A hacker-for-hire group called Void Balaur has been stealing highly sensitive emails and information for more than five years, selling them to clients with both financial and espionage goals.
With over 3,500 targets spread across nearly every continent, this prolific threat actor advertises its services on Russian-language underground forums.
Trend Micro security researchers who profiled Void Balaur say its business model is to steal "the most private and personal data of companies and individuals" and sell it to interested customers.
Targets include individuals and organizations in various sectors (telecommunications, retail, financial, medical, biotechnology), especially those with access to private data.
Wide range of services and objectives
Void Balaur’s hacking activity is believed to date back to 2015, although the earliest references to this actor date back to September 2017, in the form of spam complaints from the group advertising its services.
Void Balaur’s paid ads began appearing in 2018 on the Russian-language forums Darkmoney (carding), Probiv, Tenec (stolen credentials), and Dublikat.
Services included access to free webmail (Gmail, Protonmail, Mail.ru, Yandex, VK), social media (Telegram) and corporate email accounts. The hackers allegedly offered customers copies of the hacked mailboxes.
In 2019, the group's services diversified as it began selling sensitive private data of Russian individuals at starting prices between $21 and $124. The information included:
- passport and flight information
- snapshots of traffic cameras
- traffic police data (fines, car license plate)
- weapon registration
- criminal record
- credit history
- bank account balance and account statements
- tax service records
The new services also covered cellular data, such as phone numbers, call and SMS records (with or without cell tower location), call mapping, phone or SIM card location, and text message printouts.
It is unclear how Void Balaur obtained this information. Recruiting insiders at telecom companies is one explanation.
Another, for which Trend Micro has supporting evidence, is the hacking of key engineers and individuals in executive positions at various telecommunications companies in Russia.
Void Balaur's targets are more diverse than that, and attacks against them go back years: Trend Micro found more than 3,500 email addresses of individuals and businesses in attacks attributed to this threat actor.
Based on reports from Canadian nonprofit eQualitie and Amnesty International, researchers could link Void Balaur’s activities to attacks that began in 2016 against human rights activists and journalists in Uzbekistan.
The group’s most recent activity in September 2020 targeted political figures in Belarus, presidential candidates and a member of the opposition party.
In September 2021, the hackers focused on the "private email addresses of a former head of an intelligence agency, five active government ministers (including the defense minister) and two members of the national parliament" of an Eastern European country.
Political figures and diplomats from other countries (Armenia, Ukraine, Kazakhstan, Russia, France, Italy, Norway, Slovakia), media organizations, and dozens of journalists are also among the targets of Void Balaur's phishing activity.
In another campaign that ran between September 2020 and August 2021, Void Balaur targeted board members, directors and executives (and their family members) of companies belonging to a large Russian corporation.
The beneficiaries of these attacks remain unknown, but long-term spying campaigns typically serve state, corporate or political interests.
Another set of targets includes organizations handling large amounts of individual sensitive data, which could be used to facilitate financially motivated attacks:
- major mobile and telecommunication companies
- cellular equipment suppliers
- radio and satellite communication companies
- ATM vendors
- point-of-sale (POS) system providers
- fintech companies and banks
- business aviation companies
- medical insurance organizations in at least three regions of Russia
- in vitro fertilization (IVF) clinics in Russia
- biotechnology companies offering genetic testing services
In addition to these, Void Balaur has constantly sought access to cryptocurrency wallets on various exchange services (Binance, EXMO, BitPay, YoBit), using phishing sites to lure victims.
In the phishing campaign against EXMO users, the threat actor ran multiple domains, one of which stayed in use for nearly three years.
Overlap with Fancy Bear activity
Void Balaur surfaced on Trend Micro's radar after a source provided multiple phishing emails that researchers initially believed were the work of Pawn Storm, a Russian threat actor also known as Fancy Bear, Sednit, and Strontium.
Although they ended up attributing the emails to Void Balaur, the researchers also found an overlap between the two groups, even though the mercenary group serves a more varied set of clients and targets.
"In total, we observed a dozen email addresses targeted by both Pawn Storm during the period from 2014 to 2015, and by Void Balaur from 2020 to 2021," the researchers write in a report published today.
“In addition to religious leaders, we have also seen attacks on diplomats, politicians and a reporter from both Pawn Storm and Void Balaur,” Trend Micro added.
From the evidence gathered by Trend Micro, it is clear that Void Balaur is focused on selling private data to anyone willing to pay the right price. It is a cyber-mercenary group that does not care what its customers do with the data they buy.