By Bruce Sussman
Thu | Nov 18, 2021 | 3:05 PM PST

What comes to mind when you think about a mercenary?

Maybe it is someone racing through the jungle, sneaking up on the captors standing watch outside a grass hut and taking them out.

Or perhaps you prefer the city version. A "hitman for hire" eliminates his target with a couple of muffled shots from a gun. The weapon's silencer works its magic and the mercenary disappears like a ghost.

But for threat researcher Feike Hacquebord, it's the ghost in the wires that concerns him most.

He has spent the last 18 months tracking a cyber mercenary group across the Dark Web.

It's a cyber mercenary operation that may have been hired to digitally hunt you down, track your employees, or trick your executives.

"They target a lot of doctors. They are sending phishing emails to target senior engineers working for phone companies, they are targeting banks as well," Hacquebord says.

And according to Hacquebord, they are also going after activists, government leaders, journalists, and more.

"And all of these targets have one thing in common: they have a lot of personal data on people. So my impression is that they're stalking people in advance and that they can sell the information they are getting."

And in some cases, they have sold it already, as digital mercenaries for hire.

This is the story of a cyber mercenary group, dubbed Void Balaur, with victims around the world. Does someone at your organization have a digital target on their back?

Cyber mercenary investigation starts with a phishing attack

As a senior threat researcher at Trend Micro, Feike Hacquebord spends a lot of time on the Dark Web. He's watching and he's analyzing. 

And so he was intrigued when he got a tip from a reporter whose work has appeared on CNN and the BBC, and who sometimes covers Advanced Persistent Threats (APTs), that is, nation-state linked threat actors.

The journalist told Hacquebord something strange was happening: his wife was suddenly getting targeted phishing emails. The Trend Micro researcher agreed to look into it.

At first, Hacquebord wondered if it was the work of Pawn Storm, the Russia-linked threat actor (also tracked as APT28 and Fancy Bear) that Trend Micro named and that he has been following for seven years now.

"Pawn Storm is known to attack the friends and family of the actual people they want to send phishing emails to, of the people they want to hack."

But after investigating the emails to the reporter's wife, Hacquebord realized he was looking at something else. He analyzed URLs, email addresses, and other data points from those original phishing messages and came up with 4,000 indicators he could investigate. 

One of those indicators led him to a cyber mercenary portal he had never seen before. And it contained the mercenary group's motto, which he translated from Russian:

"Money is not the main thing on the free internet. The main thing is the power that belongs to the one who controls the flow of information."

What does this motto mean, in practice?

Time passed. Threat researcher Feike Hacquebord persisted. And then his determination met with opportunity.

He was about to find out what this group, now called Void Balaur, was up to. And he would be able to watch its attacks unfold.

The big break in a cyber mercenary investigation

Remember those indicators that Hacquebord uncovered?

He did more than just analyze them himself. He also fed them into Trend Micro's threat research network to watch for signs that this group was launching attacks against Trend Micro customers, or others.
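The two steps described above, turning a phishing message into indicators and then watching logs for those indicators, look roughly like the following. This is an added example written for this article, not code from Trend Micro or the Void Balaur report; the phishing message, the .example domains and the log lines are all constructed placeholders and carry no claim about the group's real infrastructure.

```python
import email
import re
from email import policy
from urllib.parse import urlsplit

# Constructed sample phishing message for this example. The .example
# domains are placeholders, not indicators from the Trend Micro report.
SAMPLE_PHISH = """\
From: "Mail Security" <security@login-verify.example>
Reply-To: support@login-verify.example
Return-Path: <bounce@mailer-relay.example>
To: target@victim.example
Subject: Unusual sign-in attempt
Content-Type: text/plain; charset=utf-8

We blocked a sign-in. Confirm your account here:
https://account-check.example/verify?u=target%40victim.example&s=a1b2c3
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
SENDER_HEADERS = ("From", "Sender", "Reply-To", "Return-Path")


def extract_iocs(raw: str) -> dict:
    """Pull sender addresses, URLs and domains out of one phishing message.

    Recipient addresses are dropped on purpose: the victim's own domain must
    never become an indicator, or it would light up every internal log line.
    """
    msg = email.message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",)).get_content()
    recipients = EMAIL_RE.findall(" ".join(msg.get_all("To", []) + msg.get_all("Cc", [])))
    addresses = set()
    for h in SENDER_HEADERS:
        addresses.update(EMAIL_RE.findall(" ".join(msg.get_all(h, []))))
    addresses.update(EMAIL_RE.findall(body))
    addresses = {a.lower() for a in addresses} - {r.lower() for r in recipients}
    urls = {u.rstrip(".,)") for u in URL_RE.findall(body)}
    domains = {a.split("@", 1)[1] for a in addresses}
    domains |= {urlsplit(u).hostname for u in urls if urlsplit(u).hostname}
    return {"addresses": addresses, "urls": urls, "domains": domains}


# Constructed key=value log lines (proxy, SMTP and DNS) for the monitoring
# step; they reuse the placeholder hostnames from the sample message.
SAMPLE_LOGS = [
    "2021-11-10T08:01:22Z proxy src=10.0.4.12 host=account-check.example uri=/verify action=allow",
    "2021-11-10T08:01:40Z smtp from=security@login-verify.example rcpt=cfo@victim.example status=delivered",
    "2021-11-10T09:15:03Z proxy src=10.0.4.77 host=intranet.victim.example uri=/ action=allow",
    "2021-11-11T13:02:09Z dns client=10.0.4.12 query=cdn.account-check.example type=A",
]


def domain_hit(value: str, domains: set):
    """Exact or subdomain match: cdn.account-check.example hits account-check.example."""
    value = value.lower()
    for d in domains:
        if value == d or value.endswith("." + d):
            return d
    return None


def match_logs(iocs: dict, lines) -> list:
    """Return (line, matched indicator) pairs for every line touching a known IOC."""
    hits = []
    for line in lines:
        fields = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
        matched = None
        for key in ("from", "sender"):          # sender addresses from mail logs
            if fields.get(key, "").lower() in iocs["addresses"]:
                matched = fields[key].lower()
        for key in ("host", "query", "dst"):    # hostnames from proxy/DNS logs
            if matched is None and key in fields:
                matched = domain_hit(fields[key], iocs["domains"])
        if matched is not None:
            hits.append((line, matched))
    return hits


if __name__ == "__main__":
    iocs = extract_iocs(SAMPLE_PHISH)
    for kind, values in iocs.items():
        print(kind, sorted(values))
    for line, ioc in match_logs(iocs, SAMPLE_LOGS):
        print("HIT", ioc, "<-", line)
```

The subdomain match is what turns a handful of extracted hostnames into useful watchlist entries: an operator who rotates `cdn.` or `mail.` labels in front of a registered domain still trips the same indicator. Real campaigns produce thousands of indicators, as the 4,000 above show, so in practice the set of domains would be loaded from a feed rather than a single message.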

In an anonymous Dark Web world cloaked by encryption, this can take time.

"For six months, I was monitoring this and not much happened. I could see them setting up new IP addresses, maybe a few other details, but I wasn't really satisfied with this."

So he kept searching for something else. He was hoping for a digital chink in the group's cyberattack armor. And then it happened. The Void Balaur group had a slip-up in its operational security.

"I got lucky. Because somebody—and I don't know who—was using a VPN system, a shady VPN system... to access one of our customer devices to then access a control panel of Void Balaur."

Jackpot!

"And with this control panel, Void Balaur can add an email address to target, can send emails, can test a phishing URL, or access log files."

And this revealed another slip-up in operational security by the cyber mercenary group. 

"I had a look at the panel, too. And it appeared that it didn't have any authentication. So I could access that panel, as well, and I could just download data from this panel. And we had access to the panel for more than one year. So what was possible for me was to follow their campaigns, more or less in real-time, for more than one year."

Cyber mercenary group: who they are targeting

A clear view of a threat actor's targets for more than a year. Now there is a way to learn about what is happening—and why. 

On our most recent SecureWorld Sessions podcast episode, I asked Hacquebord about the targets of these attacks. 

Like mercenaries in the physical world, the cyber mercenary group scours the globe on behalf of its clients. Here are a few examples:

"It could be a local shop in Moscow. But it could also be a fashion designer in New York or Amsterdam. It could be a medical doctor, it could be somebody from politics, from the European Parliament. It could be a scientist in India or a reporter. A lot of journalists, actually; I counted like 40 or 50."

Reporters from Russia, Ukraine, the UK, the US, and other places around the world, all targeted by the cyber mercenary group.

And about the doctors being targeted, one specialty stands out: dozens of them perform in vitro fertilization (IVF). The cyber mercenary group has targeted 60 IVF doctors so far.

And he discovered that this band of digital mercenaries was behind attacks that made worldwide headlines.

"Amnesty International reported about pretty serious incidents in Uzbekistan. They reported about human rights activists and journalists being sent phishing emails, and also malware. They didn't attribute those incidents, but we do attribute it to Void Balaur. They were not maybe aware that it is this cyber mercenary group who were behind these campaigns."

What is the group looking for as it runs phishing campaigns and data-stealing malware? It is looking for information it can hand to its paying clients.

Here is a glimpse of what Hacquebord discovered by tracking these attacks and the group's Dark Web ads telling others they were for hire:

"They will hack into email boxes and social media accounts for money. But they will do more than that. They will also sell very personal data to whoever wants to pay for it.

And that includes, for example, phone call records, including cell tower base stations, so that that could reveal where people are and with whom they are having phone call conversations.

They can intercept SMS messages, they can block a phone, and they sell banking data. And many other types of personal data."

Prices vary, by service and campaign, but he believes this group earns millions in revenue. And this group is not the only one.

"There are many more examples of cyber mercenaries. So it's not only Void Balaur that is causing harm. There are just many cyber mercenaries out there."

Cyber mercenary investigation: the podcast and report

To hear more about this cyber mercenary group, its operations, and the larger cyber mercenary marketplace, take a few minutes to listen to our SecureWorld Sessions podcast interview with Feike Hacquebord, Senior Threat Researcher at Trend Micro.

Read the full report from Trend Micro, "Void Balaur: Tracking a Cybermercenary's Activities."
