A blog post published by Google’s Threat Analysis Group on Thursday describes the activities of hack-for-hire gangs in Russia, India and the United Arab Emirates.
The internet giant has added more than 30 domains used by these threat groups to its Safe Browsing mechanism, which prevents users from accessing them.
Hack-for-hire groups are often conflated with entities offering surveillance tools. Google has pointed out that surveillance vendors typically provide the tools needed for spying but leave it up to the end user to operate them, while hack-for-hire groups conduct the attacks themselves.
Several hack-for-hire groups have been identified in recent years. Google’s analysis focuses on three groups believed to be operating out of India, Russia and the UAE.
The threat actor linked to India has been tracked by Google since 2012, with some of its members believed to have previously worked for offensive security providers. They now appear to be working for Rebsec, a new company that openly advertises corporate espionage services.
The group has been spotted targeting healthcare, government and telecom organizations in the Middle East, with attempts to phish credentials for AWS, Gmail and government services accounts.
The Russia-linked threat actor, tracked by others as Void Balaur, has targeted journalists, politicians, NGOs and nonprofits, as well as people who appeared to be everyday citizens located in Russia and surrounding countries. These attacks also involved phishing.
“After the target account was compromised, the attacker generally maintained persistence by granting an OAuth token to a legitimate email application like Thunderbird or generating an App Password to access the account via IMAP. Both OAuth tokens and App Passwords are revoked when a user changes their password,” explained Shane Huntley, director of Google’s Threat Analysis Group.
This group also had a public website at one point, which it used to advertise social media and email account hacking services.
The UAE group is mostly active in North Africa and the Middle East, mainly targeting government, political and educational organizations. This threat actor also relies on phishing emails, but uses a custom phishing kit, unlike many other groups, which rely on open source phishing frameworks.
“After compromising an account, the actor maintains persistence by granting themselves an OAuth token to a legitimate email app like Thunderbird, or by linking the victim Gmail account to an attacker-owned account on a third-party mail provider. The attacker would then use a custom tool to download the mailbox contents via IMAP,” Huntley said.
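As an added defender-side example (not code from the article or from Google's blog post), a Python check over account-token audit records for the persistence step Huntley describes: an OAuth grant that hands a mail client full-mailbox (IMAP) scope. The record layout, field names and sample entries are constructed assumptions modelled on the Google Workspace Admin SDK Reports "token" activity feed.

```python
"""Audit helper for the persistence pattern above: spot OAuth grants that
hand a third-party mail client full mailbox (IMAP) access."""

# Scopes that let a client read the whole mailbox (IMAP/SMTP, read-all).
MAILBOX_SCOPES = {"https://mail.google.com/",
                  "https://www.googleapis.com/auth/gmail.readonly"}


def _event_params(event):
    """Flatten an event's parameter list into {name: value-or-list}."""
    return {p["name"]: p.get("multiValue", p.get("value"))
            for p in event.get("parameters", [])}


def find_mailbox_grants(activities, allowed_client_ids=frozenset()):
    """Return one finding per 'authorize' event that grants a mailbox scope
    to a client not on the allow-list; revoke events are ignored."""
    findings = []
    for act in activities:
        for ev in act.get("events", []):
            if ev.get("name") != "authorize":
                continue
            p = _event_params(ev)
            if p.get("client_id") in allowed_client_ids:
                continue
            if set(p.get("scope") or []) & MAILBOX_SCOPES:
                findings.append({"user": act["actor"]["email"],
                                 "app": p.get("app_name", "unknown"),
                                 "client_id": p.get("client_id", "unknown"),
                                 "time": act["id"]["time"]})
    return findings


# Constructed sample records (not real log data), shaped like the Admin SDK
# Reports API "token" activity feed; the field names are an assumption.
SAMPLE_ACTIVITIES = [
    {"id": {"time": "2022-06-30T08:12:00Z"},
     "actor": {"email": "alice@example.com"},
     "events": [{"type": "auth", "name": "authorize", "parameters": [
         {"name": "client_id", "value": "1234.apps.googleusercontent.com"},
         {"name": "app_name", "value": "Thunderbird"},
         {"name": "scope", "multiValue": ["https://mail.google.com/"]}]}]},
    {"id": {"time": "2022-06-30T09:00:00Z"},
     "actor": {"email": "bob@example.com"},
     "events": [{"type": "auth", "name": "authorize", "parameters": [
         {"name": "client_id", "value": "5678.apps.googleusercontent.com"},
         {"name": "app_name", "value": "Calendar widget"},
         {"name": "scope", "multiValue": ["openid", "email"]}]}]},
]
```

A hit is a lead, not a verdict: a legitimate client such as Thunderbird is exactly what the attacker abuses, so each finding should be confirmed with the user and, if unexpected, followed by a password change, which revokes the token and any App Passwords.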
Google believes that Mohammed Benabdellah, an individual sued by Microsoft in 2014 over the development of the H-Worm (njRAT) malware, is linked to the group.