For more than five years, a group of cyber mercenaries has largely escaped notice while successfully breaking into high-profile targets, according to new research from Trend Micro.
In a briefing paper published last week, Feike Hacquebord, senior threat researcher at Trend Micro, details the activities of the group he has dubbed Void Balaur. Those activities consist mainly of cyber espionage and data theft across several countries. Although the group relied mostly on classic phishing attacks and “seemingly simple” malware such as Z*Stealer and DroidWatcher, it still managed to claim more than 3,500 victims.
Trend Micro is the first to give a fuller picture of this cybermercenary group, which it suspects has been active since 2015. Amnesty International (in 2020) and Deflect Labs (in 2019) had already published partial findings; both reported on incidents in Uzbekistan targeting journalists and civil rights activists.
After a year-long investigation, Trend Micro researchers found that the range of targets was far wider than previously reported, including Russian medical insurance organizations and in vitro fertilization clinics, ATM manufacturers and mobile telecom operators. According to Feike Hacquebord, the medical targets are not surprising given the amounts of money and personal information involved.
Although the group includes a Russian-speaking threat actor known by the pseudonym Rockethack, Feike Hacquebord considers it unlikely that Void Balaur is directly linked to a state. With targets spread across multiple countries, including Russia, Trend Micro attributes these activities to cyber mercenaries working for paying customers.
For the attacks on Uzbekistan-linked media and civil rights activists, which began in 2016, Trend Micro researchers found that a customer was able to buy the mercenary group’s services even before the group began actively advertising on forums frequented by cybercriminals: “It shows that Void Balaur is committed to long-term campaigns, which we’ve seen for other targets as well,” says Feike Hacquebord.
Perhaps more concerning still is Void Balaur’s primary goal: “Void Balaur preys on the most private and personal data of businesses and individuals, then sells it to whoever will pay for it.”
Trend Micro has not determined how the group managed to “gather such a wide range of information, especially with regard to telecommunications data”. With that data, Void Balaur could sell call detail records enriched with geolocation, revealing who called whom, when, for how long and from where. Analysts suspect that either telecom engineers or the operators’ systems themselves have been compromised.
Feike Hacquebord told our colleagues at SearchSecurity (TechTarget Group) that it is difficult to calculate the group’s exact success rate, but he added that the customer feedback he has observed on underground forums is very positive.
He attributes this success largely to social engineering: he has observed no new vulnerabilities or zero-days, and has mainly studied the group’s phishing campaigns. The report notes that the group breaks into accounts at email and social media providers. In some cases, Feike Hacquebord found that Void Balaur could “deliver full copies of stolen mailboxes without any user interaction for a higher price”.
In a blog post, Trend Micro points out that “this last point is particularly interesting because it would take unusual circumstances, such as internal complicity or the compromise of an email provider’s system, to be able to offer private data without interaction with the user”.
Feike Hacquebord noted another characteristic of Void Balaur: patience. The group can stay focused on a single target for a very long time. But according to him, there were also periods when Void Balaur targeted no one at all, which may help explain how it stayed under the radar.
Uncovering the details of Void Balaur was not an easy task for Trend Micro researchers. The initial lead came from a longtime target of Pawn Storm, another name for the Russian cyber espionage group Fancy Bear. The target’s wife had received a dozen phishing emails in her Gmail account. Since those emails carried no Fancy Bear indicators, Trend Micro was able to link them to the cybermercenary group instead.
However, according to Feike Hacquebord, during the first six months Trend Micro collected only four or five indicators. It took long-running monitoring to get further, and in particular to discover targets among the vendor’s own customers.
“But we weren’t able to go beyond that to get really in-depth information,” Feike Hacquebord told SearchSecurity.
It was in the fall of 2020 that the investigation opened up: “In October of last year, someone used a client’s device to access dashboards used by Void Balaur to send emails, add targets, delete them, review activity logs and test phishing links. And then in December, they started again. They weren’t protected by any apps, so we could access them as well.”
With this greater knowledge of Void Balaur, Trend Micro has determined that the group has the tools and resources to attack “high profile targets”.
The vendor urges companies to implement detection and protection measures against Void Balaur. In addition to practical measures such as two-factor authentication, deleting old messages and encrypting the hard drives of all machines, Feike Hacquebord points out that Trend Micro lists more than 4,000 technical indicators of compromise, which companies can download and match against their own logs.
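Downloading an indicator list is only useful if it is actually checked against what the organization's own systems have seen. The following is an added example, not Trend Micro code or the format of its indicator list: it parses a constructed CSV feed of domains, IP addresses and SHA-256 hashes and scans constructed web-proxy and mail-gateway log lines for hits. The feed columns, domain names, addresses, hashes and log layout are all hypothetical. Two details matter in practice and are handled here: a domain indicator should also match its subdomains (the phishing host in the log is a subdomain of the listed domain), and indicator values should be normalized (case, trailing dot) before comparison so that a formatting difference does not hide a match.

```python
"""Scan constructed log lines against a constructed indicator feed.

Added example, not Trend Micro code. Feed format, indicator values and log
lines are hypothetical and embedded inline so the script runs offline.
"""
import csv
import hashlib
import io
import re
from typing import Dict, List, Optional, Set
from urllib.parse import urlsplit

# Constructed "malicious" attachment so the hash indicator is self-consistent.
SAMPLE_ATTACHMENT = b"constructed malicious attachment bytes"
SAMPLE_SHA256 = hashlib.sha256(SAMPLE_ATTACHMENT).hexdigest()

# Constructed indicator feed (hypothetical CSV layout: type,value).
# Deliberately mixed case and a trailing dot to exercise normalization.
IOC_FEED = f"""type,value
domain,login-secure-mail.example
domain,ACCOUNTS-VERIFY.EXAMPLE.
ip,203.0.113.77
sha256,{SAMPLE_SHA256.upper()}
"""

# Constructed log lines: proxy entries carry url=, mail entries carry
# attachment_sha256=. Timestamps and addresses are invented.
LOG_LINES = [
    "2020-10-14T09:12:03Z proxy src=10.0.0.5 url=https://mail.login-secure-mail.example/signin?u=abc status=200",
    "2020-10-14T09:13:10Z proxy src=10.0.0.6 url=https://www.example.org/ status=200",
    "2020-12-02T18:01:44Z proxy src=10.0.0.9 url=http://203.0.113.77/track.php status=302",
    f"2020-12-02T18:02:01Z mail src=10.0.0.9 rcpt=user@corp.example attachment_sha256={SAMPLE_SHA256}",
    "2020-12-02T18:03:30Z mail src=10.0.0.10 rcpt=other@corp.example attachment_sha256=" + "0" * 64,
]

KV_RE = re.compile(r"(\w+)=(\S+)")


def normalize_domain(name: str) -> str:
    """Lower-case and strip the trailing dot so feed and log values compare equal."""
    return name.strip().rstrip(".").lower()


def parse_iocs(feed: str) -> Dict[str, Set[str]]:
    """Load the CSV feed into normalized sets keyed by indicator type."""
    iocs: Dict[str, Set[str]] = {"domain": set(), "ip": set(), "sha256": set()}
    for row in csv.DictReader(io.StringIO(feed)):
        kind = row["type"].strip().lower()
        value = row["value"].strip()
        if kind == "domain":
            iocs["domain"].add(normalize_domain(value))
        elif kind == "sha256":
            iocs["sha256"].add(value.lower())
        elif kind == "ip":
            iocs["ip"].add(value)
    return iocs


def domain_hit(host: str, domains: Set[str]) -> Optional[str]:
    """Return the listed domain that equals host or is a parent of it.

    Walks from the full host up to the registrable part, so
    mail.evil.example matches an indicator for evil.example. The bare
    TLD is never tried, to avoid matching everything.
    """
    labels = normalize_domain(host).split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return None


def scan_line(line: str, iocs: Dict[str, Set[str]]) -> List[dict]:
    """Extract key=value fields from one log line and report indicator hits."""
    fields = dict(KV_RE.findall(line))
    ts = line.split(" ", 1)[0]
    hits: List[dict] = []
    url = fields.get("url")
    if url:
        host = urlsplit(url).hostname or ""
        if host in iocs["ip"]:
            hits.append({"ts": ts, "src": fields.get("src"), "type": "ip", "ioc": host})
        else:
            listed = domain_hit(host, iocs["domain"])
            if listed:
                hits.append({"ts": ts, "src": fields.get("src"), "type": "domain",
                             "ioc": listed, "observed": host})
    digest = fields.get("attachment_sha256")
    if digest and digest.lower() in iocs["sha256"]:
        hits.append({"ts": ts, "src": fields.get("src"), "type": "sha256",
                     "ioc": digest.lower()})
    return hits


def scan(lines: List[str], feed: str) -> List[dict]:
    """Scan every line against the feed and return all hits in log order."""
    iocs = parse_iocs(feed)
    hits: List[dict] = []
    for line in lines:
        hits.extend(scan_line(line, iocs))
    return hits


if __name__ == "__main__":
    for hit in scan(LOG_LINES, IOC_FEED):
        print(hit)
```

Run as a script it prints one hit per matching line; in practice the feed would be the downloaded indicator list and the log lines would be streamed from the proxy, DNS resolver or mail gateway, with the same normalization applied to both sides.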