At CyberWarCon on Tuesday, Reuters reporters Christopher Bing and Raphael Satter presented new details into an ongoing investigation into hack-and-leak-as-a-service being offered by Indian and Gulf-state businesses, often to clients looking to impact private sector civil litigation.
Hack-and-leak operations are often associated with nation-states, such as Russia's leak of Democratic Party officials' emails to interfere with the 2016 election. But it is not just nations who can value from controlling media narratives.
In fact, said Bing and Satter, after conducting hundreds of interviews with victims, obtaining leaked files and conducting extensive research, several non-governmental groups are leveraging commercial hacking services to damage their rivals.
"Over the course of the last two years or so, we've interviewed over 300 people that are in this camp and asked the question: 'What was happening in your life when you were targeted by these hackers? What does this email mean to you because this particular subject line?" And over and over and over again, they described it they were in the middle of the litigation at the time that happened," said Bing.
Over the course of their investigations, Bing and Satter have obtained an 80,000-record archive of attacks from one commercial service involved in hack-and-leak-for-hire, giving them unprecedented visibility into how one firm conducts its campaigns. The records were provided from a service provider working with that contractor.
Satter and Bing found that the clients of the firms involved in hack-and-leak-for-hire tend to come either from the West or Gulf states. Victims are concentrated in the U.S. and Europe, with a second tier of targets in South America.
Many of the companies offering services operated IT security firms as a legitimate cover, including BellTroX, who were identified last year as a hack-for-hire firm by Citizen Lab at the University of Toronto. And many of the companies, including BellTroX, had connections to Allin Security, said Bing and Satter, which was first accused of being a hack-for-hire group in 2013.
The hack-and-leak-as-a-service firms (HALaaS) are not particularly strong at operational security, and have been tied to illicit code dumps in the past. Bing and Satter traced the firms to their advertisements in investigator forums, where the HALaaS operators advertised as legitimate litigation assistance services. Several former employees of those firms had resumes on LinkedIn and job sites that mentioned email interception and other hacking job experience.
The leaking component of the operation involves dumping access to files and emails onto anonymous WordPress sites which can then be leveraged by other groups. In one prominent case mentioned by the Reuters reporters, a victim was sued for the contents of their emails only a month after the emails were leaked.
Victims, their friends, lawyers and families, face a full-court press of well-formatted phishing emails to gain access.
It appears from the documents that the cost of these campaigns can be as high as $1 million.
The reporters ended their talk challenging researchers to consider private actors in attributions for traditionally nation-state-oriented activities.
"We want to turn it over to the audience because when you guys discover [the next operation] down the line, I don't just want to you to say, oh, you know, it's Russia, or North Korea or or even India," said Satter.
