Researchers identify ‘cybermercenary’ group behind dozens of hacks

Hacking groups aren’t always divided between state sponsorship and strictly personal gain. Sometimes, they’ll work for any customer with a large-enough bank account. The Record reports that Trend Micro has identified Void Balaur, a “cybermercenary” group that has struck both political and commercial targets since 2015. It primarily steals data to sell to whoever’s willing to pay, whether that’s a government or a fraudster.

Void Balaur was initially linked to attacks against human rights activists and journalists in Uzbekistan. More recently, it attacked Belarusian presidential candidates in 2020 and several political leaders in an unnamed Eastern European country. However, the hacking outfit also targeted executives and directors at a very large Russian company between 2020 and 2021, and has been attacking and selling data from telecoms, banks and cryptocurrency users. The group has been linked to the on-demand hacking site RocketHack.me.

It’s not clear just where Void Balaur operates from, or whether it has official government support. There’s some overlap between Void’s targets and those of the Russia-backed APT28 (aka Fancy Bear or Pawn Storm), but not enough to establish a clear link. And while the group has only ever advertised its services on Russian-language sites, it’s not necessarily operating from Russia. We’d add that Russia usually turns a blind eye to cybercriminals only so long as they don’t attack Russian interests — Void doesn’t have problems attacking Russian businesses.

The study illustrates the difficulty in pinpointing the nature of some hackers, let alone catching them. Cybermercenaries also pose a particularly severe threat as they’re often happy to attack any target without reservations. It won’t be surprising if there are more groups like Void Balaur that have simply gone undetected.