Google blocked dozens of domains used by hack-for-hire groups

Google's Threat Analysis Group (TAG) has blocked dozens of malicious domains and websites used by hack-for-hire groups in attacks targeting high-risk targets worldwide.

Unlike commercial surveillance vendors whose tools are deployed in attacks by clients, hack-for-hire operators are directly involved in attacks and are usually employed by a firm offering such services. In some cases, they can also be "freelance" threat actors. 

They're hired for their hacking skills by clients who lack them or who want to conceal their identity if the attacks are detected and investigated.

Hack-for-hire groups target individuals and organizations in data theft and corporate espionage campaigns, with past victims including politicians, journalists, human rights and political activists, and various other high-risk users from all over the world.

"The breadth of targets in hack-for-hire campaigns stands in contrast to many government-backed operations, which often have a clearer delineation of mission and targets," Google TAG Director Shane Huntley said on Thursday.

"A recent campaign from an Indian hack-for-hire operator was observed targeting an IT company in Cyprus, an education institution in Nigeria, a fintech company in the Balkans and a shopping company in Israel."

Hack-for-hire campaigns worldwide 

Currently, Google TAG is tracking multiple hack-for-hire firms from several countries and their campaigns, including India, Russia, and the United Arab Emirates. 

For instance, one group of hired spies from India linked to offensive security providers Appin and Belltrox and tracked throughout the last decade has orchestrated credential phishing campaigns against organizations in the government, healthcare, and telecom sectors of Saudi Arabia, the United Arab Emirates (UAE), and Bahrain.

Reuters also reported today that Indian cyber-mercenaries have also tried to hack "at least 75 U.S. and European companies, three dozen advocacy and media groups and numerous Western business executives," as well as into email inboxes belonging to the targets' lawyers, "some 1,000 attorneys at 108 different law firms."

Another hack-for-hire threat actor from Russia (known as Void Balaur) was linked to credential phishing attacks against journalists, politicians, and various NGOs and non-profit organizations across Europe (including Russia).

Void Balaur pricing list (Google TAG)

Last but not least, a UAE-based hack-for-hire group linked to H-Worm's developers and whose activity was also spotted by Amnesty International, has primarily focused its attacks on government, education, and political organizations in the Middle East and North Africa.

"As part of our efforts to combat serious threat actors, we use results of our research to improve the safety and security of our products. Upon discovery, all identified websites and domains were added to Safe Browsing to protect users from further harm." Huntley added.

"We encourage any high risk user to enable Advanced Protection and Google Account Level Enhanced Safe Browsing and ensure that all devices are updated. Additionally, our CyberCrime Investigation Group is sharing relevant details and indicators with law enforcement."

Huntley also shared the complete list of malicious domains blocked by Google while investigating the activity of hack-for-hire groups from India, Russia, and the UAE.

Google TAG's team of security experts is also tracking a long list of state-backed and financially motivated threat actors, including dozens of surveillance vendors who sell their spyware to governments around the world.

"TAG is actively tracking more than 30 vendors with varying levels of sophistication and public exposure selling exploits or surveillance capabilities to government-backed actors," Google TAG members Clement Lecigne and Christian Resell said recently.