Explaining Void Balaur, a stealthy cyber mercenary group that spies on thousands
- 21 November, 2021 09:15
Over the past several years, many cyber criminal groups have started venturing into the hacker-for-hire business, offering APT-style intrusion and cyber espionage services to whoever is willing to pay.
The latest example of that is a group that researchers have dubbed Void Balaur that has been breaking into the mailboxes, social media accounts and telecommunication records of human rights activists, politicians, business executives and other high-profile individuals across a dozen countries.
The group calls itself Rockethack and advertises its services on Russian-language underground forums where it is highly respected for delivering on its promises to customers and the quality of the extracted information, researchers from security firm Trend Micro said in a recent report analysing the group's activities.
The firm managed to identify over 3,500 victims spanning over a dozen countries and many industry sectors. The group has been advertising its services since at least 2017, but evidence suggests its activities might go as far back as 2015.
"Rockethack has a massive associated intrusion set with thousands of indicators, which we are tracking under the name Void Balaur," the Trend Micro researchers said.
"We chose this name because Balaur is a monstrous multi-headed legendary creature in Eastern European folklore. It is fittingly symbolic for the multiple purposes for which Void Balaur is being hired: spying on a local shop in Moscow, on journalists, human rights activists, politicians, scientists, doctors working in a few dozen IVF clinics, genomics and biotechnology companies, telco engineers with deep knowledge of mobile operators’ networks, and business aviation companies.
"Void Balaur also dabbles in corporate espionage, is suspected to be selling data to cybercriminals in order to fight their fellow cybercriminals over disputes and has conducted attacks against cryptocurrency users."
Void Balaur does more than phishing
Like most APT groups, Void Balaur uses highly targeted phishing attacks to compromise individual targets, but there is also evidence that it often goes higher up the supply chain, gaining direct access to service providers and to other companies and organisations that hold sensitive data on many of the people its customers might be interested in.
While obtaining full copies of mailbox or social media account communications is one of the group's primary offerings, its services extend well beyond that to highly sensitive personal data that could expose victims to extortion, identity theft and espionage, and even put their lives in danger.
Some of the data types sold by the group include information on:
- Russian and foreign passports
- Marriage certificates
- N1 forms
- Purchased travel tickets where a passport is needed (train, bus, airlines and ferries)
- Border crossing information on individuals
- Data on passengers arriving at Russian airports
- Interpol records; criminal records
- Migrant permits
- Weapon registration information
- Traffic records and camera shots
- Tax service records
- Cadastral information
- Pension fund records
Most of this data is focused on Russia, which suggests the attackers have access to many sources of federal and local government information. How such access or data has been obtained is unclear; it could range from bribing employees of those institutions to compromising the employees, or the institutions themselves, that hold access to such data.
The group also offers access to bank account information including account balances, account statements, payment card registration data and primary phone numbers associated with bank accounts.
Void Balaur also has access to highly sensitive telecommunication data such as SMS and phone call records with or without cell tower locations, the active location of phones or SIM cards, and maps where calls were made from.
"Knowledge of these details could serve several purposes, including committing serious crimes," the Trend Micro researchers said. Furthermore, blocking phone numbers, a service that Void Balaur also offers, can help facilitate serious crimes -- for example, by ensuring that someone is unreachable by phone while the crime is taking place.
"The price for getting phone call records with or without cell tower information varies a lot between different Russian providers, up to about a factor of ten. Apparently, getting phone records from some telecom companies is much easier than from others."
Many of the group's targets and data sources are focused on Russia and countries in Russia's sphere of influence (the Commonwealth of Independent States). However, politicians or individuals working in key positions at companies from the US, Israel, Japan and several European countries have also been identified among the victims.
The group was seen targeting a senior manager at a telecommunications company, a deputy director at a telecom provider, various telecom network engineers in the US, Russia and Israel, the founder of a mobile virtual network operator based in the UK and Russia, a mobile satellite communications operator, a manufacturer of cellular equipment and several radio navigation companies.
Void Balaur seems to possess deep knowledge about how telecom networks operate, which is evident from the data it's able to offer. It also offers copies of mailboxes from certain email service providers "without user interaction," which means without credential theft through phishing.
As with the telecom networks, the fact that the group can obtain mailboxes without user interaction could suggest a higher level of access into these service providers, the majority of which are based in Russia.
While the location of the Void Balaur members is not known, they clearly speak Russian, since most of their data sources and victims are from Russia or Russian-speaking countries. Their working hours during the campaigns observed by Trend Micro overlap well with regular working hours in the Eastern European and western Russian time zones.
It is not common for cyber criminals from the CIS region to target companies and individuals from the region they live in. Malware originating in the region often has checks to avoid computers with the location or language set to Russian, so as not to attract the attention of local law enforcement.
The Void Balaur members were seen expressing such concerns after online investigations website Bellingcat used Russian telecom records and flight information data acquired from the same underground forum where the group sells its services to establish potential links between the movement of FSB agents specialised in chemical weapons and the poisoning of Russian opposition leader Alexey Navalny.
The group was concerned that the use of its data for such investigations would have a negative impact on its business.
Long-term campaigns and political targeting
There is evidence to suggest that Void Balaur also caters to government actors. The Trend Micro researchers believe with medium confidence that Void Balaur is responsible for the attacks against journalists and human-rights activists in Uzbekistan that were documented by eQualitie in 2019 and Amnesty International in 2020.
The group has also targeted politicians from various countries including Uzbekistan, Belarus, Ukraine, Slovakia, Russia, Kazakhstan, Armenia, Norway, France and Italy. The targets included diplomats, ministers, members of parliament and even the former head of an intelligence agency.
Some of these were long-term campaigns that saw the targets and sometimes their immediate family members attacked multiple times. Sometimes the scope of the attacks extended beyond just the internet and some of the victims felt so threatened that they left their home countries.
"While Void Balaur advertises in underground forums where criminals gather to do business, its services are not only used for typical cyber crime but for political reasons as well," the Trend Micro researchers said.
"This shows that Void Balaur is knowingly or unknowingly facilitating attacks in which human rights may be violated, a pattern we have also seen in a couple of other campaigns. A significant part of these campaigns looks like the work of an APT attacker with long-term goals."
Trend Micro has also observed attacks by the group against more than 25 journalists and media organisations, but it believes the actual number of targeted journalists to be higher.
Even attacks that are financially motivated can be long-term APT-style campaigns. Void Balaur is known to frequently target cryptocurrency accounts, but the group's attacks against one cryptocurrency exchange have spanned several years and targeted both customers and executives through their work and private emails. One of the exchange's employees was even kidnapped for ransom in the past, although it is not clear whether this is connected to Void Balaur's activities.
Between September 2020 and August 2021, the group engaged in a sustained campaign against companies from one of the most successful Russian commercial conglomerates, targeting board members, directors, executives and their family members.
In its search for access to large sources of sensitive data Void Balaur has targeted organisations and individuals in the following sectors:
- Mobile and core telco companies
- Cellular equipment vendors
- Radio and satellite communication companies
- ATM machine vendors
- Point-of-sale (POS) system vendors
- Fintech companies and banks
- Business aviation companies
- Medical insurance organisations
- In vitro fertilisation (IVF) clinics
- Biotechnology companies that offer genetic testing services
While the researchers believe Void Balaur is a group that operates independently, they have observed clear overlap in target selection with Pawn Storm, also known as Fancy Bear or APT28. Pawn Storm is believed to be the cyber espionage unit of Russia's foreign intelligence agency, the GRU.
For example, religious leaders, diplomats and journalists targeted by Pawn Storm in the past have also been targeted by Void Balaur. The cyber mercenary group has a much larger and more diverse pool of targets than Pawn Storm, which has been mainly focused on espionage, geopolitics and the military, so the overlap could be a coincidence: certain individuals make interesting targets for different parties at different times because of the nature of their work.
Information stealing malware
In addition to highly targeted phishing, Void Balaur is known to use two malware programs called Z*Stealer and DroidWatcher. Z*Stealer is a Windows Trojan designed to steal stored credentials from applications including instant messaging software, FTP clients, email clients, VNC and RDP remote desktop clients, browsers and local cryptocurrency wallets.
DroidWatcher is an off-the-shelf Android Trojan that can steal SMS messages and call logs, record phone calls, take screenshots and record GPS position periodically, and spy on messaging applications like VK or WhatsApp. The version used by Void Balaur was expanded to better hide itself through rooting exploits and anti-VM mechanisms and supports additional command-and-control and data exfiltration channels including XMPP, Websockets and Twitter.
Defending against Void Balaur
Defending against highly skilled and motivated attackers like government-sponsored cyber espionage groups has never been easy. It requires a high level of security awareness, technical knowledge, and the dedication to use a variety of tools and access controls across one's entire online presence.
Unfortunately, cyber mercenary groups like Void Balaur that offer their services publicly to anyone willing to pay make sophisticated attacks and privacy-invading data leaks affordable to malicious actors who otherwise would not have access to such capabilities.
Considering the wealth of information and the deep level of access to telecom companies, online service providers and government databases that Void Balaur has, it is hard to imagine how private individuals could effectively prevent the theft of their sensitive information and communications. Cyber mercenaries are not only criminal groups like Void Balaur, but also companies that develop and sell offensive tools that are often misused.
Earlier this month, the US Department of Commerce blacklisted two Israeli companies that sell commercial spyware to government and law enforcement agencies, saying their tools "enabled foreign governments to conduct transnational repression, which is the practice of authoritarian governments targeting dissidents, journalists and activists outside of their sovereign borders to silence dissent."
"The reality is that regular internet users cannot easily deter a determined cyber mercenary," the Trend Micro researchers said. "More than once, media outlets have reported on advanced offensive tools in a cyber mercenary’s arsenal being used against journalists and human rights activists.
Some of these tools include so-called zero-click zero-day exploits, which do not require any user interaction to infect the target with malware. While these tools might be meant to be used in the fight against terrorism and organised crime, the reality is that they -- knowingly or unknowingly -- end up in the hands of threat actors who use them against unwitting targets."