An unprecedented peek inside an underground hacker-for-hire operation reveals 3,500 targets, including Belarusian presidential candidates, Uzbek human rights activists and a cryptocurrency exchange. Their primary targets? Gmail, Protonmail and Telegram accounts belonging to anyone on whom their paymasters want to spy.
A stakeout in digital investigations looks very different to the traditional images of sleuths camped out in blacked-out vans. Just ask Netherlands-based cybersecurity researcher Feike Hacquebord, who’d spent some months behind his computer screen tracking the activities of a hacker-for-hire crew called RocketHack when, in October 2020, he had a slice of luck. Data collected by his employer, Trend Micro, pointed to a web page used by RocketHack to monitor its victims. Requiring no password to enter, it effectively gave him a shop floor view of a bustling hacker-for-hire operation.
The breakthrough led to the discovery that, for the last four years, the Russian-speaking RocketHack crew has quietly infiltrated email and Telegram accounts, PCs and Android phones of as many as 3,500 individuals. The targets range from journalists, human rights activists, and politicians through to telecommunication engineers and IVF doctors across a few dozen clinics, according to Hacquebord.
His findings provide startling proof that alongside established (though controversial) businesses like Israel’s NSO Group, which provides services for law enforcement to hack into devices, there’s an underground industry of players like RocketHack, who will break into people’s digital lives for the highest bidder, whether that’s a government, a corporate espionage client, a stalker or an abusive spouse.
RocketHack’s business model, according to Hacquebord’s report as shown to Forbes ahead of publication on Wednesday at the Black Hat Europe security conference, is simple: it “goes after the most private and personal data of businesses and individuals then sells that data to whomever wants to pay for it.” Alongside access to people’s emails, the crew has also sold call record logs from cell towers, airline data and banking information, Hacquebord told Forbes.
RocketHack’s primary hacking method is phishing: emails containing links to fake login pages for Google Gmail, the encrypted email service Protonmail and Telegram, amongst others. A 2018 advert from the hackers suggested breaching the security-focused Protonmail was its most expensive service at 50,000 rubles ($700 at today’s exchange rate), while cracking a Gmail account would cost 40,000 rubles. But there’s evidence that with some Russian email providers they have some kind of deeper access, as they offer to get into accounts without needing to trick the user with phishing emails.
Its client list remains unknown, but it appears to be diverse, and likely to contain nation state customers. On its target list were two presidential candidates in Belarus and one member of the opposition party, in a country where a repressive government has sought to crack down on dissent. It also targeted the private emails of the Minister of Defence in an Eastern European country and the former head of an unspecified intelligence agency. Government officials across Ukraine, Slovakia, Russia, Kazakhstan, Armenia, Norway, France and Italy were all targeted this year. Previous advertisements on underground forums, as detailed by Singapore-based cybersecurity company Group-IB, indicated the crew offered to check individuals’ credit histories and whether they were wanted by international law enforcement agencies.
Hacquebord claimed a number of hacks on Uzbekistan human rights activists and journalists, previously detailed by Amnesty International and Canadian nonprofit Equalit.ie, were perpetrated by RocketHack. That included the editor-in-chief of an Uzbek media website. More than 25 journalists around the world have been targeted too.
That as many as 70 IVF doctors had been hacked was a surprise to Hacquebord. A Russian tax officer was also on the hackers’ hit list. It may be that RocketHack wasn’t targeting those individuals for any particular reason, but because they were privy to a large amount of personal data, which could then be sold at a future date, the researcher said. “It looks like they are looking for sources or for their information, maybe to sell even more.”
As for financial-focused attacks, it has set up various phishing sites for cryptocurrency exchanges and cryptocurrency wallets. One particular focus was London-based cryptocurrency exchange Exmo, according to the research. RocketHack went after not just customers, but Exmo executives too. One of the company’s managers was kidnapped in Kiev, Ukraine, in 2017 and later thrown from a vehicle on a motorway by his captors, according to reports. (Exmo hadn’t responded to a request for comment at the time of publication.)
Alongside phishing, the group operates malware for spying on Android and Windows devices, the researcher added. He discovered the Android spyware had modules for snooping on WhatsApp, recording calls and tracking location.
A dozen victims a day
The group isn’t slowing down. Every day, Hacquebord is seeing new RocketHack victims. “Every day there’s maybe a dozen new targets,” he says.
Though they speak in Russian, their origins are a mystery. Oleg Dyorov, head of the research unit at Singapore-based cybersecurity company Group-IB, said the hacking crew first appeared offering services on encrypted messaging software Jabber in 2017, often focusing on VK. As the social network is popular in post-Soviet countries, this could give “grounds to assume that the attacker might originate from the post-Soviet region and have their customers there as well,” Dyorov added.
RocketHack is just one of many underground operators providing such hacker-for-hire services. As a researcher at cyber intelligence company Intel 471 told Forbes, “The account takeover market is very lucrative and, as RocketHack shows, doesn’t take a lot of effort to cause a good amount of damage.”
“Cybercriminals work in a relatively competitive environment,” added Dyorov.
Hacquebord has only informed a handful of RocketHack victims they were hacked. But, having watched the group for over a year, he now plans to inform law enforcement about RocketHack’s activities. He’s not sure what impact it will have. “I think a lot of countries might view their cyber mercenaries in their own region as a national asset,” he added. “So it’s hard to tell them just to shut them down.”