A Russian-speaking hacker group for hire has access to the personal online communications of 3,500 prominent individuals. These individuals include presidential candidates, journalists and human rights activists. The group mainly focuses on Gmail, Protonmail and Telegram accounts.
This is what the Dutch cybersecurity researcher Feike Hacquebord reported at the Black Hat Europe 2021 conference. He has been following the hacker group, called RocketHack, for months, and in October 2020 he discovered a web page that the group uses to monitor its victims.
RocketHack has infiltrated the email and Telegram accounts, computers and Android phones of as many as 3,500 individuals over the past four years. The victims range from journalists, human rights activists and politicians to telecom engineers and IVF doctors.
Hacquebord’s discovery shows that it is not only companies like Israel’s NSO Group that carry out hacking for governments. There is also an underground industry of hacker collectives that will tap anyone’s digital information for the right price, whether the customer is a politician or a jealous husband.
How RocketHack works
RocketHack’s revenue model is simple, says Hacquebord. The group “goes after the most private and personal data of companies and individuals and then sells that data to whoever is willing to pay for it.” RocketHack doesn’t stop at emails: phone logs from cell towers, flight data and bank details are also for sale.
The hacking method RocketHack uses most often is phishing. Members send emails containing links to fake login pages that imitate, among others, Google’s Gmail, Protonmail and Telegram.
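The fake login pages described above rely on a link whose host only resembles the real Gmail, Protonmail or Telegram login domain. The following Python is an added example written for this page, not RocketHack’s tooling or any researcher’s code; it shows the defensive counterpart, a check that classifies a URL’s host as legitimate, a homoglyph (punycode) lookalike, a typosquat, or an unrelated domain that merely contains the brand name. The legitimate-domain list, the small confusables table and the sample URLs are constructed assumptions, and no RocketHack infrastructure is referenced.

```python
"""Flag URLs whose host imitates a Gmail, Protonmail or Telegram login page.

Added example for this page; not RocketHack tooling or vendor code. The domain
list, confusables subset and sample URLs are constructed for illustration.
"""
import unicodedata
from urllib.parse import urlsplit

# Assumed registrable domains of the genuine login services (illustration only).
LEGIT_DOMAINS = {"gmail.com", "google.com", "protonmail.com", "proton.me",
                 "telegram.org"}
# Brand words that should not appear inside an unrelated registrable domain.
BRAND_WORDS = ("protonmail", "proton", "gmail", "google", "telegram")
# Small subset of Unicode confusables: Cyrillic/Greek letters that look Latin.
CONFUSABLES = str.maketrans({
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0458": "j", "\u04bb": "h",
    "\u03bf": "o", "\u0261": "g", "\u0131": "i",
})

# Constructed sample: "gmail.com" with a Cyrillic "а" (U+0430), encoded the way
# it would appear in a real link (punycode, xn-- label).
HOMOGLYPH_SAMPLE = "https://" + "gm\u0430il.com".encode("idna").decode("ascii") + "/signin"


def hostname_of(url: str) -> str:
    """Extract the host from a URL; tolerate bare 'host/path' input."""
    if "://" not in url:
        url = "//" + url
    host = urlsplit(url).hostname or ""
    return host.rstrip(".").lower()


def to_unicode(host: str) -> str:
    """Decode xn-- labels so homoglyphs become visible; leave other hosts as-is."""
    try:
        return host.encode("ascii").decode("idna")
    except UnicodeError:
        return host  # already Unicode, or not valid punycode


def skeleton(host: str) -> str:
    """Fold compatibility forms and look-alike letters onto plain Latin."""
    return unicodedata.normalize("NFKC", host).translate(CONFUSABLES)


def registrable(host: str) -> str:
    """Last two labels. A real deployment should consult the Public Suffix List."""
    return ".".join(host.split(".")[-2:])


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess_login_url(url: str) -> tuple[str, str]:
    """Return (verdict, detail) for a link that claims to lead to a login page."""
    host = to_unicode(hostname_of(url))
    folded = skeleton(host)
    domain = registrable(folded)
    if domain in LEGIT_DOMAINS:
        if folded != host:
            return "homoglyph", f"{host!r} folds to {folded!r}"
        return "legitimate", domain
    for legit in sorted(LEGIT_DOMAINS):
        if levenshtein(domain, legit) <= 2:
            return "typosquat", f"{domain} is within 2 edits of {legit}"
    for word in BRAND_WORDS:
        if word in folded:
            return "brand-in-host", f"'{word}' appears in unrelated domain {domain}"
    return "unrelated", domain


if __name__ == "__main__":
    for sample in ("https://accounts.google.com/signin",
                   "https://protonmai1.com/login",
                   "https://gmail-secure-login.example/",
                   HOMOGLYPH_SAMPLE,
                   "https://example.com/"):
        print(sample, "->", assess_login_url(sample))
```

The check runs entirely offline: it does not fetch the page, only inspects the host. The two shortcuts worth replacing in production are `registrable()` (a two-label heuristic that misclassifies suffixes such as `co.uk`) and `CONFUSABLES` (a handful of Cyrillic and Greek letters rather than the full Unicode confusables data).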
Of the three, gaining access to a Protonmail account is the most expensive hack: it costs 50,000 rubles (612 euros). Access to a Gmail account costs just $490.
RocketHack also carries out attacks purely for financial gain. For example, the group operates multiple phishing websites targeting cryptocurrency exchanges and cryptocurrency wallets. The most notable target is the exchange Exmo: over the past year RocketHack went after not only Exmo’s customers but also the company’s management.
In addition to phishing, the group sells malware and spyware for Android and Windows devices. RocketHack’s spyware can monitor WhatsApp messages, record phone calls and track the device’s location.
The hackers behind the group
RocketHack’s members speak Russian, yet the group’s origin remains a mystery. It first came to light in 2017, when it offered paid hacks via the chat service Jabber, at that time mainly targeting VKontakte, a social networking site that is most popular in the countries that used to be part of the Soviet Union.
From this, Oleg Dyorov, research leader at the cybersecurity firm Group-IB in Singapore, concludes: “[It gives] reasons to believe that the attacker may have come from the post-Soviet region and have his customers there.”
Hacquebord informs law enforcement
The hacker group remains active to this day. Hacquebord: “There are maybe a dozen new victims every day.” So far, however, the researcher has informed only a few of the victims about the hacks.
He does intend to inform the police, although he does not know what impact this will have. Hacquebord: “I think many countries see their cyber mercenaries in their own region as a national asset. So it’s hard to tell them to just stop.”