Tucked in a small office at Netaji Subhash Place in Shakurpur area of East Delhi, an obscure IT company BellTroX InfoTech Services has targeted thousands of powerful individuals and organisations on six continents, creating ripples among the powers-that-be.
Although Citizen Lab, a laboratory based at the Munk School of Global Affairs and Public Policy of the University of Toronto which broke the story first, will further provide a comprehensive overview of certain targets and technical indicators in days to come, the ‘hack-for-hire’ firm has created ripples among the advocacy groups and journalists, elected and senior government officials, hedge funds and multiple industries.
How did a small Delhi firm able to execute such a big cyber heist?
Nicknamed ‘Dark Basin,’ the multi-year investigation found that ‘BellTroX’, owned by Sumit Gupta who was indicted in California in 2015 for his role in a similar hack-for-hire scheme, conducted commercial espionage on behalf of their clients against opponents involved in high-profile public events, criminal cases, financial transactions, news stories, and advocacy.
The story goes back to 2017 when a journalist who had been targeted with phishing attempts contacted Citizen Lab and asked if they could investigate.
The research team linked the phishing attempts to a custom URL shortener, which the operators used to disguise the phishing links.
Citizen Lab subsequently discovered that this shortener was part of a larger network of custom URL shorteners operated by a single group now called ‘Dark Basin’.
“Because the shorteners created URLs with sequential shortcodes, we were able to enumerate them and identify almost 28,000 additional URLs containing e-mail addresses of targets,” says Citizen Lab.
The team used open source intelligence techniques to identify hundreds of targeted individuals and organizations, yielding several clusters of interest, including two clusters of advocacy organizations in the US working on climate change and net neutrality.
Dark Basin’s targets were often on only one side of a contested legal proceeding, advocacy issue or business deal.
The timings of sending phishing emails were consistent with working hours in India’s time zone.
Additionally, ‘Dark Basin’ left copies of their phishing kit source code available openly online, as well as log files showing testing activity.
The logging code invoked by the phishing kit recorded timestamps in India time zone, and log files show that Dark Basin appeared to conduct some testing using “an IP address in India”.
Citizen Lab collaborated with consumer cybersecurity brand NortonLifeLock and unearthed numerous technical links between the campaigns and individuals associated with BellTroX.
“In at least one case, Dark Basin repurposed a stolen internal email to re-target other individuals. This incident led us to conclude that Dark Basin had some success in gaining access to the email accounts of one or more advocacy groups,” said the report.
BellTroX employees sent phishing emails masquerading as targets’ colleagues and friends. The individuals that Dark Basin chose to target showed that it had a deep knowledge of informal organizational hierarchies (masquerading as individuals with greater authority than the target).
“We concluded that Dark Basin operators were likely provided with detailed instructions not only about whom to target, but what kinds of messages specific targets might be responsive to,” the report noted.
Citizen Lab says they do not have strong evidence pointing to the party commissioning them and is not conclusively attributing Dark Basin’s phishing campaign against these organizations to a particular Dark Basin client at this time.
“That said, the extensive targeting of American nonprofits exercising their first amendment rights is exceptionally troubling,” it added.