Hacker Group "RocketHack" | Where Spies Shop

A suspected Russian hacker group sells emails and location data to anyone who pays. Current research shows how professional they are.

The group writes "professional hacking" on its website. The offer includes, for example, "access to e-mail services and social media profiles" and the slogan: "RocketHack - your key to all information." 

Apparently, this is not an exaggeration. The Russian-speaking group RocketHack has been spying on private individuals, journalists, politicians, activists and even intelligence services since at least 2017 - on commission. This was revealed by the Dutch security researcher Feike Hacquebord from the IT security company Trend Micro in a talk at the Black Hat conference on Wednesday. According to his research, the group collects personal information such as movement data, SMS messages and e-mails and sells this data to its customers. Over the years, Hacquebord and his colleagues have identified more than 3,000 victims worldwide.

The research throws a spotlight on the large and professional market that has developed around criminal services and stolen data on the Internet. The screenshots shown by Hacquebord reveal a modern webshop. A hacked Googlemail account costs $550 and a hacked ProtonMail account costs $688. The contents of a mailbox at the Russian provider Yandex can be had for as little as $165. Recording phone calls, including the location of the cell tower, costs $826.

Customers who buy these services are also likely to include governments. In the talk it becomes clear that there is overlap between the newly discovered group and the Russian state hacker group Pawn Storm, which is also known under the name Fancy Bear. Between 2014 and 2016, the two groups spied on some of the same victims, including religious leaders, diplomats and journalists. Hacquebord does not go so far as to describe RocketHack as a state actor, but one thing is clear: the group meets the needs of dictatorial regimes.

Publications relating to the Israeli spyware Pegasus have shown that governments are definitely interested in such data - and also that governments often use these tools not only for legitimate purposes, but also to pursue members of the opposition, up to and including suspected executions. According to the researchers' findings, the situation is similar with the services of the RocketHack group, which are likewise of interest to governments. They are "used to attack their customers' opponents," Hacquebord notes.

On offer: bank details, ID cards, Interpol entries

In addition to governments, these customers also include companies engaged in industrial espionage, or stalkers: "They sell this data to anyone who is willing to pay for it," says the security researcher. The group calls itself RocketHack; Hacquebord named it Void Balaur - after Balaur, a many-headed monster from Eastern European folklore.

The group's portfolio is broad. RocketHack not only offers access to e-mail accounts and social media profiles, but also passenger data, SIM card data, information about which cell tower a particular mobile phone was connected to and when, data from border crossings, bank data, ID data, Interpol entries, control data, and images and videos from traffic cameras. And business seems to be going well: the customers are very satisfied, reports Hacquebord. They regularly attest to the group's good performance in Russian criminal hacker forums such as Darkmoney and Probiv.

In order to understand how the group works, Hacquebord and his colleagues identified thousands of attacks by the group and, in some cases, analyzed the exact sequence of events. Most start with phishing campaigns, such as fake e-mails intended to induce the victim or people around them to reveal personal data or a password. Apparently, however, the group also manages to break into e-mail accounts without outsmarting the owners of the accounts. According to Hacquebord, this could indicate collaboration with the relevant e-mail providers. "You shouldn't use those then," he says. He does not name the services in question, but a look at the criminals' price list shows that, among other things, the social network VK can be made accessible "without changing the password". There are also different prices for the e-mail services Rambler.ru and Yandex, depending on whether access is obtained with or "without hack" ("no hack").

The victims identified by Hacquebord include human rights activists, managers of large companies, fintech companies, crypto exchanges and a conspicuous number of fertility clinics. Hacquebord is puzzled as to why fertility clinics, of all things, are a target of the attacks: either because they hold a particularly large amount of personal data, or because their data is being hoarded for future sale.

Politicians and government officials in particular are hit again and again. The security researchers found attacks on politicians and political activists in Uzbekistan that coincide with reports from Amnesty International. They also observed digital attacks on two presidential candidates in Belarus and a member of the opposition party, as well as on government officials in Ukraine, Russia, Kazakhstan and Armenia, among others. EU politicians are also among the targets. In August 2021, for example, Hacquebord observed espionage activities against a French parliamentarian, EU MPs from France and Italy, and politicians and activists from Norway and France. Even a former head of an intelligence service is among the victims (the security researcher does not want to be more specific here).

Theoretically, the data from cyber spies could also be used "for non-malicious purposes," the security researchers emphasize, "for example to support governments in the fight against terrorism and organized crime." There is in fact an indication of a "non-malicious" use case of the criminal data - one which is nonetheless controversial. It concerns journalistic research into the attempted murder of the Russian opposition politician Alexej Navalny. A joint investigation by the Dutch research organization Bellingcat, CNN and Der Spiegel had suggested in December 2020 that the Russian intelligence service could have been involved in the attack. The research was based, among other things, on passenger and cell tower data of Russian intelligence service employees, i.e. exactly the kind of data that RocketHack also offers.

After the publication, RocketHack became noticeably nervous, reports Hacquebord. In fact, the case was heatedly discussed in the Probiv forum in December. The black market is in turmoil, writes one user; officials of the Russian intelligence service are in the process of deleting information, and the journalists have stirred up the market. "Do you think they (the Russian investigative authorities, editor's note) will now go through the entire chain?" RocketHack asks worriedly in the chat.

Concerns about the business model

Does that mean the journalists bought their research data from RocketHack? "There is no evidence of this," says Hacquebord. Only the statement by the Bellingcat editorial team that they bought the data in response to an advertisement in the Russian criminal forum Probiv could point to a connection - "we know that Void Balaur also advertised there," says Hacquebord. Eliot Higgins has repeatedly spoken openly about buying information from hackers. The team is well aware of the ethical concerns. However, Bellingcat does not name its exact sources.

In any case, RocketHack was apparently worried about its business model when it suddenly came under public scrutiny, the researchers said. However, it is not news that it is comparatively easy to obtain all kinds of personal data in Russia. For example, during research in Moscow, a former Russian hacker showed the author of this text how, using various Telegram services among other things, he could obtain a person's name from a photo on the Internet. He also obtained that person's vehicle registration number, telephone number, address, health insurance details and various photos of the vehicle taken by traffic surveillance cameras.

In this respect, RocketHack's service is nothing new in terms of content, but it represents a new level of quality. Alongside a state market - which, among others, the NSO Group serves with Pegasus - an underground market for personal data has also developed. RocketHack is one of the most professional players in this market known to date. Apparently every spy's request is fulfilled there reliably and quickly.
