A new group of cyber mercenaries targets businesses, journalists — including some in Russia

The group shares some similarities with Fancy Bear, but is a separate organization, Trend Micro found.
Police officers wearing face masks guard in terminal F at Moscow's Sheremetyevo airport on April 4, 2020. (Photo by YURI KADOBNOV/AFP via Getty Images)

Trend Micro said on Wednesday it has discovered a new Russian-language cyber mercenary group that has been going after targets ranging from Russian businesses to journalists and politicians.

Researchers discovered the group after a long-time target of Pawn Storm, a hacking group connected to Russian intelligence, also known as Fancy Bear and APT28, said in March of 2020 that hackers targeted his wife with phishing emails. Trend Micro found that the indicators didn’t match Pawn Storm, and attributed the attacks to another Russian-language group it named Void Balaur.

Unlike APT28, Void Balaur appears to be an independent group willing to hack into the emails of targets as diverse as aviation companies in Russia to human rights activists in Uzbekistan, according to Trend Micro.

“Their targets are really a mixed bag,” lead researcher Feike Hacquebord said in an interview. “It looks like a lot of different customers are using them and that that matches with our impression that they are actually a cyber mercenary that can just be hired by about anyone.”


The research highlights the growing and unchecked cyber mercenary industry, one that has sparked political and human rights concerns. While nations may see cyber mercenary services as a state asset, hacker-for-hire organizations can easily be turned on their home country, researchers warn.

Russian hackers, such as ransomware groups, tend to operate with impunity within the region because of a tacit agreement with the Russian government not to attack Russian targets. Those agreements are less stringent when it comes to stealing and selling Russian individuals’ personal data, which proliferates on Russian-language forums, Hacquebord said.

So far, TrendMicro researchers have uncovered more than 3,500 targets of the group. The hackers largely focus on organizations that can provide large sets of personal data, including mobile operators and in vitro fertilization clinics.

“Our research revealed a clear picture: Void Balaur goes after the most private and personal data of businesses and individuals then sells that data to whomever wants to pay for it,” Hacquebord wrote in the report.

Data sold by the group, which advertises under the name “Rockethack” on Russian-speaking underground forums, includes Russian passport information, Russian airport passenger data, Interpol records and Russian tax records. Trend Micro named the hackers Void Balaur after a multi-headed monster of Eastern European folklore, symbolizing the many goals for which they’re apparently hired.


In addition to corporate espionage, Void Balaur has launched major campaigns against political targets. In September,  researchers found that the group “targeted the private email addresses of a former head of an intelligence agency, five active government ministers (including the minister of defense) and two members of the national parliament of an Eastern European country.”

TrendMicro also with “medium confidence” ties Void Balaur to espionage against Uzbek journalists and activists, a campaign that traces back to a year before Void Balaur first started advertising online in 2017.

United Nations experts on Friday released a report raising an alarm about “mercenary-related activities in cyberspace” and urged states against recruiting, financing and training such individuals.

Tonya Riley

Written by Tonya Riley

Tonya Riley covers privacy, surveillance and cryptocurrency for CyberScoop News. She previously wrote the Cybersecurity 202 newsletter for The Washington Post and before that worked as a fellow at Mother Jones magazine. Her work has appeared in Wired, CNBC, Esquire and other outlets. She received a BA in history from Brown University. You can reach Tonya with sensitive tips on Signal at 202-643-0931. PR pitches to Signal will be ignored and should be sent via email.

Latest Podcasts