Bahamut mercenaries described. US seizes Iranian disinfo domain names. Phishbait from news. Russia says it doesn’t meddle.
BlackBerry yesterday published its research into the activities of Bahamut, a cybermercenary group, unusually sophisticated and patient. Its customers (or “true sponsors” as BlackBerry calls them) remain unknown. Bahamut engages in cyberespionage and disinformation, and its operations are marked by extensive reconnaissance, concentration on particular targets, and attention to detail. It prefers phishing to malware, but it shows unusual savvy with respect to zero-days when it decides to deploy those. The group is most active in the Middle East and South Asia.
BlackBerry sees Bahamut as a leading example of the outsourcing of cyberespionage and disinformation, attractive not only for its capabilities, but also for the deniability it brings. Bellingcat began to take notice of Bahamut in 2017, so the group is not a new one. CyberScoop, in its account of BlackBerry’s research, offers a review of other mercenary actors.
The US Justice Department last night announced the seizure of ninety-two domain names that Iran’s Islamic Revolutionary Guard Corps had been using in global disinformation campaigns. The domains were used to create fake personae misrepresenting themselves as independent news services. Justice credits Google with alerting them to the campaign, citing it as a good instance of public-private cooperation.
Proofpoint finds that, unsurprisingly, references to President Trump's COVID-19 diagnosis are appearing as phishbait in a BazaLoader spam campaign.
TASS is authorized to disclose that accusations of Russia's interference in foreign elections are groundless, baseless, without foundation. That's not necessarily the same thing as "false," so call it a see-em-and-call non-denial denial.
Gloss