Repeatedly named one of the most elusive and sophisticated threat groups, BAHAMUT is now a prime subject for dogged cybercrime researchers.

What motivates hackers for hire? What makes them successful as threat actors? How do they continue to remain elusive yet effective?

One cyberespionage threat group, BAHAMUT, has been investigated in depth because of its staggering number of ongoing attacks against government officials and industry titans.

From the findings, we can now get an inside look at the true reach and sophistication of one of the most elusive, patient, and effective publicly known threat actors and its vast network of disinformation assets aimed at furthering particular political causes and hampering non-governmental organizations. 

Disinformation campaigns

BAHAMUT deploys a vast array of sophisticated disinformation campaigns. Research by BlackBerry found that the threat group currently presides over a significant number of fake news entities, ranging from fraudulent social media personas to entire news websites built to carry disinformation. Its motive: to further certain causes and to gain information on high-value targets.

Said the firm’s Vice President of Research Operations, Eric Milam: “The sophistication and sheer scope of malicious activity that our team was able to link to BAHAMUT is staggering. Not only is the group responsible for a variety of unsolved cases that have plagued researchers for years, but we also discovered that BAHAMUT is behind a number of extremely targeted and elaborate phishing and credential harvesting campaigns, hundreds of new Windows malware samples, zero-day exploits, anti-forensic/AV evasion tactics, and more.”

BAHAMUT has increased its targeting of mobile devices and has published over a dozen suspicious applications in the Google Play and Apple iOS app stores. The group’s approach to compromising its targets is a model of patience. Importantly, despite the range of targets and attacks, the lack of any discernible pattern or unifying motive confirms that the group is likely acting as mercenary hackers.

“This is an unusual group in that their operational security is well above average, making them hard to pin down,” Milam added. “They rely on malware as a last resort; are highly adept at phishing; tend to aim for mobile phones of specific individuals as a way into an organization; show an exceptional attention to detail and above all are patient. They have been known to watch their targets and wait for a year or more, in some cases.”

Fake news empires 

Perhaps the most distinctive aspect of BAHAMUT’s tradecraft is its use of original, painstakingly crafted websites, applications and personas.

In at least one example, the group took over the domain of what was originally an information security news website and began pushing out content focused on geopolitics, research, industry news about other hack-for-hire groups, plus a slew of fake ‘contributors’ using the names and photos of real journalists (including local US news anchors) to appear legitimate.

In some cases, the ‘news’ outlets BAHAMUT created were also accompanied by social media accounts and other websites to present a veneer of legitimacy. 

Malicious mobile apps

Based on configuration and unique network service fingerprints, it has been established that BAHAMUT is responsible for nine malicious iOS applications in the Apple App Store and an assortment of Android applications.

The applications were complete with well-designed websites, privacy policies and written terms of service (often overlooked by threat actors) that helped them bypass Google’s and Apple’s app market safeguards.

Because downloads were region-locked, the apps in question were evidently intended for targets in the United Arab Emirates. Additionally, Ramadan-themed applications, as well as those that invoked the Sikh separatist movement, indicate that BAHAMUT intended to target specific religious and political groups.

A wily threat group

By leveraging publicly available tools, imitating other threat groups and changing its tactics frequently, BAHAMUT has been difficult for researchers to pin down.

However, BlackBerry now reports with high confidence that the threat group is behind exploits researched by over 20 different security companies and non-profits under the names EHDEVEL, WINDSHIFT, URPAGE, THE WHITE COMPANY, and most significantly, the unnamed threat group in Kaspersky’s 2016 ‘InPage zero-day’ research.

Other significant observations of BAHAMUT:

  • It has access to at least one developer whose skill level is higher than that of most other known threat actor groups today
  • Its phishing and credential-harvesting tactics are aimed at very precise targets, and it launches concerted and robust reconnaissance operations on targets prior to attack
  • Clustered targeting in South Asia and the Middle East lends credence to a ‘hacker for hire’ operation
  • The group is well-funded, well-resourced and well-versed in security research, as evidenced by the range of tools, tactics and targets of the group

In accordance with established protocols, BlackBerry has endeavoured to notify as many of the individual, governmental and corporate/non-profit targets as possible prior to the publication of its BAHAMUT report.