Hacking-for-Hire Growing Bigger, Refined — and Far Too Common

By Nora Macaluso

Hacking-for-hire is becoming a bigger and more sophisticated tool in corporate espionage — and the market for such services is likely to continue, even as reports of high-profile, targeted attacks come to light, experts told Digital Privacy News.

Hacking-for-hire has become “more than just cracking a database and selling the information,” said Robert Siciliano, chief security architect at Protect Now in Boston. “Hacking today is a service, like hiring a lawyer or an accountant.”

Citizen Lab, a Toronto-based research laboratory focused on the intersection of digital technologies, human rights and global security, recently exposed a massive hacking operation targeting individuals and high-profile institutions worldwide.

The organization said its “multi-year investigation” found evidence of “commercial espionage” aimed at “thousands of individuals and organizations on six continents.”

Justice Department Involved

In 2017, a journalist targeted by a phishing attempt approached the group, which determined the effort was part of a larger network of hacks aimed at targets that included politicians, CEOs, government prosecutors and human-rights activists, Citizen Lab said.

These individuals allegedly were part of a campaign to prove ExxonMobil knew about and hid information about climate change, Citizen Lab’s June report said.

The range of targets, which often represented only one side of an issue or legal proceeding, made it clear that the hacking was done for hire, rather than a state-sponsored effort, the group said.

Citizen Lab, which was formed in 2001, said it turned over its findings to the U.S. Justice Department and notified the individuals and organizations targeted, offering to help them track down the hackers.

The Justice Department, in an email to Digital Privacy News, declined to comment. Citizen Lab did not return requests for comment.

ExxonMobil’s Response

An ExxonMobil spokesperson told Digital Privacy News in a statement that the company had “no knowledge of, or involvement in” the hacking scheme.

“The report’s author, Citizen Lab, receives financial support from well-known anti-fossil fuel groups … which provide funding to environmental activists,” the statement said.

“The report acknowledges the contributions of individuals with a long history of launching media campaigns against ExxonMobil and other energy companies.

“The influence of these special interests is apparent in the content of the report, which contains three pages of inferences and suggestions of potential wrongdoing by ExxonMobil unsupported by any evidence,” the spokesperson continued.

“Yet, the report claims that thousands of individuals and organizations on six continents were targeted by the hackers.”

Dubbed ‘Dark Basin’

The Citizen Lab researchers said in their report that they found the hacking organization, which they dubbed “Dark Basin,” used a network of custom URL shorteners to gain access to targets.

The researchers said the hacks were linked “with high confidence” to an Indian company, BellTroX InfoTech Services.

An email to BellTroX seeking comment bounced back to Digital Privacy News as undeliverable.

Citizen Lab said its report would be followed by additional, comprehensive reports about “certain targets and technical indicators.” No follow-up reports have yet been released.

‘Shocked, Not Surprised’

“You have this constant feeling of being shocked, not surprised” by reports of investigations like Citizen Lab’s, Dave Levin, an assistant professor of computer science at the University of Maryland, told Digital Privacy News.  

Protect Now’s Siciliano said: “Hacking-for-hire is a worldwide operation often beyond the reach of law enforcement — and taking them down is a game of whack-a-mole.”

However, digital subterfuge in many ways is just another market, Levin observed.

“Market forces come into play,” he said. “It’s like any other economy,” with supply chains and affiliates specializing in different aspects of hacking, he said. 

Botnets, denial-of-service attacks, and other forms of hacking now involve middlemen and affiliates, each specializing in a different aspect of an attack, Levin said.

“There’s no one person that does it all,” he told Digital Privacy News. “There’s not even one team finding all the vulnerabilities, figuring out the exploits, taking over,” he said.

‘Penetration Testers’

As in any sophisticated, mature economy, niche markets emerge, and it becomes harder to track specific players in the ecosystem, Levin said. 

Legitimate hackers — “penetration testers” — look for vulnerabilities in a network, in some cases conning individuals into divulging information that gives them access, Siciliano said.

With so many players, often in different countries, it’s hard for law enforcement and tech sleuths to track down hackers — or prove who hired them.

A company’s public relations department or agency, for instance, may hire a firm that does crisis management, and part of that campaign may include hiring another, less-reputable company to conduct a phishing campaign, said Eva Galperin, director of cybersecurity at the Electronic Frontier Foundation (EFF).

“It’s definitely illegal,” Galperin told Digital Privacy News. “We just can’t prove who hired them.”

Maryland’s Levin added: “I’m sure if you dig really deep, at most one would probably uncover that a company hired someone they thought was legitimate five hops down the chain.”

Many More ‘Bad Guys’

In the case of “Dark Basin,” the organization’s “employees or executives are unlikely to be within the jurisdiction” of local law enforcement, adding to the difficulty for individuals seeking to track down the source of the phishing attack, the Citizen Lab report said. 

“There are several more ‘bad guys’ than there are law-enforcement officers to stop them,” Siciliano said. 

The best way to guard against hacking is, not surprisingly, human vigilance, experts told Digital Privacy News.

Using such tools as two-factor authentication and checking to make sure websites are legitimate before clicking on links may avert disaster — but those are extra steps people don’t often take, even though they’re aware of the risks, Galperin said.

According to Siciliano: “The talents hackers have, have been around for 15-to-20 or more years.

“Now, there is more of a market” for those talents — and “people are definitely falling for the same old tricks, which are spun with new angles,” he said.

“Hackers,” EFF’s Galperin said, “don’t need to be more sophisticated.”

Nora Macaluso is a Philadelphia-based writer.
