How this Delhi IT firm continues to hack influential people globally
If you visit BellTrox website, it still reads that it is one of the leading providers of professional and managed services for advanced IT and ITes in India
India-based technology company BellTroX InfoTech Services that came in news last year for its role in a massive 'hack-for-hire' operation that targeted thousands of individuals and organisations in six continents -- including senior politicians, government prosecutors, CEOs, journalists and human rights defenders -- has continued its malicious activities under the nose of intelligence networks and government agencies.
According to Meta (formerly Facebook) which has now removed 400 accounts linked to the New Delhi-based IT firm, "BellTroX operated fake accounts to impersonate a politician and pose as journalists and environmental activists in an attempt to social-engineer its targets to solicit information, including their email addresses, likely for phishing attacks at a later stage."
The activity, based on the exact same playbook that BellTrox executed last year, "re-started in 2021 with a small number of accounts impersonating journalists and media personalities to send phishing links and solicit the targets' email addresses," Meta further informed.
The story shook the world last year as the company targeted thousands of powerful individuals and organisations on six continents.
However, the whole exercise yielded no definite results as there was no strong evidence "pointing to the party commissioning them".
The issue was quietly buried, leaving leading cyber security experts flummoxed as the expose was something that needed to be thoroughly probed to unearth the entire racket and catch the big fish.
Pavan Duggal, a seasoned Supreme Court lawyer and one of the country's top cyber law experts, said that even after one year of 'Dark Basin' hack-for-hire investigation, "India as a nation appears not to have learnt its lessons".
"The Golden Age of Cybercrime has arrived with Covid-19. Cybercrime has acquired cult status as more and more people are turning to cybercrimes, given the evaporation of jobs and disappearing economic opportunities," Duggal told IANS.
"The cottage industrialisation of cybercrime in India effectively means that cybercrime is now well entrenched in the Indian digital ecosystem. The hack-for-hire schemes continue unabated," he warned.
Duggal lamented that the Indian soft approach on cybercrime and lack of political will to come up with strong legal frameworks on cybercrime "will ensure that cybercrime will continue to keep on increasing with each passing day" and such hack-for-hire firms will only grow.
If you visit BellTrox website, it still reads that it is one of the leading providers of professional and managed services for advanced IT and ITes in India.
"BellTroX addresses the complete technology lifecycle -- enabling clients to plan, design, integrate, operate and optimise their investments. Founded in 2013 with an initial focus on Medical Transcription, BellTroX brings together broad-minded individuals from a wide range of disciplines and encourages them to look beyond the constraints of their own specialisms," the description reads.
However, the real story is entirely different, shrouded in clickbait emails, URL shortening services and phishing messages.
The multi-year investigation found that 'BellTroX', owned by Sumit Gupta who was indicted by the US Department of Justice in California in 2015 for his role in a similar hack-for-hire scheme, conducted commercial espionage on behalf of their clients against opponents involved in high-profile public events, criminal cases, financial transactions, news stories, and advocacy.
Gupta denied any wrongdoings, but Citizen Lab was able to identify several BellTroX employees whose activities overlapped with 'Dark Basin' because they used personal documents, including a CV, as bait content when testing their URL shorteners.
Some of the targeted organisations were Rockefeller Family Fund, Climate Investigations Center, Greenpeace, Center for International Environmental Law, Oil Change International, Public Citizen, Conservation Law Foundation, Union of Concerned Scientists and several others.
"They also made social media posts describing and taking credit for attack techniques containing screenshots of links to Dark Basin infrastructure," the report had noted.
"BellTroX staff activities listed on LinkedIn included Email Penetration, Exploitation Corporate Espionage, Phone Pinger and Conducting Cyber Intelligence Operation," the Citizen Lab found.
This is how their global heist unfolded.
Dark Basin's targeting revealed a highly detailed and accurate understanding of their targets and their relationships.
Not only did phishing emails come from accounts masquerading as targets' colleagues and friends, but the individuals that Dark Basin chose to target showed that it had a deep knowledge of informal organisational hierarchies (masquerading as individuals with greater authority than the target).
"Some of this knowledge would likely have been hard to obtain from an open-source investigation alone. Combined with the bait content, the 'Dark Basin' operators were likely provided with detailed instructions not only about whom to target, but what kinds of messages specific targets might be responsive to," according to Citizen Lab research.
'Dark Basin' regularly adapted techniques, possibly in response to disruptions from email providers filtering their phishing attempts.
Many of Dark Basin's URL shortening services had names associated with Holi, Rongali, and Pochanchi. While Holi is a famous festival, Rongali is one of the three Assamese festivals of Bihu and Pochanchi is likely a transliteration of the Bengali word for "fifty-five".
BellTroX says it is "a global strategy and innovation consulting firm. We collaborate with senior leaders at the world's top companies to identify and pursue new growth opportunities, build innovation capabilities, and create disruptive new products, services, and businesses".
However, there's definitely more to this than meets the eye.
According to Duggal, if appropriate political will does not step in and if appropriate effective steps for providing deterrent punishment to cybercriminals are not brought about, "we will continue to keep on getting buried under the constantly increasing illegitimate cybercrimes and cyber-attacks.
"All eyes are on the government on how to come up with effective legal frameworks to deal with such growing menace of cybercrimes," he noted.
In 2015, the US Department of Justice (DOJ) indicted several US-based private investigators and an Indian national, Sumit Gupta (for whom the DOJ notes also use the alias Sumit Vishnoi), for their role in a hack-for-hire scheme.
"To our knowledge, Gupta was never arrested in relation to the indictment. An aggregator of Indian corporate registration data lists Sumit Gupta as the director of BellTroX, and online postings by a 'Sumit Vishnoi' contain references to BellTroX," according to the Citizen Lab report.