Darknet Diaries - 79: Dark Basin
Episode Date: November 24, 2020
What do you do when you find yourself the target of a massive hacking campaign, and you are getting thousands of phishing emails and someone following you in your car? You might turn to Citizen Lab, who has the ability to research who is behind this and help bring the hackers to justice.
Our guests this episode are Adam Hulcoop and John Scott-Railton of Citizen Lab. This episode also has an interview with Matthew Earl of Shadowfall.
Sponsors
Support for this show comes from LastPass by LogMeIn. LastPass is a great password manager, but it can do so much more. It can set up 2FA for your company, or you can use it to monitor what your users are doing in the network. Visit LastPass.com/Darknet to start your 14-day free trial.
Support for this show comes from Blinkist. They offer thousands of condensed non-fiction books, so you can get through books in about 15 minutes. Check out Blinkist.com/DARKNET to start your 7-day free trial and get 25% off when you sign up.
Transcript
Good versus evil.
This is something I think about a lot.
And I've come to the conclusion that it's not a fair fight.
The good team has virtues, such as ethics and morals, and tries to do what's right.
But the evil team, by definition, lacks virtues.
They have no problem breaking the law or playing dirty to complete their objectives.
But the good team will uphold the law.
And so if you have an evil hacker in the
world, they're not going to play fair or with morals to accomplish their mission. They're going
to deceive, lie, cheat, threaten, break laws, and be reckless. It doesn't matter what it takes for
them to be successful. And the hackers on the good team don't do that stuff. They're accountable, responsible, honest, considerate,
and strive to have excellence in all that they do. And to me, this means it's not a fair fight.
One side fights dirty and acts in bad faith and can't be trusted, while the other can't fight
like that, since their hands are tied to morals and integrity. But as you get into the weeds, it's
so hard to figure out who's good and who's evil, and what's right and what's wrong. Sometimes you
have to break the law to do what's right. Sometimes good people just don't know they're breaking the
law, because there's so many stupid laws out there that just should be removed. And sometimes there's
good people with good intentions, but their actions have horrible
consequences. There's also people who seem to be evil, but they're just misunderstood. What they're
doing might be controversial or really hard, but they know someone has to do it to make the world
right. But with all that said, I still believe this story is about how a bad company hired an evil group to hack into good people.
These are true stories from the dark side of the internet.
I'm Jack Rhysider.
This is Darknet Diaries.
This episode is sponsored by Delete.me.
I know a bit too much about how scam callers work.
They'll use anything they can find about you online to try to get at your money.
And our personal information is all over the place online.
Phone numbers, addresses, family members, where you work, what kind of car you drive.
It's endless.
And it's not a fair fight.
But I realize I don't need to be fighting this alone anymore.
Now I use the help of Delete.me. Delete.me is a subscription service that finds and removes personal information from hundreds of data brokers' websites
and continuously works to keep it off.
Data brokers hate them because Delete.me makes sure your personal profile is no longer theirs to sell.
I tried it and they immediately got busy scouring the internet for my name and gave me reports on what they found.
And then they got busy deleting things.
It was great to have someone on my team when it comes to my privacy.
Take control of your data and keep your private life private by signing up for Delete Me.
Now at a special discount for Darknet Diaries listeners.
Today, get 20% off your Delete Me plan when you go to joindeleteme.com
slash darknetdiaries and use promo code darknet at checkout. The only way to get 20% off is to go to joindeleteme.com
and enter code darknet at checkout.
That's joindeleteme.com and use code darknet.
Support for this show comes from Black Hills Information Security. This is a company that does penetration testing... sure they can help. But the founder of the company, John Strand, is a teacher, and he's made it a
mission to make Black Hills Information Security world-class in security training. You can learn
things like penetration testing, securing the cloud, breaching the cloud, digital forensics,
and so much more. But get this, the whole thing is pay what you can. Black Hills believes that
great intro security classes do not need to be expensive, and they are trying to break down barriers to get more people into the security field.
And if you decide to pay over $195, you get six months access to the MetaCTF Cyber Range,
which is great for practicing your skills and showing them off to potential employers.
Head on over to BlackHillsInfosec.com to learn more about what services they offer
and find links to their webcasts to get some world-class training.
That's Black Hills, I-N-F-O-S-E-C.com.
Blackhillsinfosec.com.
So I'm recording this call to use on the podcast Darknet Diaries.
That's all right with you, correct?
Yes, that's fine.
All right.
So let's start with what's your name and what's your title? My name is Matthew Earl. I'm the managing partner of Shadowfall Capital and Research. And what is this Shadowfall? So we are a short-focused firm that looks into companies that are listed that we think are either using aggressive accounting, sometimes that's possibly fraudulent practices or unethical conduct by management, or it might be... So I've never heard of a short-focused firm before and
had to spend some time figuring this out. But basically what Matt does is he looks for companies
that are about to tank in the stock
market and then short that stock, which means if their stock price goes down, Matthew makes money.
And as a short seller, he's got to do his homework into which companies are ripe to be shorted.
Back in 2015, Matthew started watching a German payment company called Wirecard AG. They'd announced that they were going to buy
an Indian company for over 300 million euros, which just didn't seem right. And when I looked
at that acquisition, it didn't look as though it was worth 340 million euros. And so I thought,
that's kind of interesting. And I'll dig a bit more into this company. Matthew was interested because an overvalued buy might mean that Wirecard was misrepresenting
themselves or mismanaging their money or doing something wrong, which makes it a good target
to short the stocks.
As he looked into things, it became obvious.
Oh, this looks like a classic accounting fraud.
To add to that, Wirecard also had a checkered past.
As I looked into the history of the company, there were allegations that had been raised in the past against it, that it was embroiled in money laundering.
These allegations went back a couple years.
German prosecutors investigated Wirecard about money laundering connections to online gambling in the U.S.
They even raided Wirecard's offices,
but didn't come up with anything. Wirecard insisted they weren't doing anything wrong,
but Matthew wasn't convinced. And then when I conducted more research into the company,
I worked out that it seemed as though they'd set up an entire structure, a network of companies
that were used for money laundering purposes.
At this point, Matthew invests in shorting Wirecard, believing that this company's stocks
are going to go down once the truth catches up with the company. He also felt that authorities
and the public needed to know about this, but he wanted to protect himself from backlash.
So he published under an alias, Zatara Research. The report dropped on February
2016. It alleged that Wirecard was deceiving its shareholders, was tied up in money laundering,
and had defrauded Visa and MasterCard. Wirecard didn't like these accusations and pushed back,
saying Zatara's claims were baseless. At this point, things took a bad turn for Matthew Earl, because in the following months, his Zatara cover got blown.
In December, a document was spread around online
accusing him of criminal insider trading and market manipulation.
It was extremely concerning because obviously very serious allegations
were within the document, again, accusing me of being a criminal,
of falsifying all the research, of being in, colluding with journalists.
Even worse, the document had creepy surveillance photos of Matthew.
There were pictures taken of my house, of myself opening the front door. And it was very clear from
those pictures that the photographs had been taken not in the
winter months of December, but they'd been taken in the summer months. Someone had been watching
Matthew for months, but he was just finding out about it now. This put him on high alert. It
wasn't much later that he noticed a strange car parked on his street. He lived in a cul-de-sac
with only a few houses, so it was easy to spot something out
of place. And suddenly I saw a black Mercedes coupe that parked outside, and there were a couple
of guys that were looking around, and it just seemed unusual. As it happens, because it seemed
so unusual, I took a photo of it, of the vehicle and the license plate, and it was around nine
o'clock in the morning. I was going into London later that day, and as I was driving up to the station, I noticed that that vehicle suddenly appeared. And so I realized that there'd been, there was a car following me. Not quite certain, but then as I got out the car to go to the station, I'd realized I'd left my wallet at home. So I turned around, and this black Mercedes coupe,
I think he expected me to turn around.
He just kind of froze and was staring at me.
And it was quite obvious that I was being followed at that point.
So I just went straight home.
And I noticed then when I got home that there was another car
where there was a guy sat in there with a camera taking photos as well.
Whoa, this is like a movie.
Matthew called the cops and said to send someone by.
Matthew also called his lawyer, who offered to send an ex-Special Forces guy to come protect Matthew.
But Matthew turned him down.
He wasn't excited that people were watching his house and his family, but he didn't feel like bodily harm was coming his way.
It was just a very odd few days.
And it got weirder.
A couple of days later, two men from an investigative agency called Kroll showed up at his door.
They asked me, they said, are you Matthew Earl?
I said, yes.
They said, you've got a strong interest in Wirecard, haven't you?
I said, well, I've written on the company.
They said, yes, but would you like to talk to us about it? And they were quite sinister and quite creepy,
in fact. Matthew didn't want to talk to them about anything. And the two men let him know that they
were there on behalf of Wirecard and gave him a letter. It was from Jones Day, a law firm
representing Wirecard. Matthew says the letter accused him of collusion, conspiracy,
defamation, libel, and market manipulation. And that was just the beginning. The surveillance
and threatening letters continued for months. With the sinister nature of the surveillance,
what's their ultimate intention? Is it to intimidate just from a distance, or is it
to go further beyond that, I guess? Because I can tell you, it's not nice having vehicles parked outside your house
and being followed to the station.
When I drove out with my children in the car, there were vehicles following me then.
We had to have the school have passwords put out with the school
so that when we collected the children from the school,
that those passwords had to be given
so that no strangers could take them. Had to have the police round. They took it so seriously with
the surveillance that our home line was put on rapid response. So if we were to dial 999,
your equivalent of 911, and even just hung up, then the police would automatically send a response vehicle around. It was pretty stressful and frightening, certainly for the first couple of weeks.
So what was the worst part of all this for you?
I think it was the uncertainty as to what they would do,
because obviously they'd gone to the lengths to put me under surveillance, to try to discredit myself.
So it was, well, would they be satisfied with that or would there be anything else that they would, would there be any physical danger?
On top of everything, Matthew started getting these suspicious emails.
They were relentless and they came thick and fast.
I mean, ultimately over, I guess, three years, I received well over 3,000 emails.
He could always tell that there was something a little bit off about these emails,
but they were put together in a pretty convincing way.
He got emails with links that looked like they came from his sister.
He'd get a Dropbox link that supposedly came from his friends and family.
And he'd get links to news articles about Wirecard.
It was astonishing just how much information and detail they had
in order to craft these emails that they were sending to me.
Which surprised Matthew because he didn't feel like he had much of a social media presence. He was on Twitter but didn't have Facebook or LinkedIn. Whoever was sending these emails clearly had an understanding as to what subject matters I was interested in, who my friends were,
who my family were. There were so many emails coming in. At one point Matthew was worried that
one of his kids might pick up his phone and play a game and accidentally click on a suspicious link.
It was horrible, very stressful.
And then ultimately, as time passed, it just became very frustrating because you'd think, well, why won't they ever stop?
Just give it a rest, won't they?
And they didn't. That was the thing.
Matthew believes that somehow he didn't click on any of the bad links.
But who was sending these to him?
He knew the Kroll investigators and Jones Day were with Wirecard,
but were these emails from them too?
Matthew showed them to his lawyer.
They were amazed.
They said that the level of sophistication within the emails
was something they thought could almost be state-sponsored.
I mean, they said it was just unbelievable.
It turns out Matthew wasn't the only person on the receiving end of these relentless hacking attempts.
A journalist who had also written about Wirecard was getting these weird emails too.
Matthew told this journalist he's getting the same emails and asked what to do.
And the journalist suggested Matthew send the emails to Citizen Lab in Toronto, Canada.
In the spring of 2017, Matthew got in contact with Citizen Lab and started showing his emails to them.
And by this point, Citizen Lab already had quite a case built on who might be sending these emails.
So I called the researchers at Citizen Lab to get the
story. I'm John Scott-Railton. I'm a senior researcher at the Citizen Lab at the University of Toronto's Munk School. And with me is... And I'm Adam Hulcoop, a research fellow at the Citizen Lab.
Citizen Lab is all about protecting free expression, transparency, and accountability
on the internet. They put a real emphasis on helping defend human rights organizations
and other groups from cyber attacks,
people that might not be able to defend themselves.
John says the primary focus is to understand digital threats against civil society.
So this is like threats against journalists and human rights defenders,
opposition politicians, and so on.
And a big focus of our work is that these groups face the same kind of threats
that are also pointed against governments and industry,
but they usually can't pay for security.
In my mind, you're superheroes because there are people who are desperately in need of help,
and you're just going to help them free of charge.
It's amazing what you do.
It's absolutely an area of need.
You'd be amazed at how many organizations are doing really important work around the globe, but are not really equipped
to protect themselves. They're too busy protecting others. That's what made Matthew Earl a good fit
with Citizen Lab. He was just one guy up against whoever was bombarding him with emails. Citizen
Lab was able to step in and help. Adam says their work is rooted in open source intelligence,
or OSINT. What is your, what is, I mean, are you a forensics person, a threat intelligence? Like, how do you know these techniques? I mean, I think that's just sort of the study of, you know, computer forensics, of these hacking techniques, as we've been doing this year over year. And, you know, these are the things you learn. These are the techniques and tricks and investigative steps that you learn
and you share in your community of investigators and with your peers.
Citizen Lab takes their work seriously.
Their research is evidence-based, they're ethical,
and work with the victims to compile evidence and build cases.
They rely on victims sending them suspicious emails or infected machines
and also on publicly available data when building a case.
Citizen Lab's investigation into the hacking group began a bit before they heard from Matthew Earl; a Reuters journalist writing about Wirecard was the first to tip them off.
Someone sent us a ping saying, hey, you know, something weird. I've gotten these strange set of emails and, you know,
something seems wrong. Can you guys take a look at this? John and Adam said it looked like a somewhat convincing phishing email. So this phishing email that you first got, how good was
it? Was it like really good to the point where you would have been tricked or the average person
would have been tricked to clicking it? Or was it kind of lame? I would say it was like the kind of
phishing email
that winds up being statistically effective
against a certain percentage of any basic users.
I mean, Adam, what do you think?
Yeah, it was very convincing.
I would say the majority of the examples that we examined,
they really were copies of notification messages
that everybody gets throughout the course of using, you know, the internet and communicating with friends and family.
So these emails were meticulously crafted specifically for the target victims.
That much was certain. And it seemed like all of the victims were involved with
researching Wirecard and exposing Wirecard. So the question was, were the hackers within... We'll try to answer those questions after the break. Stay with us.
This episode is sponsored by SpyCloud. With major breaches and cyber attacks making the news daily,
taking action on your company's exposure is more important than ever.
I recently visited SpyCloud.com to check my darknet exposure
and was surprised by just how much stolen identity data criminals have at their disposal.
From credentials to cookies to PII.
Knowing what's putting you and your organization at risk
and what to remediate
is critical for protecting you and your users from account takeover, session hijacking,
and ransomware. SpyCloud exists to disrupt cybercrime with a mission to end criminals'
ability to profit from stolen data. With SpyCloud, a leader in identity threat protection,
you're never in the dark about your company's exposure from third-party breaches, successful phishes, or infostealer infections.
Get your free Darknet Exposure Report at spycloud.com slash darknetdiaries.
The website is spycloud.com slash darknetdiaries.
The researchers at Citizen Lab got right to work investigating these emails.
They created a sort of sandbox computer, which let them click the link,
a safe place to allow them to what they call detonate the link to see what happens.
And when they clicked it, it took them to a site which asked for their login credentials.
Adam says the page looked pretty legit.
When you click that link, the phishing
site you land on knows who's coming and they can preload that text and preload that screen to make
it look like, you know, you've already been signed into your Gmail, just reenter your password for us.
And that's the goal, to get you to enter your password. If these hackers could get the password
to the victim's email, they would have access to the email and be able to read what that person
was working on and what they're going to do next. And so that was the intention of these phishing
emails. While John and Adam were looking over these emails, they noticed something about the
phishing links. Here's Adam. We took a look at an email and sure enough in there we found
some suspicious links that were shortened using a URL shortener. And that kind of sparked the investigation.
A good example of a URL shortener is tinyurl or bit.ly.
Basically, what they do is take a really long URL,
something that's hard to type or memorize,
and shorten it into something small and tidy.
And when you click on the shortened URL,
it redirects you to the longer URL automatically.
This makes it easier to share.
But if you're a hacker working with long phishing links,
a URL shortener is a way to hide what the actual URL is.
Because you might be hesitant to click on a website,
which is like in another country or has some weird domain,
but people use bit.ly links all the time.
So it's more common for us to see, and therefore we might click on it.
John and Adam started to dig into these shortened URLs used by this hacking group.
We started to, you know, peel them back and take a look.
Okay, where does this shortened URL come from?
Where was it residing?
Fortunately for Citizen Lab, this hacking group didn't use a commercial shortener like Bitly.
They used shorteners created with open source software.
And this particular software conveniently sequenced each shortened URL, which was an amazing find for Adam.
And as we started to look closely and sort of examine this publicly available URL shortener, we learned that, interestingly, you could enumerate
the different short URLs that were generated by this software. And so that's what we did.
We started enumerating through the different short URLs that were already
created and present, hosted on the same shortener, the same site, if you will.
Enumerating meant they could just add one more number to each URL and
see the phishing URLs that the hacking team was sending out. The link shortener software they were
using was easy to step through every shortened URL that was ever made, which gave Adam and the team
a massive amount of information related to this hacking group. They were starting to collect
enough information on this shady hacker group at this point, and they decided to give them a name. Dark Basin was what Citizen Lab named this hacking
group. And so Adam and John and the team at Citizen Lab began walking through all of the shortened
URLs, saving all of these pages to put in a sort of file that they were building on Dark Basin.
We had to actually create scripts that would do this enumeration for us on a continuous basis.
We would wake up in the morning and just be faced with thousands of new phishing links,
like daily for quite a period of time.
Every day we're waking up to thousands and thousands of new phishing links.
And just this massive pile of information, to me personally, that was very
exciting in the sense that we knew we were onto something very, very big here with that quantity
of sort of attack telemetry. So that was certainly, I would say, from an investigative standpoint,
the highlight to me. It got us very hooked into the investigation and it really made it clear to
us that there's definitely something worth the effort to uncover here. So emails were sent to victims with phishing links
in them, but now Citizen Lab just uncovered a huge amount of those phishing links. They didn't
have the emails, but they could now see all the websites that they were trying to send victims to.
Websites that looked like logins to a victim's account, but really weren't. Suddenly they were able to see how wide this campaign was by looking through thousands of phishing websites and analyzing them.
But they wanted to take this a step further.
Adam had a plan.
As we started to look at more and more of them, we were seeing that the operators of this shortener had sort of encoded the target's email address into that unshortened
URL. And so this is where it really started to unravel. Yeah, it's always a bonus when the
threat actor provides a mechanism for the list of targets. We just crawled all the shorteners
that we could find. First, the ones that we found in this message, and then others that were
linked to it with infrastructure analysis. John and Adam found almost 30 different URL shorteners used by this Dark Basin hacking group.
They kept enumerating and pulling out long URLs, then extracting target emails. They figured they
could look up some of the targets online, try to uncover who these people were in real life.
Maybe this would shed some light on why they'd been targeted
in the first place, which would lead to more clues about who Dark Basin is. Surprisingly,
their target database grew to thousands of email addresses. While one journalist and Matthew Earl
were the victims that came to them with these emails to begin with, the team at Citizen Lab
were uncovering that hundreds of people were actually being targeted by this same Dark Basin hacking group.
And they could see that these hackers were targeting unique victims because email addresses of the victims were in the phishing URLs.
Here's John.
This very quickly gave us the sense of kind of like a massive scope of targeting. And we went through the same analytical dance
that I think most organizations do
when they find like a big threat actor,
which is like, oh, this has got to be Russia, right?
Like we found a government actor for sure
because of all the targets.
Because this was such a big hacking campaign,
it meant that whoever did this
had interests in people all over the world
in many different sectors.
And who would do that?
Possibly a nation state actor.
But you can't just say, oh, it's Russia without evidence. It's a decent theory, but we need proof.
So they kept digging, analyzing the targets, building maps and clusters, like where the
targets were in the world and what kind of businesses do they work for? Like, are they
all journalists or do they all work in tech or something like that? Any commonalities between
targets can help paint this picture, because then you start asking, who would have an interest in hacking people like that?
As we expanded out our digging, it became pretty clear that our targets were not just
sort of the bread and butter of a nation state actor. I just say Russia as an example. But
it wasn't just, you know, energy companies. It wasn't just journalists.
It was like people who appeared to be having like semi-public divorces, random people or people who
owned like, you know, two people who owned like a house building company somewhere. It became pretty
clear that because of the kind of sheer variety of the targeting, it didn't make sense for this to be anything other
than a bunch of different targeting requirements coming from very different kinds of players.
And we began getting the sense like, oh, you know what? This doesn't look like a government.
This looks mercenary. Mercenary. That would mean these hackers are for hire. And a bunch of different people all
over the world have hired this hacker group to carry out different objectives. Because they're
seeing so many random targets, it must mean it's coming from a hacker group who takes random jobs
from random people. This was a pretty good assumption. And sometimes you have to start
with an assumption and work backwards to try to see if there's evidence backing it up. So John and Adam started going in this direction. They wanted to figure out who this
hacking group was, what motivated them, and maybe most important, who was hiring them.
That kind of discovery really shaped how we began approaching it, which is we have to then
understand, okay, there are clusters of targets within here who will all be part of the same package that this group was paid to target.
And so we should take these groups and start engaging them, try to figure out why they might have been targeted, who might be behind it.
This meant doing all that open source intelligence gathering, or OSINT for short.
They'd have to crawl the web and do a digital investigation to figure out who the people were that were being targeted and if they were connected to other Dark Basin targets.
John says it took a lot of work.
A couple of colleagues at the Citizen Lab spent, I don't want to say the best years of their lives,
but they spent a substantial amount of time working with us
to OSINT the shit out of all of these email addresses
to try to figure out who these people were and then to do clustering.
What they were trying to do is figure out
if the targets had anything in common.
Because if they found commonalities,
this could help define who the adversary might be.
As groups of targets started to take shape,
Adam says there was some that bubbled up to the top.
Early in this investigation, I would say,
there was a lot of targeting that was going at these financial clusters
and the short sellers and the people who were investigating Wirecard,
the journalists and so forth.
Basically, everybody who reported on or was critical
of the sort of financial practices of Wirecard
got targeted by this group over years and very extensively. And some of those targets
were in touch with the lab and were helping us track and understand the kinds of things that
were hitting their inboxes. Again, that's the cluster that included that British short seller,
Matthew Earl, and the Reuters journalist who helped kick off this investigation.
But John says there's another clue, which really got Citizen Lab's attention early on.
We do sort of an initial set of clustering.
We've got clusters who are like in the financial sector.
And we've got clusters who are kind of in politics, a lot of international targets.
And then one group really jumps out. And this is a whole bunch of American environmental NGOs with familiar names like Greenpeace and a bunch of others. Some of these other groups that were being phished were people who were involved with the
Rockefeller Family Fund, the Climate Investigation Center, and the Center for International
Environmental Law.
It wasn't immediately clear why they were all connected. There were a lot of them.
And it seemed to be, in some cases, some very specific people who got really heavily targeted.
And there were people who were kind of one step away connected to them. And from what began as just like desk research,
eventually wound up as like, you know, me hopping on a plane and going and meeting with people and
getting groups of people together to try to figure out why on earth they were all being targeted at
the same time. John went to a conference at this point, which was unrelated to this investigation.
I was at a conference and doing the hallway track where you kind of take a break from the sessions and sitting at a little table.
And this guy and a couple of people sit down at a table and people go around to the introductions and he introduces himself.
And I have this holy smoke moment because he was one of the targets.
John was sitting face to face with one of the people he had been investigating for
quite a while, a victim of this phishing campaign. At a large conference like this, it was just sheer
luck to run into this guy. But John didn't want to say anything in front of everyone at this table.
So John got his business card and then called him up later and things really snowballed from there.
It was from that initial connection that I pulled together meetings with these organizations.
One of the first pieces of feedback that came back was like, oh, we knew something was going on.
We had this feeling.
And some of the organizations had kind of like a memory of getting a lot of weird emails.
Some of the people were sort of like, I feel like I'm under attack.
And what linked them all together is that they were all doing advocacy on a campaign called the Exxon Knew campaign.
Guess who knew about climate change decades before most people had even heard of it?
Exxon Mobil, one of the world's biggest oil companies.
They knew this from their own research back in 1977.
Ironic, because now they're one of the leading opponents of climate change science. This Exxon Knew campaign involved a bunch of environmental groups
that alleged that Exxon knew about climate change,
but lied to the public about it.
The gist is that this deception strategy helped Exxon make billions of dollars
while slowing the response to climate change.
Exxon Knew compares to what Big Tobacco did in the 90s,
which was misleading people about the harmful effects of smoking. And for some reason,
all these environmental groups that were against Exxon were getting phished big time and probably
hacked. For John and Adam, their new acquaintances were a way to get more data on Dark Basin.
They coached them up to look for phishing emails past and present
and put them in a timeline of attacks.
One of the most remarkable things that came out of our digging was that there was like
this private email thread that had made its way into the U.S. press and some articles
that were critical of the campaign, ultimately sort of accusing these organizations of somehow
conspiring to make the oil industry look bad. This email thread had an agenda for an early meeting between Exxon Knew organizers.
It included people's names and email addresses in the header.
It outlined a group of goals for delegitimizing Exxon, like divestment and potential media campaigns.
And the leak popped up in the news cycle.
And Exxon also posted it to their website with a bunch of information about Exxon Knew.
They used it as evidence that activists were leveraging the press and public officials to damage the company.
But for John and Adam, the leak was important because of how it matched up with their timeline of Dark Basin phishing against Exxon Knew.
What was fascinating is that when we timelined some of that stuff, some of that, we could say, you know, leak flavored product against the phishing, it became clear that there was
like this big wave of phishing that happened and then stopped right before that leaked
material was made public.
They noticed another wave a few months later.
The New York Attorney General, who had launched a years-long investigation into Exxon,
made a court filing that accused Exxon of misleading investors
about how it accounted for climate change risks.
Dark Basin phishing emails rained down on Exxon Knew members after the filing.
Wirecard and Exxon Knew offered a ton of
circumstantial evidence that showed that the Dark Basin hacking group was trying to hack the people
who were actively exposing these companies' wrongdoing. But John and Adam found that Dark
Basin went way beyond these two stories. Their spread was massive. They hit government officials,
political candidates, financial firms, pharmaceutical companies,
advocacy groups, and smaller targets like divorce cases.
It's alarming how wide their reach was.
But all this data was being collected by Citizen Lab to try to understand who Dark Basin was.
John and Adam had loads of historical data, and they'd regularly get new stuff rolling in.
The trail was never really cold.
There would be a moment where we'd just be like, oh man, we got nothing.
You know, we're no longer, we have all this retrospective stuff, but we can't track them today.
And then, as often as not, a target would get in touch and say, hey, you know, I just got this email today.
Here you go.
And there would be our next piece of infrastructure, and we would claw back some visibility. Which was important, because John and Adam were still trying to figure out
who was behind Dark Basin and where they were.
We can start kind of with your trying to figure out who's doing this.
Yeah, so this was an interesting challenge for us,
because we got to the mercenary part long before we figured out
who the sort of mercenaries were in this case.
Fortunately, John and Adam had some help with their investigation into these mercenaries,
some additional clues to help guide them.
They collaborated with Norton LifeLock, which is a security application,
and they were also tracking Dark Basin.
But they called this group Mercenary.Amanda.
And there was this other report from the Electronic Frontier Foundation.
Back in 2017, EFF had identified an advanced spear phishing campaign that attacked internet freedom advocacy groups.
The attackers sent out legit looking emails asking people to go to Google, Dropbox, and LinkedIn to log in.
And if they did, it would steal their login credentials.
Sounds familiar, right? EFF figured out that whoever was running the attacks was probably working out of an office in a
particular time zone. John says they saw that too. We began spotting all of these different
things that started pointing to a particular player. The first thing that really clued us in
was that the timing of the attacks
appeared to fit the timeframe of India's time zone.
India's a big country, but it only has one time zone,
India Standard Time, which is GMT+5:30.
What John and Adam saw was that the attacks happened within what
would be a typical workday in India. And they also saw that India Standard Time was stamped
into some of Dark Basin's phishing code. But some threat actors put in fake clues to throw people
off. And so it's possible they faked the time zone in the code and purposely were active during business hours in India to hide themselves.
But the Indian connection didn't stop with the time zone.
Adam says the names of the URL shorteners were another clue.
As we tracked these URL shorteners, you know, they were using an open source shortening software.
And that software, one of the things that it had was, you know, a web UI, like a web front end. They had
given them titles and the titles in several cases reflected, you know, things that had cultural
significance in India. A couple were named after important events like Holi and Rongali. Adam says
they came across even more helpful information because Dark Basin didn't do much to cover their
tracks. They left stuff out in the open sometimes. We also were able to collect log files from the credential phishing websites,
right? They just left them there, left them open. In these log files, John and Adam could see Dark
Basin hackers running tests to make sure their phishing code worked. And the IPs running these
tests are from India. But there were other cases where they weren't,
where you'd have a test with a VPN,
and then right away the same link would have been tested again,
but it was actually coming from an Indian-based broadband provider.
This was another piece of the pie.
They had the timestamps, the URL shortener names,
and now IP addresses all linking this to India.
So we had these pieces falling into place that were suggestive.
It's, you know, each piece was another little breadcrumb
suggesting operators working out of India.
To me, at least, all this information Citizen Lab was collecting
from their investigation was really impressive.
I wouldn't have thought to try to enumerate the URL shortener
or even look to see if there were log files visible in the phishing websites.
But with all this information, Citizen Lab now had an idea of where Dark Basin was.
But they were still hunting for the who.
And then we get sort of like the next layer of clues.
John says Dark Basin hackers made some glaring errors when testing their phishing kits. What really caught our attention is that the operators didn't just, you know, kind of do
some tests. Their compartmentation was not great. And where it got really interesting is that in
some cases to test out things, operators would share stuff that might be more personally relevant
to them on the shorteners. See, since the hackers set up this URL shortener, they actually used it to send links between each
other. So in one case, a Dark Basin hacker shared a link with another Dark Basin hacker,
which took them to a shared drive, and that had a resume or a CV there.
And the CV described a bunch of skills and responsibilities like information gathering
about target, create phishing page and campaign for target, email investigation, email tracking.
Of all the things a hacker could share to test their phishing kit, these guys shared something
personal. And it was a job description that seemed to look a lot like what Dark Basin hackers were doing.
Because of this CV, Citizen Lab had somebody's name and the name of a company in India they worked for.
John looked the guy up.
The guy, when we looked at him, listed his job description as a penetration tester for a company called BellTroX InfoTech Services.
And it didn't end there. We also found another person who also listed his employer as BellTroX InfoTech Services posting online on a message board.
This other guy was offering up more than just a job description. He was sharing company secrets,
pulling back the curtains.
And he's like, hey, let me show you this cool technique that I've got. Look at these
swank looking phishing pages that I've generated.
And the screenshots included the infrastructure that belonged to this operation.
These employees were evidence that BellTroX, a company based in New Delhi,
was into phishing and probably hacking too. John and Adam dug deeper.
BellTroX had a web presence and the web presence described them as doing penetration
testing, certified ethical hacking, and also like medical transcription and a couple of other kind
of strange, strange activities. In the marketplace for email compromise, certified ethical hacking
and penetration testing are unfortunately often used as code language for we'll hack inboxes for you.
And we were never able to find out whether they actually did do medical transcription,
but it seemed like kind of a clever front for their real activity.
Was that real activity being Dark Basin, a massive hack-for-hire mercenary outfit?
John says BellTroX left a lot of incriminating info out there in the open.
One of the things that made this investigation possible is that BellTroX was noisy and their
people had a lot of stuff that were sort of publicly exposed.
This meant that they would do things like post online.
They had LinkedIn pages with likes and that often described exactly what it was that they
did, like email hacking and penetration.
So the LinkedIn profiles ranged a bit,
but some of the guys looked like they had been at this game for a while and they, you know,
had like profiles, pictures of like hacker types with sunglasses and binary streaming by in the
background and goofy email addresses with 007 in them and offering all kinds of wares. And then
others seemed a bit more professionalized. It was very clear that some of the people who worked at BellTroX were offering
what were clearly illegal services. This wasn't a case of a few bad apples on an otherwise
innocent IT company. BellTroX's history of illicit activities went all the way to the top,
to the guy running the show, Sumit Gupta. John says Sumit Gupta has a history in the hack-for-hire business.
The owner of BellTroX has been indicted and charged
and is currently a fugitive from justice in the U.S.,
but not because of this latest case,
but because there's an earlier set of cases
where he was part of a
group working with American private investigators to do exactly the same kind of activity.
The prior case offers important insight into understanding Sumit Gupta,
the work that BellTroX was doing, and where their clients were coming from.
But to understand this, we've got to turn back the clock to 2012. It's a time before Norton
LifeLock and Citizen Lab were tracking
Dark Basin at all, and before the EFF reported about an advanced spear phishing campaign.
Back in 2012, there were two competing American companies that sold nutritional supplements.
One was named ViSalus, and the other was named Ocean Avenue. Some of ViSalus' distributors had
signed on with Ocean Avenue, so ViSalus sued, accusing the
distributors of violating a non-compete agreement. Amid the ensuing court battle, ViSalus hired two
private investigators to look into Ocean Avenue. They wanted information to bolster their case,
but things went a little too far. The private investigators hired hackers to break into Ocean Avenue's computers, which was totally illegal. One of
the hackers was Sumit Gupta. These guys successfully got into Ocean Avenue's computers,
but their operation came unglued. One of the hackers got cold feet and confessed to one of
the targets. This led to a 2015 federal grand jury indictment, which named five members of the scheme
and charged them with 10 counts related to conspiracy, accessing protected computers, and intercepting electronic communications.
Everyone but Sumit, who was believed to be in India, pleaded out. The two PIs and their
ViSalus contact were sentenced to probation. The hackers who had fessed up actually had a prior
record and were sentenced to three years in prison.
And Sumit's case was turned into a fugitive criminal case.
The FBI got in touch with their New Delhi branch, but Sumit remained at large.
It's been eight years since Sumit was known to be involved in this hack-for-hire scheme with the ViSalus case.
It seems like he's been busy, too.
Sumit has taken this model of working with private investigators to the next level. The PI thing is something John says they saw with BellTroX.
One of the things that we kind of learned pretty quickly is that BellTroX and their people would
kind of openly solicit online. One of the big audiences that they seemed to be targeting was
American and like Western private investigators offering all
kinds of email-based targeting services with, in some cases, coded language, in other cases,
just saying exactly what they would do for you. Their pages had endorsements from like hundreds
of Western private investigators. You know, it doesn't take a very sophisticated person to kind
of feel that there's something off about this company. And so it led to this question, like, why have all these private investigators vouched for this random Indian medical transcription slash penetration testing company? Imagine if a private investigator is hiring a bunch of hackers, they're not going to like splash it all over the place, which is why it was so interesting that private investigators did still feel comfortable vouching for these guys on LinkedIn.
This was a big, loud clue, along with the others, that something wasn't right with this
company, BellTroX.
This supposedly innocent Indian company was up to something.
Although the PI thing kind of makes sense, right?
There's a vast network of professional investigators out there.
Why not tap into their
market and position yourself and services as a go-to tool in their toolbox and forget the legalities?
And it made us think that maybe the kind of practice that BellTroX is engaged in is not
that uncommon in the field of private investigations. And subsequent discussions with private
investigators and others has made it clear that that is the case and that a lot of PIs do
use this kind of service as part of their investigations. And here's something else to
support that. Sumit Gupta has a pod.io profile still up on the internet. He's listed as Sumit
Vishnoi, one of his known aliases, which is also in his court records. His profile says he's with
BellTroX, which is described as a cyber intelligence company.
The clients he's interested in are private investigators, corporate lawyers, corporate investigators, corporate firms, celebrities, and politicians.
There's nothing about medical transcription.
It's pretty clear that he and BellTroX were interested in and hooked in with private investigators.
But what remains unclear is who might have been on the other end of this
client chain? Who hired the PIs? That's hard for Citizen Lab to say.
The challenge for us is to apply the same level of rigor to all of our investigative pieces. And,
you know, there are pieces that can be seen about these groups and pieces that are not
seeable by us. For example, it's very likely the case that anybody who is a big company who hired
BellTroX may have done it through layers. Maybe they hired a law firm, who hired an investigator,
who hired an intermediary, who hired BellTroX. We don't really know. And so it's very hard to make
statements like so-and-so hired so-and-so even. And we want to be careful to get these things right.
Citizen Lab doesn't have hard evidence on somebody like Exxon or Wirecard directly hiring
BellTroX or even having it done through a middleman.
What they can see is that there were all these phishing attacks on sets of targets, and they
have a lot of circumstantial evidence linking those attacks.
You never know for sure when it comes to this.
So all you can say is that you have a high confidence in your
assessment. Our mental model for what goes on is that private investigators hire BellTroX
to gain access to material that could then be used in all sorts of different ways. You know,
it could be leaked to the press. It could be used in a legal dispute to apply leverage. It could be
about figuring out an opposing party strategy in something political.
And indeed, we think we sort of felt evidence of all those things.
When looking at the big picture of this kind of hack for hire scheme,
John says the motivations seem different than other types of attacks.
What this really showed us was that there is a very large industry that does this, and that pretty much wherever you scratch, whatever vertical you're looking at,
a component of the hacking that large organizations and small organizations face is this kind of stuff, which is different than ransomware. It's different than business email
compromise. It's different than CEO fraud. It's just part of the complete breakfast of bad stuff
that may be pointed at an organization. What's different about this from some of those other cases is that the motivations here do not appear to be primarily
financial. They're not trying to get into bank accounts. They're not trying to trigger wire
transfers. They're looking for, in some ways, an even more valuable commodity, which is a
commodity that's directly beneficial to the adversary of a company, which is real different
than kind of
like a parasitic commercial operation trying to steal a bunch of money. In their report, Citizen
Lab calls large-scale hacking operations like Dark Basin a threat to democracy. They say it's a tool
for the powerful and can be used to attack people who can't defend themselves. It's a brazen approach
that really stood out to Adam. He says the way
BellTroX went about their business was shocking. From my perspective, this kind of activity coming
from an organization that, you know, it has a public face, like BellTroX is a company,
they're out there, they're publicly advertising services in and around this sphere. And they're
out there operating completely in the open. And to me, that's just
even more egregious than what we know is out there. For example, on the dark web, we know that
there are contractors and people working piecemeal to selling services of this kind of
hacking email and hacking social media accounts and so forth, sort of onesie, twosie style.
But having a company basically existing in public
and operating like this is sort of especially egregious.
Yeah, to build on what Adam's saying,
there's another problem, which is it doesn't look that different
from some of the other kinds of phishing that companies face,
where they just sort of look at it and they're like,
okay, well, caught this, right?
Cost of doing business. But the risk behind this is in
some ways a lot greater because it's part of a package of things, right? The targeting here
doesn't end with the successful exploitation of an email. It would end with the successful
use of the information in that email to harm somebody, harm a company, harm reputation,
very different stuff.
But on the kind of initial technical end, it kind of looks the same. You know, we've also
gotten the sense that big platforms are just starting to really come to terms with how bad
the problem is. So, you know, we know that Google earlier this year, for the first time,
in one of their publications from the TAG group, started talking about this. We hope to see other big platforms taking these groups seriously
and adding them to their list of threat actors
that need to be constantly tracked and mitigated against.
Keeping tabs on such a big operation takes a lot of committed organizations,
like the Google Threat Analysis Group that John just mentioned.
Yet in the end, a lot of these groups can only go so far
because like Citizen Lab, they're using open source methods.
They can't hack BellTroX to get hard information.
That's illegal.
I think one of the challenges with a group like this, though, is that there's only so much that researchers, whether it's like NortonLifeLock or Citizen Lab, we can actually do once we get to that kind of like the front door of an enterprise.
Right. And then maybe the personal postings of people. And so part of what
was very important in this case was that there was a criminal investigation that got kicked off
because those investigations have access to legally authorized resources that we just don't.
And see, this brings us back to the whole good versus evil thing. Adam and John at Citizen Lab
will only investigate this up to what they're legally allowed to do.
And they're not going to break the law to figure this out.
Yet whoever is behind Dark Basin apparently has no problem breaking laws by hacking into their victims' accounts.
I think Dark Basin is evil, but they're just the weapon here.
Whoever is hiring them is the real villain here, right?
But when you break down good and evil, things turn gray really fast. Because suppose Wirecard or Exxon did hire Dark Basin to spy on journalists and
activists, the executives in those companies probably saw the journalists and activists
as being the evil people trying to wreck the company. So the decision makers were trying to
protect the company they worked for, because in their eyes, the company is great and worth fighting for. And there's a lot of
shareholders who also believe in the company. I don't know. I'm trying to find a way that the
evil side has an out here, but I'm struggling. I just don't see that whoever hired Dark Basin
to hack people's accounts was acting in good faith or had any morals or integrity.
Because if I saw activists or journalists exposing crimes my company committed and I felt that my company was great and worth fighting for,
I think the right thing to do would be to investigate the crimes and to put a stop to them.
Repair what was done wrong and not silence the news about it or threaten people just so I could keep getting
away with breaking the law? At the request of some of the targets they were working with,
Citizen Lab got in touch with the U.S. Department of Justice, who started a criminal investigation.
And so far, a guy named Aviram Azari has been indicted and arrested for engaging in a hack
for hire scheme. A lot of the stuff in the indictment sounds pretty familiar at this point.
Aviram is an Israeli private investigator.
He's charged with conspiring with others to hack computers.
He allegedly exchanged emails with an unnamed co-conspirator
who said he had a team of sophisticated developers
that could break into email accounts.
Aviram was invited to India to meet with the senior management of this organization,
which to me sounds like it could be BellTroX or Dark Basin.
This June, Citizen Lab released their Dark Basin report,
and it was widely covered by the press.
Reuters was able to interview Sumit Gupta,
but he denied any wrongdoing.
He said all he did was help private investigators
download emails after
they gave him login information. He added that he was just providing tech support. Although he's
been a fugitive in the U.S. since 2017, it appears he's still at large in India. The Citizen Lab
report also prompted responses from some of the companies like Exxon and Wirecard. To be clear,
the report didn't accuse them of anything.
In a New York Times article, an Exxon spokesperson said the company didn't know of any involvement
with this specific hacking group identified in the Citizen Lab report.
Wirecard also told the Financial Times that they didn't have anything to do with this hacker group in India.
But coincidentally, Wirecard tanked not long after this Dark Basin report came out.
What's interesting is that not long after our report dropped, it became clear that there were
very serious problems with financial management at Wirecard. The timing was total coincidence, but in June 2020, things
did go sideways at Wirecard. Journalists and short sellers like Matthew Earl for years had
accused Wirecard of financial wrongdoing, but the company had strongly defended its position,
saying that its critics were colluding to bring them down. In the years after Matthew Earl's
report came out, Wirecard's stock had
actually gone up and Matthew had to unload his short position. But according to the Wall Street
Journal, this year, an audit came back saying Wirecard was missing over $2 billion in money.
The fallout was quick. On June 5th, Wirecard headquarters in Germany was raided by prosecutors and police.
CEO Markus Braun was arrested and the COO Jan Marsalek had vanished.
By the end of June, Wirecard had filed for insolvency, unable to cover its debts.
John says the collapse of Wirecard and the Citizen Lab report are a welcome atonement for some.
So it was a very quick and sort of coincidental
turn of events that our reporting happened just before that. But it does have the feature of
vindicating the targets who sort of for years have been saying, look, there's something wrong
with this company. That was a big deal for Matthew Earl. He had been harassed with surveillance,
legal letters and phishing emails for years. It had been going on for so long,
it just became normal for him.
He was relieved when the Citizen Lab report came out
linking the phishing to BellTroX.
There was a vindication element to it as well.
And also, it made it easier to tell people about this whole affair.
Because if you were to tell someone that there's a German bank
that's had you under surveillance for several years
and they've got an operation
where they're trying to hack into your email
and discredit you,
then you'd sound a bit like a conspiracy nut,
despite the fact that it's all true. So if you've got a
reputable organization such as Citizen Lab that is able to highlight this and to add credibility to
that, then that's incredibly helpful in being able to tell people about it and describe your
experience and know that actually, yes, it is true and you haven't made it all up. in being able to tell people about it and describe your experience
and know that actually, yes, it is true
and you haven't made it all up.
A big thank you to Matthew Earl, Adam Hulcoop,
and John Scott-Railton
for sharing this incredible story with us.
You can learn more about Citizen Lab at citizenlab.ca. As always, you can visit darknetdiaries.com to see additional
links and information, as well as original artwork I make for each episode. And speaking of artwork,
I've been busy making tons of designs into t-shirts. You got to check out the shop,
which has dozens of shirts right now, and I'm sure you'll find a design you will love.
Visit shop.darknetdiaries.com, and of course, I ship worldwide.
This show is made by me, the Karate Skid, Jack Rhysider.
Sound design and original music created this episode by Garrett Tiedemann, who probably dreams in music.
This episode was produced by the outdoorsman, Charles Bolte.
And editing help this episode by the dream weaver, Damien. Our theme music is by the advanced Persistent Beat, known as Breakmaster
Cylinder. And even though I'm in security, it doesn't mean I'm insecure. This is Darknet Diaries.