Researchers have discovered a hacker-for-hire group called “Void Balaur” which has been linked to strings of cyberespionage and data theft activities targeting politicians, human right activists and government officials since 2015 for financial gain.
The group was only recently unmasked when advertisements of its services was cited in a Russia-speaking underground forum dating all the way back to 2017 as well as sales of large amount of sensitive data like cell tower phone logs, passenger flight records, banking data and SMS messages.
Asides having a good review on the forum for being able to provide quality information, the group is also believed to have focused on cryptocurrenccy exchanges by creating numerous phishing sites tricking cryptocurrency exchange users in order to gain unauthorized access to their wallets.
What’s more, the campaigns have involved the deployment of information stealers and Android spyware such as Z*Stealer and DroidWatcher against its targets. Void Balaur’s intrusion set has been observed deployed against a wide range of individuals and entities, including journalists, human rights activists, politicians, scientists, doctors working in IVF clinics, genomics and biotechnology companies, and telecom engineers. Trend Micro said it unearthed over 3,500 email addresses the group set its aim on.
Targets of the group are said to be located in Russia and other neighboring countries like Slovakia, Ukraine and Kazakhstan with victims located in Isreal, Japan, India and European nations.
“Void Balaur goes after the most private and personal data of businesses and individuals then sells that data to whomever wants to pay for it,” the researchers said. The reason why these individuals and entities were targeted remains unknown as yet.
It also still remains unclear how sensitive phone and email records are acquired from targets without interaction although there is suspicions that there could be a rogue insider at the concerned companies to sell the data or by compromising accounts of key employees with access to the targeted email mailboxes.
Trend Micro’s deep-dive analysis has also found some common ground with another Russia-based advanced persistent threat group named Pawn Storm (aka APT28, Sofacy, or Iron Twilight), with overlaps observed in the targeted email addresses between the two groups, while also significantly differing in a number of ways, including Void Balaur’s modus operandi of striking cryptocurrency users and their operational hours.
Safe measures one could put in place to defend against the hacking attacks is to enable two-factor authentication (2FA) via an authenticator app , rely on apps with end-to-end encryption (E2EE) for email communications and permanently delete old and unwanted messages.
Regular internet users cannot easily stop a cyber mercenary who is determined to carry out an evil act. The tools offensive tools in the cyber mercenary’s arsenal might be meant to be used in the fight against terrorism and organized crime however at the dame time could also end up in the hands of threat actors who use it against unwitting targets.