An extensive cyber-espionage operation by a hacker-for-hire group that uses phishing, social engineering, malicious apps, custom malware and zero-day attacks has been secretly targeting governments, private industry and individuals for years in what's described as a diverse, patient and elusive hacking enterprise.
Dubbed Bahamut, the mercenary hacking group has been carrying out extensive operations against targets around the world in multi-pronged attacks that have been detailed by cybersecurity researchers at BlackBerry. The campaigns appear to have been operating since at least 2016.
"The sophistication and sheer scope of malicious activity that our team was able to link to Bahamut is staggering," said Eric Milam, VP of research operations at BlackBerry.
"Not only is the group responsible for a variety of unsolved cases that have plagued researchers for years, but we also discovered that Bahamut is behind a number of extremely targeted and elaborate phishing and credential harvesting campaigns, hundreds of new Windows malware samples, use of zero-day exploits, anti-forensic AV evasion tactics, and more."
Bahamut's ability to call upon zero-day exploits – software vulnerabilities that are unknown to the vendor of the product – puts it up there with some of the most powerful hacking operations around.
However, BlackBerry researchers note that malware is often only a last resort for Bahamut, because malware can leave evidence of attacks behind. The group prefers to use social engineering and phishing attacks as its primary means of secretly breaching the network of a target organisation with the aid of stolen credentials.
In some cases, Bahamut has been known to observe targets for a year or more before finally striking at what's perceived to be the best time.
One of the ways Bahamut has been compromising targets is with a network of fake, but painstakingly well-crafted websites, applications and even entire personas. All of this is tailored to potential targets, to gain a better idea of what sort of news stories they're interested in – and might click links about – so that a phishing or malware attack can eventually be served up.
For example, in one case Bahamut took over the real domain for what was once a real technology and information security website and used it to push out articles on geopolitics, research and industry news, complete with author profiles. While the authors used fake personas, they used pictures of real journalists.
Such was the convincing nature of the specially crafted websites, an article from one of them was featured as a legitimate source in an industry news alert by Ireland's National Cyber Security Centre in 2019.
In addition to malware and social engineering, Bahamut also uses malicious mobile applications for both iPhone and Android users. The apps came with official-looking websites and privacy policies, helping them look legitimate to both users and app stores. In each case, the apps were custom designed to appeal to certain groups and users of a certain language.
By installing one of the malicious apps – the full list of which is detailed in the BlackBerry paper – the user is installing a backdoor into their device that the attackers can use to monitor all of the victim's activity: reading their messages, listening to their calls, tracking their location and carrying out other espionage activity.
Researchers note that while the apps are well designed and stealthy, analysis of how they're configured means they can be traced back to Bahamut – because while the hacker-for-hire group is extremely sophisticated, the people doing the work are still capable of making errors.
"For a group that historically set themselves apart by employing above average operational security and extremely skilled technical capabilities, Bahamut operators are, at the end of the day, still human. While their mistakes have been few, they have also proven devastating. BlackBerry found that the idiom 'old habits die hard' applies to even the most advanced of threat groups," said the report.
Bahamut is believed to still be attempting to conduct active campaigns and the mercenary nature of the group means that potentially any high-profile organisation or individual could end up a target. BlackBerry says it has attempted to alert as many of the individual, government and corporate targets of Bahamut as possible.