Threat Intelligence

10/7/2020
06:00 PM
'Bahamut' Threat Group Targets Government & Industry in Middle East

Researchers say the cyber espionage group was involved in several attacks against government officials and businesses in the Middle East and South Asia.

A hack-for-hire cyberespionage group named Bahamut is conducting advanced attacks against government officials and organizations using sophisticated credential-harvesting and phishing campaigns, new Windows malware samples, zero-day exploits, and other techniques.

BlackBerry researchers who have been tracking Bahamut say the group is politically motivated and has a wide range of targets. The group has historically targeted people and entities in South Asia, particularly India and Pakistan, as well as the Middle East, primarily the UAE and Qatar. Its interests remain concentrated in South Asia and the Persian Gulf, researchers report.

In its latest writeup, the BlackBerry team builds on research published in 2018 that references a group called "The White Company," explains vice president of research operations Eric Milam. Through this, they were able to connect more dots and add previous findings from other researchers who have tracked the group's activity. Bahamut, named by researchers with the open source intelligence site Bellingcat, has also been called "Ehdevel," "Windshift," and "Urpage."

Despite its range of targets and attacks, a lack of discernible pattern or unifying motive leads researchers to believe Bahamut is likely acting as hack-for-hire operators. They believe the group has access to one zero-day developer and has leveraged zero-day exploits against multiple targets, "reflecting a skill-level well beyond most other known threat actor groups," researchers state in their report.

"Bahamut executed highly disparate targeting across a number of verticals and geographic regions, [which] suggests a mercenary, hack-for-hire group acting in the interest of multiple sponsors," says Milam. The varied nature of its activity indicates the group is likely for profit; some findings indicate it has dabbled in India's private corporate intelligence market, he says.

While Bahamut's activity in the Middle East has targeted private businesses and individuals, most of its attacks are aimed at government. In Saudi Arabia it went after seven different ministries and other agencies, with a focus on monetary and financial policy. It also targeted the Emirates, Qatar, Bahrain, and Kuwait, with an emphasis on foreign policy and defense.

BlackBerry did not list most of Bahamut's targets by name, though it provided a general list that includes Middle East human rights activists, the Saudi Minister of Energy, Union of Arab Banks, journalists and foreign press in Egypt, Saudi Aramco, and Turkish government officials. 

While attribution is difficult, BlackBerry believes Bahamut is located close to the regions it operates against. Its targets include people, businesses, government agencies, human rights groups, and political groups in South Asia and the Gulf, as well as in Europe, Africa, and China.

Inside Bahamut's Advanced Attacks

The group tailored its attacks for each target depending on the victim's preferred operating system and communication medium, Milam says. Its techniques depended on who it was trying to phish. Government officials, for example, were approached through their personal email before attackers tried to hack their work accounts.

"Their tradecraft is exceptional, meaning they truly have planned out each step and understand their capabilities and their targets," Milam says.

Phishing and credential harvesting are aimed at precise targets and fueled by a robust reconnaissance operation. Researchers discovered phishing attempts designed to spoof government agency logins, private email accounts, and account portals from Microsoft Live, Gmail, Apple ID, Yahoo!, Twitter, Facebook, Telegram, OneDrive, and ProtonMail.

Its spear-phishing operations ranged from a few hours to multiple months, depending on the success rates. This rate of change makes real-time detection "all but impossible," researchers state in their report. Bahamut learns from its mistakes: The group monitors for information published about them in the security community. When exposed, it changes its strategy quickly.

The attackers' operational security makes them difficult to track, Milam continues. The group's phishing and malware infrastructure is kept separate and changed weekly – sometimes daily. It's known to reuse the tools and infrastructure of other APT groups and builds anti-analysis features into its exploits and shellcode.

Bahamut often uses publicly available malware, which also impedes attribution efforts, but Milam notes it mostly uses malware as a last resort. Malware can signal an attacker is in the network; the longer malware is on a system, the higher its chances of being detected.

"The attackers were often able to achieve what they wanted [get information] via legitimate credentials for online services," Milam says. "Once they had access to primary email accounts, they could generally watch and gain access to other systems or online portals of interest."

Fake Apps and Fake News

Bahamut's attacks in the Middle East take a broader approach with malicious mobile apps, which researchers say appear to be designed for general audiences. Fake apps targeting South Asia, however, were mostly politically themed and targeted groups such as Sikhs for Justice.

BlackBerry's research uncovered nine malicious iOS applications and several Android apps that experts attribute to the group based on configuration and unique network service fingerprints. The apps came with websites, privacy policies, and terms of service – all things attackers typically overlook – that researchers say helped bypass Apple's and Google's security defenses.

Several of these Android apps were built by different developers. They included an app for recording phone calls, music players, a video player, and an app for notifying Muslims of prayer times during Ramadan. Bahamut used several of its own websites to distribute malicious apps.

Researchers found the apps they investigated were intended for targets in the UAE, as their downloads were restricted to the Emirates. Further, Ramadan-themed apps, as well as those invoking the Sikh separatist movement, indicate intent to target political and religious groups.

Bahamut uses carefully crafted websites to distribute fraudulent news. In one case, attackers took over a cybersecurity website and published articles about research, geopolitics, and news about other hacking groups. This website posted a list of contributors that were fake but used names and photos belonging to real reporters. Some of its fake websites tried to boost their legitimacy with connected social media accounts.

In many cases, targets who visited Bahamut's websites would read original content – no malware, phishing, or malicious links. The operation was designed to tailor websites to their victims' interests and, in doing so, make them appear as real as possible. Bahamut's best interest, the researchers say, was to lure targets into its "vast fake empire."

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...