A hack-for-hire cyberespionage group named Bahamut is conducting advanced attacks against government officials and organizations using sophisticated credential-harvesting and phishing campaigns, new Windows malware samples, zero-day exploits, and other techniques. The group is politically motivated and has a wide range of targets. It has historically targeted people and entities in South Asia, particularly India and Pakistan, as well as the Middle East, primarily the UAE and Qatar.
Despite its range of targets and attacks, the lack of a discernible pattern or unifying motive leads researchers to believe Bahamut is most likely operating as a hack-for-hire group. They believe the group has access to one zero-day developer and has leveraged zero-day exploits against multiple targets. Bahamut has carried out highly disparate targeting across a number of verticals and geographic regions.
While Bahamut’s activity in the Middle East has targeted private businesses and individuals, most of its attacks are aimed at government. In Saudi Arabia it went after seven different ministries and other agencies, with a focus on monetary and financial policy. It also targeted the Emirates, Qatar, Bahrain, and Kuwait, with an emphasis on foreign policy and defense. BlackBerry, the firm that researched the group, provided a general list of targets that includes Middle East human rights activists, the Saudi Minister of Energy, the Union of Arab Banks, journalists and foreign press in Egypt, Saudi Aramco, and Turkish government officials. While attribution is difficult, BlackBerry believes Bahamut is located close to the regions it operates against, and that it targets people, businesses, government agencies, human rights groups, and political groups in South Asia and the Gulf, as well as in Europe, Africa, and China.
In the Middle East, BlackBerry observed phishing of government agencies, private businesses, and individuals. The majority of the targeting, however, was aimed at government. In Saudi Arabia, that included the targeting of seven different ministries and other agencies, with an added emphasis on monetary and financial policy. BlackBerry observed targeting of other government ministries in the Emirates, Qatar, Bahrain, and Kuwait, this time with an emphasis on foreign policy and defense. Bahamut’s targeting in the Middle East also takes a wider, more dragnet approach in the form of mobile phone applications. A more thorough discussion of the fake applications, many of which were available for download in the Emirates. Bahamut’s South Asian phishing targets are focused on individuals of greater importance in private industry, in contrast to the heavily government-themed phishing in the Gulf.