Attack attribution is one of the most difficult aspects of malware research, and it's not uncommon for different security companies to attribute attack campaigns to different threat actors, only to discover later that they were the work of the same group. Against this backdrop, a new paper by researchers at BlackBerry stands out by exposing an elusive group dubbed Bahamut as responsible for a spider web of carefully constructed and carefully executed phishing and malware attacks.
The group's hacking activities trace back to at least 2016 and involve malware for Windows, macOS, iOS and Android. They have impacted a diverse range of individuals, including government officials, separatists and human rights activists from several countries. Some of the group's campaigns were documented by various researchers and security companies over the years, but they were either left unattributed or attributed to threat actors under different names.
"Over the years, researchers at several other organizations including Amnesty International, Kaspersky, Trend Micro, Cymmetria, DarkMatter, ESET, Norman, Antiy, Forcepoint, Symantec, Palo Alto, Fortinet, 4Hou, Bitdefender, Cisco Talos, Microsoft, Qianxin, and others gave us a different view of Bahamut, often under different names," the BlackBerry researchers said in their paper. "Many speculated openly about what it was they were analyzing and where the group’s distinctive features might lead them."
According to BlackBerry's assessment, Bahamut, which was named by researchers writing for the open-source intelligence site Bellingcat in 2017, is the same group described in previous research by different companies as EHDEVEL, Windshift, URPAGE and The White Company. It is also the actor responsible for the campaigns described by Kaspersky Lab in its 2016 research on the InPage zero-day vulnerability, by Cisco Talos in its research on malicious MDM, and by Qianxin in its research on the attack against Pakistan.
What is Bahamut and how does it operate?
Based on the group's varied and carefully segmented attack campaigns, which target both high-value individuals and larger groups of people across different regions with different geopolitical interests, the BlackBerry researchers believe it's plausible that Bahamut is a mercenary group that sells its services to different clients. This theory was first proposed in 2017 by researchers writing for Bellingcat.
Hacker-for-hire groups that use APT-style techniques have become a common element of the threat landscape in recent years, challenging the threat models of many...