A hack-for-hire cyberespionage group named Bahamut is involved in advanced attacks targeting government officials and organizations with sophisticated credential harvesting attacks and phishing campaigns, new Windows malware samples, zero-day exploits, and other techniques.
BlackBerry researchers who have been tracking Bahamut say the group is politically motivated and has a wide range of targets. The group has historically targeted people and entities in South Asia, particularly India and Pakistan, as well as the Middle East, primarily the UAE and Qatar. Its interests remain concentrated in South Asia and the Persian Gulf, researchers report.
In its latest writeup, the BlackBerry team builds on research published in 2018 that references a group called "The White Company," explains vice president of research operations Eric Milam. Through this, they were able to connect more dots and add previous findings from other researchers who have tracked the group's activity. Bahamut, named by researchers with open source intelligence site Bellingcat, has also been called "Ehdevel," Windshift," and Urpage."
Despite its range of targets and attacks, a lack of discernible pattern or unifying motive leads researchers to believe Bahamut is likely acting as hack-for-hire operators. They believe the group has access to one zero-day developer and has leveraged zero-day exploits against multiple targets, "reflecting a skill-level well beyond most other known threat actor groups," researchers state in their report.
"Bahamut executed highly disparate targeting across a number of verticals and geographic regions, [which] suggests a mercenary, hack-for-hire group acting in the interest of multiple sponsors," says Milam. The varied nature of its activity indicates the group is likely for profit; some findings indicate it has dabbled in India's private corporate intelligence market, he says.
While Bahamut's activity in the Middle East has targeted private businesses and individuals, most of its attacks are aimed at government. In Saudi Arabia it went after seven different ministries and other agencies, with a focus on monetary and financial policy. It also targeted the Emirates, Qatar, Bahrain, and Kuwait, with an emphasis on foreign policy and defense.
BlackBerry did not list most of Bahamut's targets by name, though it provided a general list that includes Middle East human rights activists, the Saudi Minister of Energy, Union of Arab Banks, journalists and foreign press in Egypt, Saudi Aramco, and Turkish government officials.
While attribution is difficult, BlackBerry believes Bahamut is located close to the regions it's operating against and targeting people, businesses, government agencies, human rights groups, and political groups in South Asia and the Gulf, as well as in Europe, Africa, and China.
Inside Bahamut's Advanced Attacks
The group tailored its attacks for each target depending on the victim's preferred operating system and communication medium, Milam says. Its techniques depended on who they were trying to phish. Government officials, for example, were approached through their personal email before attackers tried to hack their work accounts.
"Their tradecraft is exceptional, meaning they truly have planned out each step and understand their capabilities and their targets," Milam says.
Phishing and credential harvesting are aimed at precise targets and fueled by a robust reconnaissance operation. Researchers discovered phishing attempts designed to spoof government agency logins, private email accounts, and account portals from Microsoft Live, Gmail, Apple ID, Yahoo!, Twitter, Facebook, Telegram, OneDrive, and ProtonMail.
Its spear-phishing operations ranged from a few hours to multiple months, depending on the success rates. This rate of change makes real-time detection "all but impossible," researchers state in their report. Bahamut learns from its mistakes: The group monitors for information published about them in the security community. When exposed, it changes its strategy quickly.
Attackers' operational security makes them difficult to track, Milam continues. The group's phishing and malware infrastructure is kept separate and changed weekly – sometimes daily. It's known to reuse tools and infrastructure of other APT groups and builds anti-analysis features into its exploits and shellcode.
Bahamut often uses publicly available malware, which also impedes attribution efforts, but Milam notes it mostly uses malware as a last resort. Malware can signal an attacker is in the network; the longer malware is on a system, the higher its chances of being detected.
"The attackers were often able to achieve what they wanted [get information] via legitimate credentials for online services," Milam says. "Once they had access to primary email accounts, they could generally watch and gain access to other systems or online portals of interest."
Fake Apps and Fake News
Bahamut's attacks in the Middle East take a broader approach with malicious mobile apps, which researchers say appear to be designed for general audiences. Fake apps targeting South Asia, however, were mostly politically themed and targeted groups such as Sikhs for Justice.
BlackBerry's research uncovered nine malicious iOS applications and several Android apps that experts attribute to the group based on configuration and unique network service fingerprints. The apps came with websites, privacy policies, and terms of service – all things attackers typically overlook – that researchers say helped bypass Apple's and Google's security defenses.
Several of these Android apps were built by different developers. They included an app for recording phone calls, music players, a video player, and an app for notifying Muslims of prayer times during Ramadan. Bahamut used several of its own websites to distribute malicious apps.
Researchers found the apps they investigated were intended for targets in the UAE, as their downloads were restricted to the Emirates. Further, Ramadan-themed apps, as well as those invoking the Sikh separatist movement, indicate intent to target political and religious groups.
Bahamut uses carefully crafted websites to distribute fraudulent news. In one case, attackers took over a cybersecurity website and published articles about research, geopolitics, and news about other hacking groups. This website posted a list of contributors that were fake but used names and photos belonging to real reporters. Some of its fake websites tried to boost their legitimacy with connected social media accounts.
In many cases, targets who read Bahamut's original websites would read original content – no malware, phishing, or malicious links. The operation was designed to tailor websites to their victims' interests and, in doing so, make them appear as real as possible. Bahamut's best interest, the researchers say, was to lure targets into its "vast fake empire."