BAHAMUT APT
Bahamut, which in Arabic lore was a gargantuan sea monster that helped support the structure that holds the earth, was the name given by the researchers at BlackBerry to an extremely threatening hacker group. The researchers believe that due to the wide range of different targets, Bahamut is an Advanced Persistent Threat (APT) that operates as a mercenary hired by private individuals, corporations or even governments. Another characteristic supporting this theory is the incredible access to resources that the hackers must have to support their highly-targeted and precision-crafted attack campaigns. Bahamut's main focus is on phishing attacks, credential theft, and the very unusual for an APT group activity of spreading disinformation.
Table of Contents
Bahamut Carries Out Fine-Tuned Phishing Attacks
For its phishing attacks, Bahamut displays incredible attention to detail. The hackers target specific individuals and that they observe for an extended period that, in some cases, can last for over a year. The hackers have also shown that they are capable of attacking all device types. Bahamut has carried out campaigns employing custom-crafted Windows malware, as well as exploited various zero-day vulnerabilities, while their recent activities have involved attacks against mobile phones and devices. The hackers demonstrate deep knowledge of both iOS and Android. They have managed to place nine threatening applications on the AppStore directly, while a whole range of Android applications can be attributed to them through unique fingerprints discovered by the infosec researchers. To bypass some of the safeguards placed by Apple and Google, Bahamut craft official-looking websites that include Privacy Policies and even written Terms of Service for each of the applications. All of the applications distributed by Bahamut had backdoor functionality, but their specific capabilities differed from application to application. As a whole, the set of threatening applications could take complete control over the compromised device. The attackers could enumerate the filetypes stored on the device and exfiltrate any that caught their eye. In addition, Bahamut can:
- Access device information,
- Access call records,
- Access contacts,
- Access call records and SMS messages
- Record phone calls,
- Record video and audio,
- Track GPS location.
Bahamut is Responsible for Disinformation Campaigns
The other aspect of Baahamut's threatening operations shows the same level of commitment and attention to detail. The APT group crafts complete websites dedicated to spreading fake information. To make them more legitimate, the hackers also craft fake social media personalities. The group even bought the domain of a once legitimate tech news site called Techsprouts and revived it to serve a whole range of topics from geopolitics and industry news to articles about other hacker groups or exploit brokers. The contributors for Techsporut all have crafted identities with the hackers taking pictures of real journalists. A common topic among several of Bahamut's fake websites is the 2020 Sikh Referendum, which has been a hot-button topic in India since 2019.
As for regional preferences, Bahamut has been more active in the Middle East and South Asia regions. In fact, the hackers region-locked some the download of some of their threatening application to only be available for users in the United Arab Emirates while other applications were disguised as Ramadan-themed applications or linked to a Sikh separatist movement.
Bahamut is Well-Funded
Bahamut was able to remain undetected for a considerable amount of time, and while some of its activities were picked up upon by infosec researchers, they were attributed to different hack groups such as EHDevel, Windshift, Urpage and the White Company. The reason that has enabled Bahamut to achieve such operational security is the considerable amount of work is put into each attack campaign and the speed with which it changes the involved infrastructure and malware tools. There is also no carry-over between different operations. According to BlackBerry researchers, no IP addresses or domains from Windows attacks have been used for phishing or mobile campaigns and vice verse. Bahamut also has ensured that its activity isn't concentrated on a single hosting provider and employs over 50 different providers currently. As the cybersecurity researchers point out, achieving this requires considerable effort, time and access to resources.