A Russian-speaking hacker-for-hire group has been quietly spying on thousands of individuals and organizations worldwide and selling highly private information about them to various customers, motivated by financial gain and by politically driven agendas.
Researchers from Trend Micro who have been tracking the cyber-mercenary group's activities have called it Void Balaur after a legendary multiheaded creature in Eastern European folklore. In a report at the Black Hat Europe 2021 conference this week, the researchers described the group as being active likely as early as September 2015.
Void Balaur's services have included breaking into and stealing data from email accounts and acquiring and selling a wide range of sensitive personal data belonging to targeted individuals. Information that the group has acquired and sold to its customers includes passport details, SMS messages, phone call records (including cell tower log data), caller information and location, information about purchased tickets for plane and train rides across borders, traffic camera shorts, Interpol records, and credit reports.
Targets have included politicians, human rights activists, dissidents, scientists, doctors, journalists, and engineers. Trend Micro's research shows that over a period of 18 months, Void Balaur has stolen data from more than 3,500 targets, some of whom experienced long-lasting and repeated attacks. Among the victims were politicians in Uzbekistan and Belarus as well as other countries, including Ukraine, Russia, Norway, France, Italy, and Armenia.
Trend Micro said it had been able to link the threat actor to attacks in Uzbekistan that Amnesty International had reported on last year as having a serious impact on the lives of some individuals in that country. Some victims felt so threatened by Void Balaur's activities that they left their country and went into exile in other countries, Trend Micro said.
"We consider Void Balaur as a cyber mercenary that can be potentially hired by anyone," says Feike Hacquebord, senior threat researcher at Trend Micro and author of the Trend Micro report. The targets of Void Balaur are varied, he says. "A target could be a local shop in Moscow, a fashion designer in New York, a high-profile journalist, a medical doctor in Ukraine, a veterinary scientist in India, a medical scientist in Brazil, a military mercenary in South Africa, or a politician who saw no other option than go into exile abroad."
Hacquebord says that Trend Micro has been unable to identify the threat group's customers. Some of them appear to be members of underground forums — such as Probiv, Darkmoney, and Tenec — that trade in all sorts of stolen data and credentials. However, it's unlikely that these members represent the bulk of the threat group's customers. "Void Balaur [has been] active in underground forums like Probiv [only] since 2018, while we could track activities back to 2015," Hacquebord says. "This shows that prolific customers found their way to Void Balaur, even before they were active in underground forums."
Group's Tactics, Techniques, and Procedures Are Unclear
Trend Micro researchers have so far been unable to identify exactly how Void Balaur's members have managed to access some of the data they have made available for sale over the past few years. For example, while in some instances the group appears to have accessed email accounts via credential phishing and using zero-click zero-day exploits, in other cases it seems to have managed to acquire copies of mailboxes without any user interaction. Some possible ways they could have done this: by getting key employees at some email providers to knowingly sell the data or by compromising accounts of key employees with access to targeted email mailboxes. Another scenario is that the threat actor managed to compromise the account of law enforcement personnel with legal access to the compromised mailboxes, or that the email provider's systems were breached.
Similarly, it's unclear how Void Balaur has been able obtain sensitive and complete call records with and without cell tower information. Trend Micro theorized that members of the group may have bribed insiders at telecom companies for the data. Another possibility is that the threat actor managed to compromise accounts belonging to key management personnel and engineers at major telecom companies. Data that Trend Micro analyzed, for instance, showed that Void Balaur at various times targeted the deputy director of a Russian telecom company; senior network engineers at telecom companies in the US, UK, and Russia; and the networks of a manufacturer of cellular equipment in Russia and a radio navigation company in the same country.
Other organizations that have been targeted include mobile companies, cellular equipment vendors, satellite communication companies, ATM manufacturers, point-of-sale system vendors, financial companies, and biotechnology firms.
Feedback about the group in underground forums has been uniformly positive, Hacquebord says. Several customers have described Void Balaur as being very quick to deliver information to them. However, some campaigns that Trend Micro has tracked show the group also has been engaged in campaigns that have targeted one specific organization or group of organizations over an extended period.
"For example, for one particular oligarch, we have seen that the CEOs of his companies, his family members, and his board members were targeted over more than one year," Hacquebord says. In one other case, the threat group targeted the former head of an intelligence agency and then later several ministers and parliament members of the government of the same country. A few weeks later, the lawyer of the former intelligence head and even the judge who ruled over an alleged corruption case were targeted as part of the same operation. "In other words, some campaigns are very long and involve multiple targets," Hacquebord says.
For enterprise organizations, the main takeaway is that their employees could well become the target of a cyber mercenary via their private or corporate email accounts. As Void Balaur has demonstrated, such groups can be persistent and attack over a lengthy period. "Defending against a cyber mercenary is both easy and difficult," Hacquebord notes. It's easy when enterprises follow basic cyber-hygiene practices such as using only reputable email providers, using two-factor authentication, implementing end-to-end encryption, and deleting old data and messages that are no longer used.
"However," he adds, "this general advice is not enough to defend against zero-days and cyber mercenaries that are somehow able to get sensitive information [from] service providers."