Hacker-for-hire group targeting South Asian organizations, research says

There’s a new cyber mercenary group on the block.
dark web, hacker, transaction
(Getty Images)

There’s a new cyber mercenary group on the block, and they’re going after targets in more than a dozen countries around the globe, according to BlackBerry research published Thursday.

The hack-for-hire shop, which BlackBerry is calling “CostaRicto,” has largely gone after targets in South Asia, especially in India, Bangladesh and Singapore, according to BlackBerry. Some of its targeting has also been located in Africa, the Americas, Australia and Europe, including in Austria, the Bahamas, France, Mozambique, the Netherlands and Portugal, the researchers write in a blog on the group.

It isn’t exactly clear who the hackers-for-hire are, but given that their targets tend to be focused in South Asia, BlackBerry researchers suggest they may be based in that region. The disparate targeting and characteristics of their toolset suggest they are working on behalf of clients, BlackBerry reachers write.

CostaRicto targets victims with a custom backdoor that appeared last October, but has rarely been seen in use in the wild. That could indicate it is held privately and used exclusively by this group, the researcher write.


The way their custom backdoor, dubbed SombRAT, is configured hints that it is intended to be updated and used over time, suggesting it can be adapted to different targeting needs.

“The constant development, detailed versioning system and well-structured code that allows for easy functionality expansion — all suggest that the toolset is part of a long-term project, rather than a one-off campaign,” the researchers write in the blog, adding that the diverse set of targets suggests assignments from clients rather than a singular, directed espionage campaign.

The hackers-for-hire also work to steal their targets’ credentials, either through spearphishing or by purchasing them on the dark web, according to BlackBerry.

The CostaRicto mercenary operation is part of a growing trend of hack-for-hire shops doing the bidding of malicious actors around the world documented by researchers. One such shop, known as Bahamut, has been using malicious applications, disinformation, and software flaws to surveil targets in the Middle East and South Asia, for instance, according to previous BlackBerry research. An Indian cybersecurity firm known as BellTroX has also been conducting cyber-operations for clients, according to Citizen Lab. Other India-based cybersecurity contractors have also been acting as mercenary hackers for years, according to the Electronic Frontier Foundation.

Well-resourced businesses and government-backed actors who want to mask their involvement in surveillance operations, as well as entities who lack hacking skills, all may have an interest in taking advantage of these kinds of hack-for-hire shops, BlackBerry researchers said.


“Outsourcing attacks or certain parts of the attack chain to unaffiliated mercenary groups has several advantages for the adversary — it saves their time and resources and simplifies the procedures, but most importantly it provides an additional layer of indirection, which helps to protect the real identity of the threat actor,” BlackBerry researchers write.

Like many of the other hacker-for-hire operations, this one appears to have been operational for at least many months, according to BlackBerry. While the earliest timestamps for the custom backdoor date to October of last year, the timestamps on the payload stagers, which date to 2017, could suggest a longer-running operation.

Security researchers have long been calling for the global community to do more to rein in hacking-for-hire operations around the world. Earlier this week the European Parliament announced it had reached an agreement that would place stricter controls on the export of spyware outside of the European Union, suggesting the norms on outsourcing surveillance operations could be on the cusp of changing.

Shannon Vavra

Written by Shannon Vavra

Shannon Vavra covers the NSA, Cyber Command, espionage, and cyber-operations for CyberScoop. She previously worked at Axios as a news reporter, covering breaking political news, foreign policy, and cybersecurity. She has appeared on live national television and radio to discuss her reporting, including on MSNBC, Fox News, Fox Business, CBS, Al Jazeera, NPR, WTOP, as well as on podcasts including Motherboard’s CYBER and The CyberWire’s Caveat. Shannon hails from Chicago and received her bachelor’s degree from Tufts University.

Latest Podcasts