- Google Threat Analysis Group (TAG) exposed hack-for-hire groups operating in Russia, India and the United Arab Emirates (UAE), in a blog post released Thursday.
- Hack-for-hire adversaries, which focus on exfiltrating data and on compromising accounts, conduct corporate espionage and target high risk users, including human rights organizations, political activists, journalists and others operating in sensitive online spaces.
- Hack-for-hire groups often work with third-party investigative services or other outside contractors.
Hack-for-hire groups use various methods to pursue their targets, with some openly advertising their services, while other groups solicit business with a more select group of potential clients, according to researchers.
TAG tracked a group of India-based threat actors, some of them with prior experience inside offensive security firms, including Appin and Belltrox. Researchers have linked the former employees to a new firm called Rebsec, which openly advertises corporate espionage.
One set of actors launched credential phishing campaigns against targets in Saudi Arabia, the UAE and Bahrain, with a particular focus on government, telecom and health care. The activity has focused on compromising Google, Amazon Web Services accounts and in some cases specific government agencies.
The Russia-linked group, known as Void Balaur, was discovered while investigating a 2017 campaign against a journalist. The threat actor was seen targeting other journalists, nongovernmental organizations (NGOs), nonprofits and politicians.
Among the lures used by the attackers include fake Gmail accounts or spoofed Russian government websites. After compromising a targeted account, the adversary used an OAuth token to a legitimate application, such as Thunderbird, according to researchers. Alternatively, the attackers generated an app password via IMAP. The group has targeted Gmail, Hotmail and Yahoo accounts.
The UAE-based threat actors have mainly targeted Middle East and North African targets, including government organizations, NGOs or education providers. The adversary has targeted the Palestinian Fatah party and European-based NGOs focused on Middle East affairs.
The actor uses a custom phishing kit, which includes an automated web browser suite called Selenium. The group is also linked to the original H-Worm developers, the subjects of a 2014 Microsoft lawsuit.
Websites and domains linked to these actors have been added to safe browsing. The CyberCrime Investigation Group has shared information and indicators of compromise with law enforcement.