Trend Micro has revealed details of a new Russian-speaking cyber-mercenary group responsible for at least 3500 victims over the past six years.
Dubbed “Void Balaur” after an evil creature from Eastern European folklore, the group goes by the name “Rockethack” on underground Russian language forums, where it has been advertising since 2018 to 100% positive reviews.
According to Trend Micro’s report on the outfit, it focuses on compromising email and social media accounts and selling sensitive personal and financial information, including telco data, passenger flight records, banking data and passport details.
Its global targets range from Russian telcos to ATM vendors, financial services firms, medical insurers and IVF clinics. These are selected as they store lucrative personal and corporate information that can be sold at a relatively high price. The group charges over $800 for phone call records with cell tower locations, for example.
However, Void Balaur also targets journalists, human rights activists, politicians, scientists, doctors, telco engineers and cryptocurrency users.
Some of these overlap with individuals targeted by the notorious Kremlin-backed Pawn Storm group (APT28, Fancy Bear), although it’s not thought the two groups are otherwise connected.
According to Trend Micro, phishing and info-stealing malware and its main tools to compromise its victims. That makes multi-factor authentication (MFA), end-to-end encrypted apps, “robust” email and corporate detection and response tools a must, the vendor claimed.
The proliferation of groups like Void Balaur is a consequence of a highly professionalized cybercrime economy, argued Trend Micro senior threat researcher Feike Hacquebord.
“Given the insatiable demand for their services and harboring of some actors by nation-states, they’re unlikely to go away anytime soon,” he added. “The best form of defense is to raise industry awareness of the threat in reports like this one and encourage best practice cybersecurity to help thwart their efforts.”