Massive hack-for-hire group uncovered by BlackBerry


Yesterday, a new report published by Kitchener-Waterloo’s BlackBerry Limited (NYSE: BB; TSX: BB) linked a known cyberespionage group, BAHAMUT, to an increasing amount of attacks targeting government officials and industry titans and also shed light on broad disinformation campaigns designed to further particular political issues and hamper the efforts of non-governmental organizations.

While high ranking governmental and private sector officials were found to be targeted in India, the Emirates, and Saudi Arabia, BlackBerry’s Research and Intelligence Team found that those advocating for Sikh separatism and human rights supporters in the Middle East were also a focus for BAHAMUT.

“The sophistication and sheer scope of malicious activity that our team was able to link to BAHAMUT is staggering,” said Eric Milam, VP, Research Operations at BlackBerry.

“Not only is the group responsible for a variety of unsolved cases that have plagued researchers for years, but we also discovered that BAHAMUT is behind a number of extremely targeted and elaborate phishing and credential harvesting campaigns, hundreds of new Windows malware samples, use of zero-day exploits, anti-forensic/AV evasion tactics and more.”

BAHAMUT, according to BlackBerry, is ultimately difficult to define due to the suspected use of other organizations’ tools and methods. Its campaigns, infrastructure, and tools are kept separate from each other, and when exposed, the group learns from its mistakes and its tactics change accordingly.

Its targets were found to be “all over the map,” with the organization itself appearing to be well-funded, well-resourced, and well-versed in security research. The lack of a pattern or single motive behind its attacks led BlackBerry to deem the organization a “hack-for-hire” cyber-espionage mercenary group. BlackBerry did note “with high confidence” that BAHAMUT is the same organization referenced in a number of previous cyber-security research materials under the names EHDEVEL, WINDSHIFT, URPAGE and THE WHITE COMPANY.

Unique to BAHAMUT is the complicated and exceptionally patient approach it takes in its operations and attacks.

Over a dozen applications in the Google Play and Apple iOS stores were found to be attributed to BAHAMUT. In addition, BAHAMUT has also built what BlackBerry calls a “Fake News Empire”. The report outlines the discovery of the group’s use of original and detailed websites, applications, and personas to communicate an air of legitimacy when advocating for a particular theme.

One instance profiled in the report outlines that BAHAMUT took over a website domain originally used as an information security website and began publishing materials on geopolitics, research, and industry news about other hack-for-hire organizations. Included was a list of fake contributors, but it used the names and likenesses of real journalists from around the world, including some located in the United States.

In some cases, these fake news outlets had sister social media accounts and other websites to further appear legitimate.

“This is an unusual group in that their operational security is well above average, making them hard to pin down,” Milam added. “They rely on malware as a last resort, are highly adept at phishing, tend to aim for mobile phones of specific individuals as a way into an organization, show an exceptional attention to detail and above all are patient.”

“They have been known to watch their targets and wait for a year or more.”

This is the latest in a number of wins for BlackBerry on the security front. The company has always been seen as a leader in IT security. BlackBerry is also said to be releasing a new phone in 2021. US company Onward Mobility has licensed the BlackBerry name and has announced that it will work to release a 5G BlackBerry device with a physical keyboard in 2021.
