Hackers for hire: the rise of the mercenary cyber criminal

A group of hired hackers has engaged in widespread illegal activity against a range of targets, understood to include Indian business executives and Saudi diplomats, in what looks to be a worrying new trend.

According to research published by software specialist BlackBerry Corporation, the group, known publicly as Bahamut (a mythical sea monster of Arab lore) highlights how cybersecurity researchers are increasingly finding evidence of mercenaries online.

BlackBerry’s vice president of research, Eric Milam, said the diversity of Bahamut’s activities was such that he assumed it was working for a range of different clients.

“There’s too many different things going on across too many different ranges and too many different verticals that it would be a single state,” Milam said ahead of the report’s release.

This is not the first time that cyber hired-hackers have come into focus. According to a June report by news agency Reuters, an obscure Indian IT firm called BellTroX offered its hacking services to help clients spy on more than 10,000 email accounts over seven years, including targeting prominent American investors.

Milam declined to comment on who he thought might be behind Bahamut, but he said he hoped the report would help to sharpen the focus on hackers-for-hire.

BlackBerry did not name any of Bahamut’s targets directly, but researchers have previously publicly identified Middle Eastern human rights activists, Pakistani military officials, and Gulf Arab businessmen as being in the group’s crosshairs, according to reports.

“The sophistication and sheer scope of malicious activity that our team was able to link to Bahamut is staggering,” said Eric Milam, vice president, research operations at BlackBerry. “Not only is the group responsible for a variety of unsolved cases that have plagued researchers for years, but we also discovered that Bahamut is behind a number of extremely targeted and elaborate phishing and credential harvesting campaigns… use of zero-day exploits, and more.”

The report also made other significant observations regarding Bahamut, including:

  • At least one zero-day developer reflects a skill-level beyond most other known threat actor groups today
  • Use of phishing and credential harvesting is aimed at very precise targets, and concerted and robust reconnaissance operations are conducted on targets prior to attack
  • Clustered targeting in South Asia and the Middle East lends credence to a “hacker for hire” operation
  • A range of tools, tactics and targets suggests the group is well-funded, well-resourced and well-versed in security research

The full report can be accessed here: http://www.blackberry.com/bahamut-report