Cybersecurity: This prolific hacker-for-hire operation has targeted thousands of victims around the world

Cybersecurity researchers at Trend Micro lift the lid on Void Balaur, a financially motivated cyber-crime group that has targeted politicians, journalists, human rights activists, medical professionals and others since 2015.
Written by Danny Palmer, Senior Writer

A hacker-for-hire operation offered by cyber mercenaries has targeted thousands of individuals and organisations around the world, in a prolific campaign of financially driven attacks that have been ongoing since 2015.

Human rights activists, journalists, politicians, telecommunications engineers and medical doctors are among those who have been targeted by the group, which has been detailed by cybersecurity researchers at Trend Micro. They've dubbed it Void Balaur, after a multi-headed creature from Slavic folklore.

The cyber-mercenary group has been advertising its services on Russian-language forums since 2018. The key services offered are breaking into email and social media accounts, as well as stealing and selling sensitive personal and financial information. The attacks will also occasionally drop information-stealing malware onto devices used by victims.

See also: A winning strategy for cybersecurity (ZDNet special report).

It doesn't appear to matter who the targets are -- as long as those behind the attacks get paid by their contractors. Only a handful of campaigns are run at any one time, but those that are being run command the full attention of Void Balaur for the duration. 

"There will just be a dozen targets a day, usually less. But those targets are high-profile targets -- we found government ministers, members of parliaments, a lot of people from the media and a lot of medical doctors," Feike Hacquebord, senior threat researcher for Trend Micro told ZDNet, speaking ahead of the research being presented at Black Hat Europe.

Some of those targeted include the former head of intelligence and five active members of the government in an unspecified European country.

The individuals and organisations being targeted are spread around the world, spanning North America, Europe, Russia, India and more. Many of the attacks appear to be politically motivated, carried out against people in countries where, if exposed, the victim could have their human rights violated by governments. 

Like other malicious hacking campaigns, the entry point of many Void Balaur campaigns is phishing emails, which are tailored towards the chosen victim. However, the group also claims to offer the ability to gain access to some email accounts without any user interaction at all, offering this service at a premium rate compared with other attacks.

The service relates to several Russian email providers and the research paper notes: "We have no reason to believe that it is not a real business offering".

Some of the campaigns go on for extended periods of time. For example, one targeting an unspecified large conglomerate in Russia was active from at least September 2020 to August 2021 and didn't just target the owner of the businesses, but also their family members, and senior members of all the companies under the same corporate umbrella.

"There's a set of companies owned by one person and his family members were targeted, the CEOs of the companies were being targeted and that all happens over more than one year," said Hacquebord.

The hackers-for-hire target a wide range of victims in many industries at the behest of whoever is hiring their illicit services -- but the key theme is that the targets are almost all organisations and individuals who have access to large amounts of sensitive data.

For example, one campaign has targeted at least 60 IVF doctors. There's a lot of sensitive information involved in healthcare, but there's also a lot of money exchanged, so it's possible the end goal of this particular Void Balaur contract was personal data, financial data, or both.

See also: Don't want to get hacked? Then avoid these three 'exceptionally dangerous' cybersecurity mistakes.

Another campaign targeted senior engineers working for mobile phone companies, predominantly in Russia, but there were also targets in the West. These individuals would be useful to compromise for cyber-espionage campaigns.

"If you're able to compromise these engineers, you might be able to get a foothold in the company. You see the same for banks and fintech -- key people are being targeted. These people have a lot of access to information, it matches the offerings of Void Balaur," said Hacquebord.

Researchers haven't attributed Void Balaur to any one particular country or region, but note that the attackers work long hours, starting around 6am GMT and going through until 7pm GMT. Those working for the group seem to be active seven days a week and rarely take holidays – potentially indicating the vast demand for their services.

"Cyber mercenaries is an unfortunate consequence of today's vast cybercrime economy," said Hacquebord

"Given the insatiable demand for their services and harbouring of some actors by nation-states, they're unlikely to go away anytime soon. The best form of defence is to raise industry awareness of the threat in reports like this one and encourage best practice cybersecurity to help thwart their efforts," he added.

In order to protect against hacking campaigns by cyber mercenaries and other malicious cybercriminals, researchers at Trend Micro recommend using multi-factor authentication to protect email and social media accounts -- and to use an app or physical key rather than a one-time SMS passcode, which could be exploited by attackers.

It's also recommended that people use email services from a reputable provider with high privacy standards and that encryption should be used for as many communications as possible.

More on cybersecurity

Editorial standards