Researchers discover group of hackers active since 2015


A newly profiled cyber-mercenary group dubbed "Void Balaur" has been linked to a series of cyber-espionage and data-theft campaigns targeting thousands of entities, including human rights activists, politicians and government officials around the world, since at least 2015, operating for financial gain while staying in the shadows.

Named after a many-headed dragon of Romanian folklore, the adversary has openly advertised its services on Russian-speaking underground forums since at least 2017, selling troves of sensitive information such as mobile phone call logs, passenger flight records, credit reports, bank details, SMS messages and passport details. The actor calls itself "Rockethack".

"This hacker group does not operate in a physical building, nor does it have glossy flyers describing its services," said Feike Hacquebord, a researcher at Trend Micro, in a recently published profile of the collective.


"The group is not trying to get out of a difficult position by justifying its activities, nor is it involved in legal proceedings against anyone who tries to account for its activities. Instead, this group is pretty open about what it is doing: breaking into email and social media accounts for money," Hacquebord added.

In addition to earning near-unanimous positive reviews on forums for its ability to deliver quality information, Void Balaur has also reportedly targeted cryptocurrency exchanges, setting up numerous phishing sites that impersonate exchanges in order to deceive their users and gain unauthorized access to their wallets. The mercenary collective has also deployed an information stealer named Z*Stealer and Android malware such as DroidWatcher against its targets.

The Void Balaur intrusion set has been observed deployed against a wide range of individuals and entities, including journalists, human rights activists, politicians, scientists, doctors working in IVF clinics, genomics and biotechnology companies, and telecommunications engineers. Trend Micro said it identified more than 3,500 email addresses the group had set its sights on.

Most of the group's targets are believed to be located in Russia and neighbouring countries such as Ukraine, Slovakia and Kazakhstan, with further victims in the United States, Israel, Japan, India and European countries. The organizations under attack run the gamut from telecom providers, satellite communications companies and fintech firms to ATM vendors, point-of-sale (PoS) providers and biotech companies.

"Void Balaur attacks the most private and personal data of businesses and individuals, then sells it to anyone who wants to pay for it," the researchers said. Why these particular individuals and entities were targeted is still unknown.

It is not immediately clear how the actor acquires sensitive telephone and electronic records from targets without any interaction on the target's part, although the researchers suspect that it may have relied, directly or indirectly, on dishonest insiders at the companies concerned to sell the data, or compromised the accounts of key employees with access to the targeted mailboxes.

Trend Micro's in-depth analysis also found common ground with another Russia-based advanced persistent threat group, Pawn Storm (aka APT28, Sofacy or Iron Twilight), with overlaps in the email addresses targeted by the two groups, even though they differ significantly in several respects, including Void Balaur's habit of going after cryptocurrency users and the two groups' hours of operation.


If anything, the development once again highlights the unbridled growth of hack-for-hire mercenary activity in cyberspace and the demand for such services, with a number of operations, among them BellTroX (aka Dark Basin), Bahamut, CostaRicto and PowerPepper, exposed in recent months for targeting financial institutions and government agencies.

To defend against such attacks, the researchers recommend enabling two-factor authentication (2FA) through an authenticator app or hardware security key, relying on apps with end-to-end encryption (E2EE) for email and messaging, and permanently deleting old, unwanted messages to limit what a compromised account can expose. One caveat a practitioner should keep in mind: one-time codes from an authenticator app can still be phished and relayed in real time by a site impersonating the real service, whereas a FIDO2/WebAuthn hardware key binds the authentication to the genuine origin and resists that class of attack.
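The following is an added example, not code from the article or from Trend Micro's report, showing the mechanics behind the "authenticator app" recommendation: RFC 4226 HOTP and RFC 6238 TOTP code generation, the otpauth:// provisioning URI that authenticator apps scan, and a server-side verifier that tolerates clock skew but refuses to accept a code for a counter that has already been consumed, so a one-time code captured from a victim cannot be replayed. The secret is the public test seed from RFC 6238 Appendix B (constructed input, not an operational secret), and the issuer and account names are hypothetical.

```python
import base64
import hashlib
import hmac
import struct
import time

# RFC 6238 Appendix B test seed: a constructed, public input used only so the
# output below can be checked against the RFC's published test vectors.
RFC_SEED = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, dynamic truncation,
    then reduction to `digits` decimal digits (zero-padded on the left)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 6238 TOTP: the HOTP counter is the number of `step`-second intervals since the epoch."""
    return hotp(secret, now // step, digits, algo)


def provisioning_uri(secret: bytes, issuer: str, account: str, digits: int = 6, step: int = 30) -> str:
    """otpauth:// URI of the kind an authenticator app reads from a QR code.
    The shared secret travels as unpadded base32."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return (f"otpauth://totp/{issuer}:{account}"
            f"?secret={b32}&issuer={issuer}&digits={digits}&period={step}")


class TotpVerifier:
    """Server-side check for submitted codes.

    Accepts the current time step plus `window` steps on either side to absorb clock
    skew, compares in constant time, and never accepts a counter at or below the last
    one consumed, so a code that was phished or sniffed cannot be used a second time."""

    def __init__(self, secret: bytes, window: int = 1, step: int = 30, digits: int = 6):
        self.secret = secret
        self.window = window
        self.step = step
        self.digits = digits
        self._last_counter = -1  # highest counter already accepted for this user

    def verify(self, code: str, now: int) -> bool:
        # Reject anything that is not exactly `digits` ASCII decimal digits before
        # comparing; compare_digest raises on non-ASCII input.
        if not (code.isascii() and code.isdigit() and len(code) == self.digits):
            return False
        counter = now // self.step
        for delta in range(-self.window, self.window + 1):
            candidate = counter + delta
            if candidate <= self._last_counter:
                continue  # already used, or older than one already used: replay
            expected = hotp(self.secret, candidate, self.digits)
            if hmac.compare_digest(expected, code):
                self._last_counter = candidate
                return True
        return False


if __name__ == "__main__":
    # Hypothetical issuer and account, for illustration only.
    print(provisioning_uri(RFC_SEED, "ExampleMail", "alice@example.test"))
    print("code right now:", totp(RFC_SEED, int(time.time())))
```

The replay check is the part that matters against the hack-for-hire model described above: an attacker who phishes a password and a live code gets one login at most, and only if the relay happens within the skew window. It does not stop the relay itself, which is why the hardware-key recommendation stands on its own.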

"The reality is that regular Internet users cannot easily deter a determined cyber-mercenary," the researchers concluded. "While [the advanced offensive tools in a cyber-mercenary's arsenal] could be intended for use in the fight against terrorism and organized crime, the reality is that they, knowingly or unknowingly, end up in the hands of threat actors who use them against unintended targets."
