In this talk, we put a cyber mercenary into the spotlight. This cyber mercenary has no shiny brochure or office, but it advertises its services on underground forums such as Probiv. We will detail campaigns of this actor, which we track as "Void Balaur", spanning 2016-2021. Some of these campaigns had a significant impact on targets' lives, for example in Uzbekistan and Belarus.
Void Balaur came to our attention in spring 2020, when we were contacted by a frequent target of Pawn Storm (APT28): his spouse had received a dozen phishing emails and he wanted to know who the sender was. We soon linked these phishing emails to Void Balaur, but we needed 6 more months of research to reach high-confidence attribution. Using billions of passive DNS records and Trend Micro's telemetry, we found more targets and related campaigns between 2016 and 2019. Some of these campaigns had been reported on earlier by Amnesty International (2020) and eQualit.ie (2019), but without attribution.
In fall 2020 we found that somebody hiding behind the eleos.tk VPN network was using a customer system to access Void Balaur's control panels. These control panels appeared not to be protected by any authentication. From that moment on we could attribute old and new campaigns of Void Balaur with high confidence.
We uncovered more than 1000 targets. These included oligarchs, CEOs, politicians and human rights activists, some of whom had to flee their home country. We found a small but clear overlap with the targeting of Pawn Storm. This shows that attackers motivated by political and corporate espionage have found their way to this cyber mercenary.
International regulations do not protect the targets of cyber mercenaries. Therefore, we discuss how journalists, human rights activists and other targets can better protect themselves against APT attackers and cyber mercenaries.