
Who Did It - How We Attributed Campaigns of a Cyber Mercenary

Conference: BlackHat USA 2021

2021-11-10

Summary

The talk discusses the attribution of campaigns to a cyber mercenary named Void Balaur and how to protect against APT attackers and cyber mercenaries.
  • Void Balaur is a cyber mercenary that advertises its services in underground forums, breaks into email and social media accounts, and sells the private data it obtains for money.
  • The talk details how the speaker and their team attributed campaigns spanning 2016-2021 to Void Balaur, some of which had a significant impact on targets' lives in Uzbekistan and Belarus.
  • Using billions of passive DNS records and Trend Micro's telemetry, the speaker found more than 1000 targets, including oligarchs, CEOs, politicians, and human rights activists, some of which had to flee their home country.
  • The speaker also discusses how journalists, human rights activists, and other targets can better protect themselves against APT attackers and cyber mercenaries: enabling two-factor authentication (using an authenticator app or a YubiKey as the second factor), using PGP, permanently deleting messages, turning off devices when they are not in use, and choosing email service providers that offer better security.
  • The speaker urges people to go to their national lawmakers and view national cyber mercenaries not as a national asset but as a threat to their own citizens.
  • An anecdote is given about a journalist, a frequent target of Pawn Storm (Fancy Bear), whose household received phishing emails; on investigation the journalist's spouse, not the journalist, turned out to be the actual target.

Abstract

In this talk, we put a cyber mercenary into the spotlight. This cyber mercenary does not have a shiny brochure or office, but it advertises services in underground forums like Probiv. We will detail campaigns of this actor we track as "Void Balaur" spanning 2016-2021. Some of these campaigns had a significant impact on targets' lives, for example in Uzbekistan and Belarus. Void Balaur came to our attention in spring 2020. We were contacted by a frequent target of Pawn Storm (APT28). His spouse received a dozen phishing emails and he wanted to know who the sender was. We soon related these phishing emails to Void Balaur, but we needed 6 more months of research to reach high-confidence attribution. Using billions of passive DNS records and Trend Micro's telemetry we found more targets, and related campaigns between 2016 and 2019. Some of these campaigns were reported on earlier by Amnesty International (2020) and eQualit.ie (2019), but without attribution. In fall 2020 we found out that somebody was hiding behind the eleos.tk VPN network and using a customer system to access control panels of Void Balaur. These control panels appeared not to be protected by any authentication. From that moment on we could attribute old and new campaigns of Void Balaur with high confidence. We uncovered more than 1000 targets. These included oligarchs, CEOs, politicians and human rights activists, some of whom had to flee their home country. We found a small, but clear overlap with the targeting of Pawn Storm. This shows that attackers motivated by political and corporate espionage found their way to this cyber mercenary. International regulations are not there to protect targets of cyber mercenaries. Therefore, we discuss how journalists, human rights activists and other targets can protect themselves better against APT attackers and cyber mercenaries.
