Ride the Lightning

Cybersecurity and Future of Law Practice Blog
by Sharon D. Nelson Esq., President of Sensei Enterprises, Inc.

Dark Basin: A Massive Hacking-for-Hire Operation

June 11, 2020

No, it's not a movie plot. But no doubt it will be. Thanks to Dave Ries for passing along the information below.

The Dark Basin story was covered by the New York Times and CyberScoop. The underlying report from The Citizen Lab may be found here.

As the New York Times noted, three years ago, several environmental groups noticed that they had been receiving suspicious emails with fake Google News articles and other links related to their climate-change campaign against ExxonMobil. The phishing emails came from accounts that impersonated their own colleagues and lawyers.

These emails resulted in a federal criminal investigation into a very large hacking-for-hire operation that for years has targeted the email accounts of government officials, journalists, banks, environmental activists and other individuals.

Prosecutors are investigating the hackers behind the operation and who engaged them. ExxonMobil has not been accused of any wrongdoing.

All of the above information was released on June 9 in a report by Citizen Lab, a cybersecurity watchdog group at the University of Toronto. The report said that thousands of people on six continents had been targeted by phishing emails for at least four years in the same operation.

Citizen Lab has provided its information to federal prosecutors in Manhattan to assist them in their criminal investigation. The investigation, along with Citizen Lab's findings, reveals a hacker-for-hire industry used by individuals and companies to target the email accounts of those they regard as adversaries.

The scale of the operation is massive. The phishing emails were sent to many targets, including government officials, pharmaceutical companies, law firms, hedge funds, banks, nonprofits and even people involved in divorce proceedings. Note here that law firms were specifically mentioned as a target.

Citizen Lab's report concluded with "high confidence" that the operation was carried out by a company in India, which the report said advertised "ethical hacking" services on its website and in social media.

Hacking companies based overseas are frequently hired through a series of intermediaries, such as law firms and private investigators, to mask the ultimate clients and give them plausible deniability, the Citizen Lab report said. Note here that law firms are allegedly involved in the hiring of hacking companies.

The targets of the hacking were often "on one side of a contested legal proceeding, advocacy issue or business deal," suggesting the hackers had been hired by customers seeking to collect information and private emails from their adversaries in criminal cases, financial transactions and other high-profile events, the report said.

The operation is believed to still be active. One of the most troubling findings was that phishing emails had been sent to dozens of journalists in the United States and around the world in what appears to be an attempt to discern their sources.

Citizen Lab, which has helped victims of digital surveillance, began its investigation in 2017 after a journalist received a suspicious email and brought it to the group's attention. Citizen Lab's report said a large group of targets in the hacking campaign were American nonprofit groups that had been fighting publicly with ExxonMobil for years over whether the oil company tried to mislead the public about climate science, which the company has denied.

The targeted organizations included the Rockefeller Family Fund, the Climate Investigations Center and Greenpeace. The report could not say for sure if the hackers had successfully broken into their networks.

A spokesman for ExxonMobil said in a statement that the company "has no knowledge of, or involvement in, the hacking activities outlined in Citizen Lab's report."

From the Citizen Lab report (emphasis added): "Lawyers were heavily represented in Dark Basin targeting. We found targeted individuals in many major US and global law firms. Lawyers working on corporate litigation and financial services were disproportionately represented, with targets in many countries including the US, UK, Israel, France, Belgium, Norway, Switzerland, Iceland, Kenya, and Nigeria."

Citizen Lab gave the name Dark Basin to the hack-for-hire group, which has targeted thousands of individuals and hundreds of institutions on six continents, including senior politicians, government prosecutors, CEOs, journalists, and human rights defenders. With high confidence, the report links Dark Basin to BellTroX InfoTech Services ("BellTroX"), an India-based technology company, and related entities.

Beyond the ExxonMobil activities noted above, the report also identifies Dark Basin as the group behind the phishing of organizations working on net neutrality advocacy, previously reported by the Electronic Frontier Foundation.

While Citizen Lab initially thought that Dark Basin might be state-sponsored, the targets soon made it clear that Dark Basin was more likely a hack-for-hire operation. Dark Basin's targets were often on only one side of a contested legal proceeding, advocacy issue, or business deal.

BellTroX's director, Sumit Gupta, was indicted in California in 2015 for his role in a similar hack-for-hire operation.

Full details of Citizen Lab's discoveries regarding BellTroX are given in the report. BellTroX and its employees appear to use euphemisms for advertising their services online, including "Ethical Hacking" and "Certified Ethical Hacker." BellTroX's slogan is: "you desire, we do!"

On June 7, Citizen Lab observed that the BellTroX website began serving an error message. It also observed that postings and other materials linking BellTroX to the hacking operations were recently deleted.

Obviously, what struck me was that law firms were clearly targeted, likely some of them successfully. If law firms were involved as alleged in being intermediaries for hiring those operating Dark Basin, that is very disturbing on many levels. I am sure there is much more to come on this story – including the movie I referenced in the beginning of this post. You don't often get handed a ready-made script like this one.

Sharon D. Nelson, Esq., President, Sensei Enterprises, Inc.
3975 University Drive, Suite 225 | Fairfax, VA 22030
Phone: 703-359-0700
Digital Forensics/Cybersecurity/Information Technology
https://senseient.com
https://twitter.com/sharonnelsonesq
https://www.linkedin.com/in/sharondnelson
https://amazon.com/author/sharonnelson