Hacker-for-Hire Group Spied on More Than 3,500 Targets in 18 Months

Russian-speaking "Void Balaur" group's victims include politicians, dissidents, human rights activists, doctors, and journalists, security vendor discloses at Black Hat Europe 2021.

A Russian-speaking hacker-for-hire group has been quietly spying on thousands of individuals and organizations worldwide and selling highly private information about them to various customers, motivated by financial gain and by politically driven agendas.

Researchers from Trend Micro who have been tracking the cyber-mercenary group's activities have called it Void Balaur after a legendary multiheaded creature in Eastern European folklore. In a report at the Black Hat Europe 2021 conference this week, the researchers described the group as being active likely as early as September 2015.

Void Balaur's services have included breaking into and stealing data from email accounts and acquiring and selling a wide range of sensitive personal data belonging to targeted individuals. Information that the group has acquired and sold to its customers includes passport details, SMS messages, phone call records (including cell tower log data), caller information and location, information about purchased tickets for plane and train rides across borders, traffic camera shots, Interpol records, and credit reports.

Targets have included politicians, human rights activists, dissidents, scientists, doctors, journalists, and engineers. Trend Micro's research shows that over a period of 18 months, Void Balaur has stolen data from more than 3,500 targets, some of whom experienced long-lasting and repeated attacks. Among the victims were politicians in Uzbekistan and Belarus as well as other countries, including Ukraine, Russia, Norway, France, Italy, and Armenia.

Trend Micro said it had been able to link the threat actor to attacks in Uzbekistan that Amnesty International had reported on last year as having a serious impact on the lives of some individuals in that country. Some victims felt so threatened by Void Balaur's activities that they left their country and went into exile in other countries, Trend Micro said.

"We consider Void Balaur as a cyber mercenary that can be potentially hired by anyone," says Feike Hacquebord, senior threat researcher at Trend Micro and author of the Trend Micro report. The targets of Void Balaur are varied, he says. "A target could be a local shop in Moscow, a fashion designer in New York, a high-profile journalist, a medical doctor in Ukraine, a veterinary scientist in India, a medical scientist in Brazil, a military mercenary in South Africa, or a politician who saw no other option than go into exile abroad."

Hacquebord says that Trend Micro has been unable to identify the threat group's customers. Some of them appear to be members of underground forums — such as Probiv, Darkmoney, and Tenec — that trade in all sorts of stolen data and credentials. However, it's unlikely that these members represent the bulk of the threat group's customers. "Void Balaur [has been] active in underground forums like Probiv [only] since 2018, while we could track activities back to 2015," Hacquebord says. "This shows that prolific customers found their way to Void Balaur, even before they were active in underground forums." 

Group's Tactics, Techniques, and Procedures Are Unclear
Trend Micro researchers have so far been unable to identify exactly how Void Balaur's members have managed to access some of the data they have made available for sale over the past few years. For example, while in some instances the group appears to have accessed email accounts via credential phishing and zero-click zero-day exploits, in other cases it seems to have acquired copies of mailboxes without any user interaction. Possible explanations include key employees at some email providers knowingly selling the data, or the compromise of accounts belonging to key employees with access to the targeted mailboxes. Another scenario is that the threat actor compromised the account of law enforcement personnel with legal access to the mailboxes in question, or that the email provider's systems themselves were breached.

Similarly, it's unclear how Void Balaur has been able to obtain sensitive and complete call records, with and without cell tower information. Trend Micro theorized that members of the group may have bribed insiders at telecom companies for the data. Another possibility is that the threat actor managed to compromise accounts belonging to key management personnel and engineers at major telecom companies. Data that Trend Micro analyzed, for instance, showed that Void Balaur at various times targeted the deputy director of a Russian telecom company; senior network engineers at telecom companies in the US, UK, and Russia; and the networks of a manufacturer of cellular equipment in Russia and a radio navigation company in the same country.

Other organizations that have been targeted include mobile companies, cellular equipment vendors, satellite communication companies, ATM manufacturers, point-of-sale system vendors, financial companies, and biotechnology firms.

Feedback about the group in underground forums has been uniformly positive, Hacquebord says. Several customers have described Void Balaur as being very quick to deliver information to them. However, some campaigns that Trend Micro has tracked show the group has also engaged in extended operations that target one specific organization or group of organizations over a long period.

"For example, for one particular oligarch, we have seen that the CEOs of his companies, his family members, and his board members were targeted over more than one year," Hacquebord says. In one other case, the threat group targeted the former head of an intelligence agency and then later several ministers and parliament members of the government of the same country. A few weeks later, the lawyer of the former intelligence head and even the judge who ruled over an alleged corruption case were targeted as part of the same operation. "In other words, some campaigns are very long and involve multiple targets," Hacquebord says.

For enterprise organizations, the main takeaway is that their employees could well become the target of a cyber mercenary via their private or corporate email accounts. As Void Balaur has demonstrated, such groups can be persistent and attack over a lengthy period. "Defending against a cyber mercenary is both easy and difficult," Hacquebord notes. It's easy when enterprises follow basic cyber-hygiene practices such as using only reputable email providers, using two-factor authentication, implementing end-to-end encryption, and deleting old data and messages that are no longer used.

"However," he adds, "this general advice is not enough to defend against zero-days and cyber mercenaries that are somehow able to get sensitive information [from] service providers."

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...
