
BAHAMUT: Uncovering a massive hack-for-hire cyberespionage group

January 21, 2021 by Patrick Mallory

Introduction

In October 2020, the BlackBerry Research Operations team released a comprehensive report highlighting the reach, tradecraft and sophisticated tactics of one of the world’s most infamous cyber threat groups: BAHAMUT. 

The report, “BAHAMUT: Hack-for-Hire Masters of Phishing, Fake News, and Fake Apps”, was years in the making and culminates hundreds of hours of work and analysis, led by Eric Milam, Vice President of Research Operations. 

The report documented many significant details, including how the group designed its own exploits, strung together phishing campaigns, chose and targeted its victims, and executed attacks in a way that reflected the group’s organization, patience, resources and skill. The piece is just one of many reflections of how BlackBerry constantly tracks large cyber threat actors and malware in the ongoing race to stay abreast of global cybersecurity trends.

To expand on the findings in the report, share key lessons with fellow security professionals and pass on career development tips for those wishing to enter the threat intelligence world themselves, Milam joined Infosec founder and CEO Jack Koziol for the November 2nd episode of Infosec’s Cyber Work Podcast.

The BAHAMUT report

If there was one common theme to Milam’s talk with Koziol, it was the power of tenacity and, as Milam puts it, “pulling on strings.”

“We actually started on BAHAMUT around 2018 … and we called the threat actor ‘The White Company,’” reflected Milam. “But what we came to find out, obviously, is as you continue to research, pull on strings, follow breadcrumbs, we started to understand that The White Company was actually BAHAMUT.”

And it turned out that several other threat actors also referenced in the team’s first report, Operation Shaheen, were actually BAHAMUT, too. “The fact that [BAHAMUT] have such disparate attacks against disparate targets that wouldn’t normally be connected together seemed extremely interesting.”

In fact, even after publishing the report, BlackBerry and Milam’s team still do not believe they have a full sense of the size and scope of BAHAMUT. Interestingly, the researchers think of BAHAMUT like a corporation: hired by others, attending business meetings, conducting thorough design and testing sessions and managing a wide range of customers.

Key tradecraft findings

What stood out to Koziol and Milam was the sophisticated tradecraft showcased by BAHAMUT, including extensive, custom and flexible back-end infrastructure, counter-intelligence teams and in-house designers and application developers.

“They are highly, highly trained, they know what they’re going after, and they are patient in getting them. They do not smash and grab … they are highly targeted,” continued Milam. What lay at the end of those long strings BlackBerry was pulling, however, was the commonality between the group’s tactics, techniques and procedures (TTPs) and its back-end command-and-control infrastructure.

Ultimately, BlackBerry was able to find that BAHAMUT “built their own fake news empire”, complete with nine malicious iOS applications in the Apple App Store and a range of Android applications that took advantage of user privacy policies and successfully bypassed built-in device security. “Operational security is something that they take very, very seriously,” Milam notes. “The scope and sophistication of the BAHAMUT group’s attacks is pretty staggering.”

According to Milam, BAHAMUT’s tradecraft “used malware as a last resort. It was really about account takeovers and pivoting … it was about espionage and psychological operations.”

The BlackBerry approach

Stepping back from the report itself, Milam also shared with Koziol how the team was structured. It includes 10 members that make up their “Spear Team” of threat hunters, threat intelligence analysts, a project manager, data analysis professionals, geo-political experts and a technical writer. 

Combined, these team members mostly used information hidden in plain sight, pulling on the strings they found until BAHAMUT’s fingerprints could easily be seen. Over time, the researchers compiled databases, facts and reports from peer hunt teams to build on their own work. In turn, BlackBerry has left plenty of breadcrumbs in its own report that others could use to find out more about BAHAMUT’s size, revenue and presence in Southeast Asia.

Long-term implications of the BAHAMUT Report

Koziol and Milam then looked toward the future and what BAHAMUT meant for the evolution of advanced persistent threats to global business. 

In terms of demonstrating a new modus operandi, Milam believes that BAHAMUT laid out a path or blueprint that all but a few other cyber actors could only wish to achieve, especially given its use of advanced tradecraft. Unfortunately, Milam believes that the report still will not do much to disrupt BAHAMUT’s activities. Although BlackBerry works with many other organizations and with government law enforcement, BAHAMUT still has plenty of “customers” it is looking to serve.

Therefore, Milam advises, companies need to realize that cyberattacks of a large scale are very real. Cyber actors only need to find one way in — and it can be an unsuspecting internal user. “When Anderson Cooper’s talking about [cyber threat] and my grandmother understands it, then I know that we will be there [as an industry].” 

Milam also noted that more companies should use technology to help protect their organizations and people, especially because there are multiple places in the attack sequence where it could be disrupted. While frameworks can help, ultimately cybersecurity professionals need to understand their role and have the tools needed to protect employees.

Tips for aspiring threat researchers

Koziol rounded out the discussion with Milam by touching on a few points for aspiring threat intelligence professionals. 

Milam himself came up through the cybersecurity trade despite holding a degree in social science. Others on his team spent 10 to 15 years learning their specialty as threat analysts, penetration testers or technical writers before coming together to form a well-rounded team.

“However, some people have the intangibles you cannot coach: drive, determination and motivation,” notes Milam. “The people who work on this team, you don’t need to tell them anything. They are excited to do this every day.” Milam has interviewed strong candidates before, but if they lack that spark, he doesn’t consider them qualified for his team.

In general, Milam advises others to build a strong networking background and coding skills in Python and Bash, and to balance those with data science and core research skills.

Bringing it all together

Sadly, with the continued rise in cyberattacks and their increasing profitability, there will be plenty of work ahead for Milam and his BlackBerry team.

“It’s incredible what we’re able to uncover. The good thing is that we’re giving back to the community as all researchers should do. Hopefully, this opens up more opportunities to potentially take them down, if possible. That’s our job. That’s what we do. We love doing it and we’re going to continue to do that no matter what.”

For more information about BAHAMUT and BlackBerry’s report, please watch the corresponding episode of the Cyber Work podcast.

Patrick Mallory

Patrick’s background includes strategy and cyber risk services consulting experience with Deloitte Consulting, working with both state governments and large federal transportation and security agencies. He also served three years as a Deputy CIO for the City of Raleigh, where he assisted with the implementation of security policies, tools and employee education initiatives as well as PCI, CJIS and HIPAA compliance. He currently supports the IT infrastructure for the U.S. State Department.

Patrick also holds CISSP, CISM, and Security+ certifications as well as a PMP. He holds an MS in Information Technology – Cybersecurity and MS Public Policy from Carnegie Mellon University, where he assisted with graduate level teaching in the information security program.
