Privacy Ninja
Void Balaur Hackers-for-hire Sell Stolen Mailboxes and Private Data

A hacker-for-hire group called Void Balaur has been stealing emails and highly-sensitive information for more than five years, selling it to customers with both financial and espionage goals.

With more than 3,500 targets spread across almost all continents, this prolific threat actor is advertising its services on Russian underground forums.

Security researchers at Trend Micro profiling Void Balaur’s activity say that the business model of this actor is to steal “the most private and personal data of businesses and individuals” and sell it to interested customers.

Targets include individuals as well as organizations in various sectors (telecommunications, retail, financial, medical, biotechnology), especially if they have access to troves of private data.

“Void Balaur is not only into hacking email mailboxes but is also in the business of selling the sensitive private information of its targets. This includes cell tower log data, passport details, SMS messages, and more. In addition, Void Balaur appears to target many organizations and individuals that are likely to have access to highly sensitive data on people” – Trend Micro

Wide range of services and targets

The hacking activity of Void Balaur is believed to go as far back as 2015, although the earliest references to this actor date from September 2017, in the form of complaints about the group's spam advertising its services.

Paid ads from Void Balaur started to appear in 2018 on Russian-speaking forums Darkmoney (carding), Probiv, Tenec (stolen credentials), and Dublikat.

The services included access to free webmail (Gmail, Protonmail, Mail.ru, Yandex, VK), social media (Telegram), and corporate email accounts. The hackers would offer customers copies of the breached mailboxes.

Figure: Prices for services from the Void Balaur threat actor (conversion to U.S. currency based on the exchange rate on September 14, 2021)

In 2019, the group’s services diversified as they began to sell sensitive private data of Russian individuals for starting prices between $21 and $124. The info included:

  • passport and flight information
  • traffic camera snapshots
  • traffic police data (fines, car registration)
  • weapon registration
  • criminal records
  • credit history
  • bank account balance and statements
  • tax service records

The new services also provided data from cellular providers, such as phone numbers, phone call and SMS records (with or without cell tower location), call mapping, phone or SIM card location, and printouts of text messages.

It is unclear how Void Balaur obtained this information. Bribing insiders at telecom companies is one explanation.

Another one, for which Trend Micro has supporting evidence, is hacking key engineers and individuals in management positions at various telcos in Russia.

Figure: Void Balaur threat actor's targets in telcos

Void Balaur’s targets are more diverse than this, and attacks on them date back years: Trend Micro found more than 3,500 email addresses of individuals and companies in attacks attributed to this threat actor.

Based on reports from Canadian non-profit eQualitie and Amnesty International, the researchers could connect Void Balaur activity to attacks that started in 2016 against human rights activists and journalists in Uzbekistan.

More recent activity from the group in September 2020 targeted political personalities in Belarus, presidential candidates, and a member of the opposition party.

In September 2021, the hackers focused on “the private email addresses of a former head of an intelligence agency, five active government ministers (including the minister of defense) and two members of the national parliament of an Eastern European country.”

Political figures and diplomats in other countries (Armenia, Ukraine, Kazakhstan, Russia, France, Italy, Norway, Slovakia), media organizations, and dozens of journalists are also among the targets of Void Balaur’s phishing activity.

In another campaign, which lasted between September 2020 and August 2021, Void Balaur targeted board members, directors, and executives (and their family members) of companies within a large Russian corporation.

Figure: Void Balaur campaign against companies of a Russian conglomerate

The beneficiaries of these attacks remain unknown, but long-term espionage campaigns typically serve nation-state, corporate, or political interests.

Another set of targets includes organizations that handle large amounts of individual sensitive data, which could be used to facilitate financially-motivated attacks:

  • Mobile and core telco companies
  • Cellular equipment vendors
  • Radio and satellite communication companies
  • ATM vendors
  • Point-of-sale (POS) system vendors
  • Fintech companies and banks
  • Business aviation companies
  • Medical insurance organizations in at least three regions of Russia
  • In Vitro Fertilization (IVF) clinics in Russia
  • Biotechnology companies that offer genetic testing services

Apart from these, Void Balaur has been constantly seeking access to cryptocurrency wallets of various exchange services (Binance, EXMO, BitPay, YoBit), using phishing sites to lure victims.

In the campaign phishing EXMO users, the threat actor used multiple domains, one of which remained in use for almost three years.

Overlap with Fancy Bear activity

Void Balaur emerged on Trend Micro’s radar after a source provided multiple phishing emails that the researchers initially believed to be the work of Pawn Storm, a Russian threat actor also known as APT28, Fancy Bear, Sednit, and Strontium.

Although they ended up attributing the emails to Void Balaur, the researchers also found an overlap between the two groups, despite the hackers-for-hire showing more diverse customers and targets.

“In total, we have observed a dozen email addresses that were targeted by both Pawn Storm during the period of 2014 to 2015, and by Void Balaur from 2020 to 2021,” the researchers write in a report today.

“Besides the religious leaders, we also saw attacks on diplomats, politicians and a journalist from both Pawn Storm and Void Balaur,” Trend Micro added.

Figure: Target overlap between Void Balaur and APT28, a.k.a. Fancy Bear

From the evidence that Trend Micro collected, it is clear that Void Balaur focuses on selling private data to anyone willing to pay the right money. It is a cyber-mercenary group that does not care what its customers do with the data they buy.
