Google Blocks Domains of Hack-for-Hire Groups in Russia, India, UAE

A blog post published by Google’s Threat Analysis Group on Thursday describes the activities of hack-for-hire gangs in Russia, India and the United Arab Emirates.

The internet giant has added more than 30 domains used by these threat groups to its Safe Browsing mechanism, which prevents users from accessing them.

Hack-for-hire groups are often conflated with entities offering surveillance tools. Google has pointed out that surveillance vendors typically provide the tools needed for spying but leave it up to the end user to operate them, while hack-for-hire groups conduct the attacks themselves.

Several hack-for-hire groups have been identified in recent years. Google’s analysis focuses on three groups believed to be operating out of India, Russia and the UAE.

The threat actor linked to India has been tracked by Google since 2012, with some of its members believed to have previously worked for offensive security providers. They now appear to be working for Rebsec, a new company that openly advertises corporate espionage services.

The group has been spotted targeting healthcare, government and telecom organizations in the Middle East, with attempts to phish credentials for AWS, Gmail and government services accounts.

The Russia-linked threat actor, tracked by others as Void Balaur, has targeted journalists, politicians, NGOs and nonprofits, as well as people who appeared to be everyday citizens located in Russia and surrounding countries. These attacks also involved phishing.

“After the target account was compromised, the attacker generally maintained persistence by granting an OAuth token to a legitimate email application like Thunderbird or generating an App Password to access the account via IMAP. Both OAuth tokens and App Passwords are revoked when a user changes their password,” explained Shane Huntley, director of Google’s Threat Analysis Group.

This group also had a public website at one point, which it used to advertise social media and email account hacking services.

The UAE group is mostly active in North Africa and the Middle East, mainly targeting government, political and educational organizations. This threat actor also relies on phishing emails, but uses a custom phishing kit, unlike many other groups, which rely on open source phishing frameworks.

“After compromising an account, the actor maintains persistence by granting themselves an OAuth token to a legitimate email app like Thunderbird, or by linking the victim Gmail account to an attacker-owned account on a third-party mail provider. The attacker would then use a custom tool to download the mailbox contents via IMAP,” Huntley said.
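As an added illustration, not part of this article or Google’s post: a small detection routine that runs over constructed audit events and flags the persistence patterns Huntley describes in both quotes above (mail-scope OAuth grants to desktop clients and App Passwords), rating a finding higher when it follows a sign-in from outside the user’s usual countries. The event schema, the baseline and the sample lines are assumptions constructed for this example, not Google’s audit log format.

```python
import json
from datetime import datetime, timedelta

# Constructed sample of account audit events (assumption: a simplified schema of
# our own, not Google's Reports API format; map your export's fields onto it).
SAMPLE_LOG = """\
{"ts":"2022-06-20T08:02:11Z","user":"alice@example.org","event":"login","country":"AE"}
{"ts":"2022-06-20T08:05:40Z","user":"alice@example.org","event":"oauth_grant","app":"Thunderbird","scopes":["https://mail.google.com/"]}
{"ts":"2022-06-20T08:09:03Z","user":"alice@example.org","event":"app_password_created"}
{"ts":"2022-06-20T09:30:00Z","user":"bob@example.org","event":"login","country":"DE"}
{"ts":"2022-06-20T09:31:00Z","user":"bob@example.org","event":"oauth_grant","app":"Calendar Sync","scopes":["https://www.googleapis.com/auth/calendar.readonly"]}
{"ts":"2022-06-22T10:00:00Z","user":"bob@example.org","event":"oauth_grant","app":"Thunderbird","scopes":["https://mail.google.com/"]}
"""

# Countries each user normally signs in from (constructed baseline).
BASELINE = {"alice@example.org": {"DE"}, "bob@example.org": {"DE"}}
# Scope prefixes that give a third-party app read access to the mailbox.
MAIL_SCOPES = ("https://mail.google.com/", "https://www.googleapis.com/auth/gmail.")
WINDOW = timedelta(hours=24)  # how long after an odd login a grant stays suspicious

def parse_log(text):
    """Parse one JSON event per line and return them in time order."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    for e in events:
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return sorted(events, key=lambda e: e["ts"])

def grants_mail_access(event):
    """True for the two persistence mechanisms named in the article."""
    return event["event"] == "app_password_created" or (
        event["event"] == "oauth_grant"
        and any(s.startswith(MAIL_SCOPES) for s in event.get("scopes", [])))

def find_persistence(events, baseline):
    """Flag every mail-access grant; HIGH if an out-of-baseline sign-in preceded
    it within WINDOW, MEDIUM otherwise (still worth a look with the user)."""
    findings, last_odd_login = [], {}
    for e in events:
        user = e["user"]
        if e["event"] == "login" and e["country"] not in baseline.get(user, set()):
            last_odd_login[user] = e["ts"]
        elif grants_mail_access(e):
            recent = user in last_odd_login and e["ts"] - last_odd_login[user] <= WINDOW
            findings.append({"user": user, "event": e["event"], "app": e.get("app"),
                             "severity": "HIGH" if recent else "MEDIUM"})
    return findings

if __name__ == "__main__":
    # Response per the article: a password change revokes both OAuth tokens and App Passwords.
    for f in find_persistence(parse_log(SAMPLE_LOG), BASELINE):
        print(f)
```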

Google believes that Mohammed Benabdellah, an individual sued by Microsoft in 2014 over the development of the H-Worm (njRAT) malware, is linked to the group.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
