October 09, 2020
The hacking group, known publicly as Bahamut, has targeted Middle Eastern human rights activists, Pakistani military officials, and Gulf Arab businessmen. PHOTO: AFP
WASHINGTON – Saudi diplomats, Sikh separatists and Indian business executives have been among those targeted by a group of hired hackers, according to research published by software firm BlackBerry Corp.
The report on the group, known publicly as Bahamut, the name assigned to the mythical sea monster of Arab lore, highlights how cyber-security researchers are increasingly finding evidence of mercenaries online.
BlackBerry’s vice-president of research, Mr Eric Milam, said the diversity of Bahamut’s activities was such that he assumed it was working for a range of different clients.
“There’s too many different things going on across too many different ranges and too many different verticals that it would be a single state,” Mr Milam said ahead of the report’s release.
In June, Reuters reported on how an obscure Indian IT firm called BellTroX offered its hacking services to help clients spy on more than 10,000 e-mail accounts over seven years, including targeting prominent American investors.
BlackBerry – which absorbed antivirus firm Cylance in 2019 – stitched together digital clues left by other researchers over the years to create a picture of a sophisticated group of hackers.
BlackBerry also linked the group to mobile phone applications in the Apple and Google app stores.
Those apps, which included a fitness tracker and password manager, may have helped the hackers track their targets, the report said.
A Google spokesman said all the apps in the Google Play Store mentioned in the report had been removed.
Apple said two of the seven apps were no longer in its App Store and that it was not provided with enough information about the remaining programs to judge whether they were malicious.
Mr Milam declined to comment on who he thought might be behind Bahamut, but he said he hoped the report would help to sharpen the focus on hackers-for-hire.
Mr Taha Karim, the chief executive of Emirati cyber-security company tephracore – who was not involved in BlackBerry’s research but reviewed the report ahead of publication – said the findings were credible and “they found links that aren’t obvious”.
BlackBerry did not name any of Bahamut’s targets directly, but researchers have previously publicly identified Middle Eastern human rights activists, Pakistani military officials, and Gulf Arab businessmen as being in the group’s crosshairs.
Reuters was also able to identify new targets by cross-referencing data published in BlackBerry’s report with booby-trapped webpages preserved by urlscan.io, a cyber-security tool.
One heavily targeted organisation included the New York-based Sikhs for Justice, a separatist group that’s campaigning for an independent homeland for Sikhs in India.
Its founder, Mr Gurpatwant Singh Pannun, said his campaign websites have been repeatedly hacked and his e-mails broken into.
Others pursued by the hackers included: The United Arab Emirates’ Ministry of Defence; its Supreme Council for National Security; and Mr Shaima Gargash, the Emirates’ No. 2 diplomat in Washington.
In an e-mail, Mr Gargash said the embassy had no comment.
Saudi officials were also targeted by the hackers.
Cached phishing pages preserved by services such as urlscan and reviewed by Reuters showed that the cyberspies targeted Mawthouq, the Saudi government’s e-mail service, half a dozen Saudi government ministries, and the Saudi Centre for International Strategic Partnerships, a Riyadh-based body aimed at helping coordinate the petrostate’s foreign policy.
The Saudi Embassy in Washington declined comment.
The hackers pursued royals and business executives in Bahrain, Kuwait, and Qatar.
In August 2019, they attempted to compromise an employee of major Indian energy conglomerate Reliance Industries around the time that the company was negotiating the sale of a stake in its oil-to-chemicals business to Saudi Aramco.
Reliance did not return repeated messages. Attempts to reach the hackers were unsuccessful.