Delhi firm linked to global hacking scam
Updated: 10 Jun 2020, 05:56 PM IST
- Among the targeted organizations were US advocacy firms working on climate change and net neutrality
- The group behind these operations, Dark Basin, is allegedly linked to an obscure Delhi-based IT firm, BellTroX InfoTech Services
NEW DELHI: Citizen Lab, a research group at the University of Toronto, has uncovered a global hack-for-hire operation that targeted thousands of individuals and hundreds of institutions, including journalists, government officials, CEOs, lawyers and human rights activists. Among the targeted organizations were US advocacy firms working on climate change and net neutrality.
The group behind these operations, Dark Basin, is allegedly linked to an obscure Delhi-based IT firm, BellTroX InfoTech Services.
Email queries to BellTroX had not received a response by press time. According to a Reuters report, Sumit Gupta, founder of BellTroX InfoTech, has denied any wrongdoing.
Citizen Lab alerted hundreds of individuals and institutions who were targeted by the group and has shared material confirming their targeting with the US Department of Justice (DOJ).
It has also shared technical information unearthed during the investigation with researchers at cybersecurity company NortonLifeLock, who were conducting a parallel investigation into Dark Basin’s operations.
Citizen Lab’s investigation started in 2017 when it was contacted by a journalist who was the target of a phishing attack.
It linked the attack to a custom URL shortener used to mask the phishing links. The shortener was part of a larger network of custom URL shorteners and was used by a single group—Dark Basin.
The shorteners issued their shortcodes sequentially, which let the researchers enumerate them and recover almost 28,000 additional URLs, which contained the e-mail addresses of the targets.
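The weakness described above is worth seeing concretely. The following Python is an added illustration, not Citizen Lab's tooling and not anything recovered from Dark Basin: the shortener table, the domain names, the addresses and the URL formats are all constructed. It models a shortener whose codes are a base-62 encoding of an incrementing counter, shows that one code seen in a phishing mail is enough to walk its neighbours, and pulls the embedded address out of each long URL. For contrast, it also shows the random-code alternative that would have made the enumeration infeasible.

```python
"""Enumerating a URL shortener that hands out sequential shortcodes.

Constructed example for illustration: the shortener, its table and the
phishing URLs are invented, not Dark Basin infrastructure. When a
shortcode is just base-62(counter), consecutive counters give
consecutive codes, so knowing one code lets you walk the whole table.
"""
import secrets
from urllib.parse import parse_qs, urlparse

ALPHABET = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"


def encode_b62(n: int) -> str:
    """Base-62 encoding of a counter: 1000 -> 'g8', 1001 -> 'g9', 1002 -> 'ga'."""
    if n == 0:
        return ALPHABET[0]
    out = []
    while n:
        n, r = divmod(n, 62)
        out.append(ALPHABET[r])
    return "".join(reversed(out))


def decode_b62(code: str) -> int:
    n = 0
    for ch in code:
        n = n * 62 + ALPHABET.index(ch)
    return n


# Constructed shortener table (counter -> long URL). Phishing kits often
# carry the victim's address in the query string so the fake login page
# can pre-fill it; that is what makes the enumerated URLs so revealing.
SHORTENER_DB = {
    encode_b62(1000): "https://mail-security-check.example/login?u=alice@ngo.example",
    encode_b62(1001): "https://mail-security-check.example/login?u=bob@lawfirm.example",
    encode_b62(1002): "https://mail-security-check.example/login?u=carol@press.example",
    # counter 1003 was never issued: models a 404 in the middle of the range
    encode_b62(1004): "https://doc-share.example/view?email=dave@climate.example&id=7",
    encode_b62(1005): "https://doc-share.example/view?id=8",  # no address embedded
}


def resolve(code: str):
    """Stand-in for an HTTP request to the shortener that reads the
    Location header; None models an unissued code (404)."""
    return SHORTENER_DB.get(code)


def extract_email(long_url: str):
    """Return the first query-string value that looks like an address."""
    for values in parse_qs(urlparse(long_url).query).values():
        for v in values:
            if "@" in v and "." in v.rsplit("@", 1)[-1]:
                return v
    return None


def enumerate_neighbours(seed_code: str, radius: int):
    """Given one shortcode (e.g. from a phishing e-mail), walk `radius`
    codes below and above it and return (code, long_url, email) tuples."""
    base = decode_b62(seed_code)
    found = []
    for n in range(max(base - radius, 0), base + radius + 1):
        code = encode_b62(n)
        url = resolve(code)
        if url is not None:
            found.append((code, url, extract_email(url)))
    return found


def harvest_targets(seed_code: str, radius: int):
    """Distinct addresses recoverable from the seed's neighbourhood."""
    return sorted({e for _, _, e in enumerate_neighbours(seed_code, radius) if e})


def random_code(nbytes: int = 16) -> str:
    """Contrast: a 128-bit random code has no walkable neighbours, so
    enumeration degrades to brute force over the whole code space."""
    return secrets.token_urlsafe(nbytes)


if __name__ == "__main__":
    seed = encode_b62(1002)  # the one code a journalist received
    for code, url, email in enumerate_neighbours(seed, 5):
        print(f"{code:>4}  {email or '-':24} {url}")
    print("targets:", harvest_targets(seed, 5))
    print("unguessable alternative:", random_code())
```

The enumerator tolerates gaps (unissued codes) rather than stopping at the first miss, which matters in practice because a shortener's counter rarely maps to a dense table. The defensive point is the last function: a shortener that issues long random codes leaks nothing about its other entries, whereas a counter turns every recipient's link into an index into the operator's whole target list.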
Using open-source intelligence techniques, Citizen Lab identified hundreds of targeted individuals and organizations.
Further investigation revealed that the timestamps found in phishing emails were consistent with working hours in India’s UTC+5:30 time zone.
In addition, several of the URL shorteners used by Dark Basin carried Indian festival names such as Holi and Rongali, and log files showed that Dark Basin had done some testing from IP addresses in India.
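The working-hours reasoning behind the timestamp finding can be made explicit. The following Python is an added illustration, not Citizen Lab's method or data: the Date headers are constructed, and the 09:00 to 18:00 weekday window is an assumption. It normalises each timestamp to UTC (ignoring the sender-declared offset, which is trivially forged), then scores every half-hour UTC offset by how many timestamps fall inside local working hours. The offset with the best fit is only consistent with, never proof of, where the operators sit, which is why the article lists it alongside the festival-named shorteners and the Indian test IPs rather than on its own.

```python
"""Which UTC offset best fits a set of e-mail timestamps as a working day?

Constructed example: the Date headers below are invented, not from the
Dark Basin e-mails. Half-hour offsets are swept because a whole-hour
sweep would never land on UTC+5:30 at all.
"""
from datetime import timedelta, timezone
from email.utils import parsedate_to_datetime

# Constructed RFC 5322 Date headers. The declared offsets are mixed on
# purpose: only the instant is trusted, not what the sender claims.
DATE_HEADERS = [
    "Mon, 13 Nov 2017 04:12:51 +0000",
    "Mon, 13 Nov 2017 06:40:03 +0000",
    "Tue, 14 Nov 2017 03:58:20 -0000",   # -0000 means "no zone known"
    "Tue, 14 Nov 2017 09:15:44 +0000",
    "Wed, 15 Nov 2017 10:31:09 +0530",   # same instant as 05:01:09 UTC
    "Wed, 15 Nov 2017 11:30:12 +0000",
    "Thu, 16 Nov 2017 07:22:37 +0000",
    "Fri, 17 Nov 2017 04:45:00 +0000",
    "Fri, 17 Nov 2017 12:10:58 +0000",
    "Sat, 18 Nov 2017 08:05:19 +0000",   # weekend: a miss for every offset
]

# Candidate offsets in minutes, UTC-12:00 to UTC+14:00 in half-hour steps.
CANDIDATES = range(-12 * 60, 14 * 60 + 1, 30)


def to_utc(date_header: str):
    """Parse a Date header to an aware UTC datetime.

    Python returns a naive datetime for a '-0000' zone; treating that as
    UTC is the only safe reading (astimezone() on a naive value would
    silently assume the analyst's own system zone)."""
    dt = parsedate_to_datetime(date_header)
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    return dt.astimezone(timezone.utc)


def working_hour_fit(date_headers, offset_minutes, start=9, end=18):
    """Fraction of timestamps that fall on a weekday inside [start, end)
    local time if the sender is assumed to sit at offset_minutes."""
    tz = timezone(timedelta(minutes=offset_minutes))
    hits = 0
    for header in date_headers:
        local = to_utc(header).astimezone(tz)
        if local.weekday() < 5 and start <= local.hour < end:
            hits += 1
    return hits / len(date_headers)


def fmt_offset(minutes: int) -> str:
    sign = "+" if minutes >= 0 else "-"
    h, m = divmod(abs(minutes), 60)
    return f"UTC{sign}{h:02d}:{m:02d}"


def best_offsets(date_headers):
    """All offsets tied for the best fit, plus that best score. Ties are
    returned rather than hidden: the data alone rarely picks one zone."""
    scores = {off: working_hour_fit(date_headers, off) for off in CANDIDATES}
    top = max(scores.values())
    return [fmt_offset(o) for o, s in sorted(scores.items()) if s == top], top


if __name__ == "__main__":
    for off in (0, 300, 330, 360, -300):
        print(f"{fmt_offset(off)}  fit={working_hour_fit(DATE_HEADERS, off):.2f}")
    offsets, score = best_offsets(DATE_HEADERS)
    print("best fit:", offsets, f"({score:.2f})")
```

With this constructed data UTC+5:30 scores 0.9 and its whole-hour neighbours 0.8, so the half-hour sweep is what separates India from the zones on either side. On a real corpus an analyst would also check that the spread of hours resembles a workday rather than an automated sender, and would keep the weekend and off-hours misses in view rather than discarding them.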