Dark Basin and his brothers, the secrets of mercenary hackers

by ARTURO DI CORINTO for La Repubblica of 12 June 2020

The Dark Basin group has attacked environmentalists, journalists and financial realities. But they’re not the only ones who hack for a fee. It is a very crowded market

(La Repubblica)

The Dark Basin hacker group has hit journalists and environmentalists. Iranian cyber-attackers have targeted the Israeli water system and banking Trojans continue to target companies and small savers in Italy as well. But who is behind these attacks? Who are these mercenary hackers? Who pays them? It is a universe still to be discovered.

In recent days the Citizen Lab in Toronto has discovered a vast hacking operation against journalists, activists and financial institutions. They are not just any hackers, but “hacker to hire” and, according to the first reconstructions, they are said to be connected to an Indian security company, BellTroX. Their name is Dark Basin. The cybersecurity company NortonLifeLock (formerly Symantec), who conducted a parallel investigation into the case, called them “Mercenary.Amanda” and attributed about 1800 attacks on 200 distinct targets in the past three years, all listed on Github.

Who are the principals?

Dark Basini’s connections with BellTroX are evident. Meanwhile, BellTroX director Sumit Gupta has been indicted in California after an FBI investigation into a very similar story of hackers renting for email phishing campaigns; the time stamp of the emails is compatible with Indian working hours as discovered by the Electronic Frontier Foundation in a campaign aimed at supporters of Network Neutrality; the Url shortners, are all Indian. Finally, the hacker team left copies of the source code of their online phishing kit, probably to test it. It is a common practice among criminal hackers to submit malicious code to malware analysis services such as Virus Total to see if they are able to detect it. And if they succeed, they modify it until it becomes invisible. Also among the IPs used by rental hackers at least one was Indian. If that wasn’t enough, among the documents packaged for phishing, the CV of some BellTroX employees shortened with the shortners mentioned above was found. And then, incredible, but true, they published posts on social media that describe all these techniques to advertise and present themselves as ethical hackers and “Certified Ethical Hackers.” With the BellTroX’s slogan: “You desire it, we do it!” But ethical hackers — the real ones — don’t think so at all, on the contrary, they consider this behavior reprehensible.

But who are these mercenary hackers?

There are many types of hackers. Since its birth in the 1960s, the word hacker has taken on many meanings to identify different behaviors attributable to the concept of hacking but it is only on the basis of the purposes pursued that it is possible to distinguish between “ninja hacker” (mercenaries), “hacktivist” (computer activists), “bio-hackers” (those who modify biological and pharmacological molecules) or “growth hackers” (they deal with web marketing). Since the word entered criminological terminology, the connection between white hackers, that is, the good ones, and black ones, the bad ones, has been made by gray hackers, those who can slip from one side of the barricade to the other. An ethical hacker, one who assumes responsible disclosure of software flaws exploitable by criminals, is unlikely to become a thief. The ethical hacker by definition shares what he knows with everyone to favor the common good. In the case of Dark Basin it is believed that they are hired by private investigators and that their end customers are large companies and law firms that act, according to Bloomberg, under the guise of corporate intelligence.

What are their weapons?

Dark Basin’s hacking techniques are mainly based on phishing. The theft of credentials is obtained by using services that shorten the URLs, that is, the addresses of the websites, to bring the victims to clone sites from which to subtract the data of the unfortunate. But the peculiarity, according to the Citizen Lab, would be the detailed knowledge of the target, which is typically acquired with Open source intelligence (Osint) operations, that is, with the collection of information relating to the target from open sources: from media to social networks.

Phishing, doxxing and all other social engineering techniques that exploit the naive trust in others are almost always part of the hackers’ paraphernalia. And then there are the “software exploits”, ie tools used to delete entire databases and interfere with the normal functioning of a PC, up to trojan viruses and spyware to intercept communications and botnets to paralyze websites with DDoS (Distributed Denial of Service) attacks. But it is around the zero-day market, the vulnerabilities of software so called because companies have “zero days” to repair them before the criminals take advantage of it, that they have built real commercial realities. Among these, Zerodium, founded by Chaouki Bekrar, the first company to transform the hacking of the devices we use every day into a legal activity, with different fares for Android, Apple, Windows. Known as the Darth Vader of cyber security he is hated by ethical hackers and loved by authoritarian governments who are among his best customers. Finally, there is a whole galaxy of mercenaries who, as in the case of Iran, are recruited from time to time in universities and private enterprises to conduct APT attacks, that is, the advanced and persistent attacks of paramilitary groups that enter the systems of governments and multinationals to sabotage them.

Bug hunters

Along with hacker-for-hire groups, which have come to the fore with the illegal shops of the Dark Web, now closed, such as Hamsa and Silk Road, a legitimate hacking market is flourishing, and there are numerous communities around the world that dedicate themselves to improve the protection of our countries’ critical infrastructures. One of them is HackerOne, which has a Bug Bounty program, a sort of treasure hunt that rewards those who find flaws in the computer code. Note is the figure of Santiago Lopez, a twenty year old who in exchange for millionaire rewards has identified about 2000 operating flaws thanks to his collaboration with them; or Thomas DeVoss, one of the over five thousand hackers registered with HackerOne who have so far earned more than a million dollars for a few hours a day job.

The Hiver, on the other hand, is the hacker’s marketplace created by an enterprising and ruddy Israeli, Reuven Aronashvili, who, at the request of his customers, tests corporate defense through a sort of collective race. They use a sort of online video game that allows you to break up the task of analyzing bugs and errors by making the hackers participating in the attack work from all over the world in parallel. Those who succeed are paid. From being a marketplace of skills, it has become the gamification platform (or the transformation of a task into a playful activity) of cybersecurity among the most important in the world.

Teacher, journalist, hacktivist. Privacy advocate, copyright critic, free software fan, cybersecurity curious.