Google TAG Exposes Hack-for-Hire Groups Targeting Activists and Sensitive Data

This audio is generated automatically. Please let us know if you have any feedback.

Dive Summary:

  • Google Threat Analysis Group (TAG) exposed for-hire hacking groups operating in Russia, India and the United Arab Emirates (UAE), in a blog post published on Thursday.
  • Hacking-for-hire adversaries, who focus on data exfiltration and account compromise, conduct corporate espionage activities and target high-risk users, including advocacy organizations rights, political activists, journalists and others operating in sensitive online spaces.
  • Hacking-for-hire groups often work with third-party investigative services or other outside contractors.

Overview of the dive:

Hack-for-hire groups use a variety of methods to pursue their targets, with some openly advertising their services, while other groups solicit business from a more select group of potential customers, researchers say.


TAG tracked a group of India-based threat actors, some of them with previous experience at offensive security companies, including Appin and Belltrox. The researchers linked the former employees to a new company called Rebsec, which openly advertises corporate espionage.

A group of actors launched credential phishing campaigns against targets in Saudi Arabia, the United Arab Emirates and Bahrain, with a focus on government, telecommunications and healthcare. The activity focused on compromising accounts of Google, Amazon Web Services and, in some cases, specific government agencies.

The Russia-linked group, known as Void Balaur, was discovered while investigating a 2017 campaign against a journalist. The threat actor was seen targeting other journalists, non-governmental organizations (NGOs), non-profit organizations and politicians.

Among the decoys used by attackers are fake Gmail accounts or spoofed Russian government websites. After compromising a targeted account, the adversary used an OAuth token for a legitimate application, such as Thunderbird, researchers say. Alternatively, the attackers generated an app password via IMAP. The group targeted Gmail, Hotmail and Yahoo accounts.

UAE-based threat actors have primarily targeted targets in the Middle East and North Africa, including government organizations, NGOs, or education providers. The adversary has targeted the Palestinian Fatah party and European-based NGOs that focus on Middle East affairs.

The actor uses a custom phishing kit, which includes an automated web browser suite called Selenium. The group is also related to the original developers of H-Worm, the subjects of a year 2014 Microsoft lawsuit.

Websites and domains related to these actors have been added to Safe Browsing. The Cybercrime Investigation Group shared information and indicators of compromise with law enforcement.

Leave a Comment