitimate email application such as Thunderbird, generating an Application Password to access the account via IMAP, or linking the victim’s Gmail account to an account belonging to an adversary on a third-party email provider.
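As an added illustration of how a defender might hunt for the three persistence techniques just described (mail-scope OAuth grants to third-party apps, application passwords for IMAP, and forwarding or linking to an external mailbox), the following script is example code written for this article, not something from Google TAG’s report. It runs over a constructed set of simplified audit events; the field names are an assumption of this example and would need mapping from a real audit export. The Gmail OAuth scope URLs are real, the domain and addresses are constructed.

```python
"""Flag post-compromise mailbox persistence actions in account audit events.

Assumption of this example: each event is a dict with the keys used in
SAMPLE_EVENTS below. Real audit exports use different field names and must be
normalised to this shape before calling flag_persistence().
"""
from datetime import datetime, timedelta
from typing import Dict, List, Optional

INTERNAL_DOMAIN = "example.org"  # assumption: the organisation's own mail domain

# Real Gmail OAuth scopes that grant mailbox access. A third-party app being
# granted one of these is the "OAuth token to a legitimate email app" case.
MAIL_SCOPES = {
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/gmail.readonly",
    "https://www.googleapis.com/auth/gmail.modify",
}

# Constructed sample events: one account shows the full persistence pattern
# shortly after a login, another shows a benign calendar-only OAuth grant.
SAMPLE_EVENTS: List[Dict] = [
    {"ts": "2022-06-30T08:01:10Z", "user": "analyst@example.org",
     "event": "login_success", "ip": "203.0.113.7"},
    {"ts": "2022-06-30T08:03:42Z", "user": "analyst@example.org",
     "event": "oauth_authorize", "app": "Thunderbird",
     "scopes": ["https://mail.google.com/"], "ip": "203.0.113.7"},
    {"ts": "2022-06-30T08:05:19Z", "user": "analyst@example.org",
     "event": "app_password_create", "ip": "203.0.113.7"},
    {"ts": "2022-06-30T08:07:55Z", "user": "analyst@example.org",
     "event": "forwarding_enable",
     "destination": "collector@third-party-mail.example", "ip": "203.0.113.7"},
    {"ts": "2022-06-30T09:15:00Z", "user": "ceo@example.org",
     "event": "oauth_authorize", "app": "Calendar Sync",
     "scopes": ["https://www.googleapis.com/auth/calendar.readonly"],
     "ip": "198.51.100.4"},
]


def classify(event: Dict) -> Optional[str]:
    """Return a human-readable reason if the event is a persistence action, else None."""
    kind = event.get("event")
    if kind == "oauth_authorize":
        if MAIL_SCOPES & set(event.get("scopes", [])):
            return f"mail-scope OAuth grant to '{event.get('app')}'"
        return None  # non-mail scopes (calendar, drive, ...) are out of scope here
    if kind == "app_password_create":
        return "application password created (IMAP/SMTP access without interactive MFA)"
    if kind == "forwarding_enable":
        dest = event.get("destination", "")
        if not dest.endswith("@" + INTERNAL_DOMAIN):
            return f"mail forwarded/linked to external address {dest}"
    return None


def flag_persistence(events: List[Dict], window_minutes: int = 120) -> Dict[str, List[str]]:
    """Group persistence actions per user and note whether each one followed a
    login within `window_minutes`; several actions in one window are the
    high-confidence pattern described in the article."""
    last_login: Dict[str, datetime] = {}
    findings: Dict[str, List[str]] = {}
    for ev in sorted(events, key=lambda e: e["ts"]):  # ISO timestamps sort lexically
        ts = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        user = ev["user"]
        if ev["event"] == "login_success":
            last_login[user] = ts
            continue
        reason = classify(ev)
        if reason is None:
            continue
        login = last_login.get(user)
        recent = login is not None and ts - login <= timedelta(minutes=window_minutes)
        tag = "within login window" if recent else "no recent login seen"
        findings.setdefault(user, []).append(f"{ev['ts']} {reason} ({tag})")
    return findings


def high_confidence(findings: Dict[str, List[str]], min_actions: int = 2) -> List[str]:
    """Users with at least `min_actions` distinct persistence actions."""
    return sorted(u for u, items in findings.items() if len(items) >= min_actions)


if __name__ == "__main__":
    result = flag_persistence(SAMPLE_EVENTS)
    for user, items in result.items():
        print(user)
        for item in items:
            print("  -", item)
    print("high confidence:", high_confidence(result))
```

In practice the value of this check comes from correlating the three action types per account within a short window after a login from an unfamiliar address, rather than alerting on any single OAuth grant, which legitimate mail clients also produce.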
The findings come a week after Google TAG revealed details of an Italian spyware company named RCS Lab, whose ‘Hermit’ hacking tool was used to target Android and iOS users in Italy and Kazakhstan.