BlackBerry has released new research highlighting the true reach and sophistication of one of the most elusive, patient, and effective publicly known threat actors – BAHAMUT. In the report, BlackBerry researchers link the cyberespionage threat group to a staggering number of ongoing attacks against government officials and industry titans, while also unveiling the group’s vast network of disinformation assets aimed at furthering particular political causes and hampering NGOs.
The report, BAHAMUT: Hack-for-Hire Masters of Phishing, Fake News, and Fake Apps, provides new insights into the group, and shows how it deployed a vast array of sophisticated disinformation campaigns. BlackBerry’s Research & Intelligence Team found that BAHAMUT currently presides over a significant number of fake news entities – ranging from fraudulent social media personas to the development of entire news websites built to include disinformation – to both further certain causes and to gain information on high value targets.
“The sophistication and sheer scope of malicious activity that our team was able to link to BAHAMUT is staggering,” said Eric Milam, VP, Research Operations at BlackBerry. “Not only is the group responsible for a variety of unsolved cases that have plagued researchers for years, but we also discovered that BAHAMUT is behind a number of extremely targeted and elaborate phishing and credential harvesting campaigns, hundreds of new Windows malware samples, use of zero-day exploits, anti-forensic/AV evasion tactics, and more.”
The report also highlights increased targeting on mobile devices and how the group has published over a dozen applications in the Google Play and the Apple iOS App Stores, as well as the highly patient approach BAHAMUT takes in compromising their targets. Importantly, despite the range of targets and attacks, the lack of discernable pattern or unifying motive moved BlackBerry to confirm the group is likely acting as Hack-for-Hire mercenaries.
“This is an unusual group in that their operational security is well above average, making them hard to pin down,” Milam added. “They rely on malware as a last resort, are highly adept at phishing, tend to aim for mobile phones of specific individuals as a way into an organization, show an exceptional attention to detail and above all are patient – they have been known to watch their targets and wait for a year or more in some cases.”
Perhaps the most distinctive aspect of BAHAMUT’s tradecraft that BlackBerry discovered is the group’s use of original, painstakingly crafted websites, applications and personas. In at least one example, the group took over the domain of what was originally an information security news website and began pushing out content focused on geopolitics, research, industry news about other hack-for-hire groups, and a list of “contributors” that were fake – but which used the names and photos of real journalists (including local U.S. news anchors) to appear legitimate. In some cases, the ‘news’ outlets BAHAMUT created were also accompanied by social media accounts and other websites to present a veneer of legitimacy.
The report uncovered nine malicious iOS applications available in the Apple App Store and an assortment of Android applications that are directly attributable to BAHAMUT based on configuration and unique network service fingerprints presented. The applications were complete with well-designed websites, privacy policies and written terms of service – often overlooked by threat actors – which helped them bypass safeguards put in place by both Google and Apple.
Those investigated by BlackBerry were determined to be intended for targets in the UAE as downloads were region-locked to the Emirates. Additionally, Ramadan-themed applications as well as those that invoked the Sikh separatist movement indicate that BAHAMUT had intent to target specific religious and political groups.
Named by researchers for the open-source intelligence site Bellingcat, BAHAMUT leverages publicly available tools, imitates other threat groups and changes its tactics frequently, which has made attribution difficult in the past. However, BlackBerry reports with high confidence that the threat group is behind exploits researched by over 20 different security companies and nonprofits under the names EHDEVEL, WINDSHIFT, URPAGE, THE WHITE COMPANY, and most significantly, the unnamed threat group in Kaspersky’s 2016 “InPage zero-day” research.
The report also made other significant observations regarding BAHAMUT, including:
- At least one zero-day developer reflects a skill-level beyond most other known threat actor groups today.
- Use of phishing and credential harvesting is aimed at very precise targets, and concerted and robust reconnaissance operations are conducted on targets prior to attack.
- Clustered targeting in South Asia and the Middle East lends credence to a “hacker for hire” operation.
- A range of tools, tactics and targets suggests the group is well-funded, well-resourced and well-versed in security research.
BlackBerry endeavored to notify as many of the individual, governmental and corporate/nonprofit targets as possible prior to the publication of the report.