The latest research of BlackBerry Limited discovered how Bahamut, an elusive and persistent group of threat actors, has been launching attacks against government officials and industry titans, while also unveiling the group’s vast network of disinformation assets aimed at furthering particular political causes and hampering non-profits.
The report “Bahamut: Hack-for-Hire Masters of Phishing, Fake News and Fake Apps” provides new insights into the group, and shows how it deployed a vast array of sophisticated disinformation campaigns. BlackBerry’s Research and Intelligence Team found that Bahamut currently presides over a significant number of fake news entities – ranging from fraudulent social media personas to the development of entire news websites built to include disinformation – to both further certain causes and to gain information on high-value targets.
“The sophistication and sheer scope of malicious activity that our team was able to link to Bahamut are staggering,” said Eric Milam, VP, Research Operations at BlackBerry. “Not only is the group responsible for a variety of unsolved cases that have plagued researchers for years, but we also discovered that Bahamut is behind a number of extremely targeted and elaborate phishing and credential harvesting campaigns, hundreds of new Windows malware samples, use of zero-day exploits, anti-forensic/AV evasion tactics, and more.”
The report also highlights increased targeting on mobile devices and how the group has published over a dozen applications in the Google Play and the Apple iOS App Stores, as well as the highly patient approach Bahamut takes in compromising their targets. Importantly, despite the range of targets and attacks, the lack of discernable pattern or unifying motive moved BlackBerry to confirm the group is likely acting as Hack-for-Hire mercenaries.
“This is an unusual group in that their operational security is well above average, making them hard to pin down,” Milam added. “They rely on malware as a last resort, are highly adept at phishing, tend to aim for mobile phones of specific individuals as a way into an organization, show exceptional attention to detail and above all are patient – they have been known to watch their targets and wait for a year or more in some cases.”
Perhaps the most distinctive aspect of Bahamut’s tradecraft that BlackBerry discovered is the group’s use of original, painstakingly crafted websites, applications, and personas. In at least one example, the group took over the domain of what was originally an information security news website and began pushing out content focused on geopolitics, research, industry news about other hack-for-hire groups, and a list of “contributors” that were fake — but which used the names and photos of real journalists (including local U.S. news anchors) to appear legitimate. In some cases, the ‘news’ outlets Bahamut created were also accompanied by social media accounts and other websites to present a veneer of legitimacy.
The report uncovered nine malicious iOS applications available in the Apple App Store and an assortment of Android applications that are directly attributable to Bahamut based on configuration and unique network service fingerprints presented.Tweet
The applications were complete with well-designed websites, privacy policies, and written terms of service – often overlooked by threat actors – which helped them bypass safeguards put in place by both Google and Apple.
Those investigated by BlackBerry were determined to be intended for targets in the United Arab Emirates as downloads were region-locked to the Emirates. Ramadan-themed applications as well as those that invoked the Sikh separatist movement indicate that Bahamut had the intent to target specific religious and political groups.