A hack-for-hire cyberespionage group named BAHAMUT is reportedly involved in advanced attacks targeting government officials and organisations with sophisticated credential harvesting attacks and phishing campaigns, new Windows malware samples, zero-day exploits, and other techniques.
In a security threat report, BlackBerry researchers link the cyberespionage threat group to a staggering number of ongoing attacks against government officials and industry titans, while also unveiling the group’s vast network of disinformation assets aimed at furthering particular political causes and hampering NGOs.
The BlackBerry security team builds on research published in 2018 that references a group called “The White Company.” The report, BAHAMUT: Hack-for-Hire Masters of Phishing, Fake News, and Fake Apps, provides new insights into the group and shows how it deployed a vast array of sophisticated disinformation campaigns.
BlackBerry’s Research & Intelligence Team found that BAHAMUT currently presides over a significant number of fake news entities – ranging from fraudulent social media personas to the development of entire news websites built to include disinformation – to both further certain causes and to gain information on high value targets.
“The sophistication and sheer scope of malicious activity that our team was able to link to BAHAMUT is staggering,” said Eric Milam, VP, Research Operations at BlackBerry.
“Not only is the group responsible for a variety of unsolved cases that have plagued researchers for years, but we also discovered that BAHAMUT is behind a number of extremely targeted and elaborate phishing and credential harvesting campaigns, hundreds of new Windows malware samples, use of zero-day exploits, anti-forensic/AV evasion tactics, and more.”
BlackBerry did not list most of BAHAMUT’s targets by name, but provided a general list that includes Middle East human rights activists, the Saudi Minister of Energy, Union of Arab Banks, journalists and foreign press in Egypt, Saudi Aramco, and Turkish government officials.
BlackBerry’s research uncovered nine malicious iOS applications and several Android apps that experts attribute to the group based on configuration and unique network service fingerprints. The apps came with websites, privacy policies, and terms of service – all things attackers typically overlook – that researchers say helped bypass Apple’s and Google’s security defences.
“This is an unusual group in that their operational security is well above average, making them hard to pin down,” Milam added.
“They rely on malware as a last resort, are highly adept at phishing, tend to aim for mobile phones of specific individuals as a way into an organization, show an exceptional attention to detail and above all are patient – they have been known to watch their targets and wait for a year or more in some cases.”
In some cases, the ‘news’ outlets BAHAMUT created were also accompanied by social media accounts and other websites to present a veneer of legitimacy.
The report uncovered nine malicious iOS applications available in the Apple App Store and an assortment of Android applications that are directly attributable to BAHAMUT based on configuration and unique network service fingerprints presented.
The applications were complete with well-designed websites, privacy policies and written terms of service – often overlooked by threat actors – which helped them bypass safeguards put in place by both Google and Apple.
Several of these Android apps were built by different developers. They included an app for recording phone calls, music players, a video player, and an app for notifying Muslims of prayer times during Ramadan. BAHAMUT used several of its own websites to distribute the malicious apps.
Those investigated by BlackBerry were determined to be intended for targets in the UAE, as downloads were region-locked to the Emirates. Additionally, Ramadan-themed applications, as well as those that invoked the Sikh separatist movement, indicate that BAHAMUT intended to target specific religious and political groups.
BAHAMUT Threat Report Additional Key Findings
Named by researchers for the open-source intelligence site Bellingcat, BAHAMUT leverages publicly available tools, imitates other threat groups and changes its tactics frequently, which has made attribution difficult in the past.
However, BlackBerry reports with high confidence that the threat group is behind exploits researched by over 20 different security companies and nonprofits under the names EHDEVEL, WINDSHIFT, URPAGE, THE WHITE COMPANY, and most significantly, the unnamed threat group in Kaspersky’s 2016 “InPage zero-day” research.
The report also made other significant observations regarding BAHAMUT, including:
- At least one zero-day developer reflects a skill-level beyond most other known threat actor groups today
- Use of phishing and credential harvesting is aimed at very precise targets, and concerted and robust reconnaissance operations are conducted on targets prior to attack
- Clustered targeting in South Asia and the Middle East lends credence to a “hacker for hire” operation
- A range of tools, tactics and targets suggests the group is well-funded, well-resourced and well-versed in security research
BlackBerry says it endeavoured to notify as many of the individual, governmental and corporate/non-profit targets as possible prior to the publication of the report.
The full report is available to read here.