A guard stands watch outside the Saudi Embassy building in Washington, U.S., October 5, 2020. (REUTERS)
The report on the group, known publicly as Bahamut, the name assigned to the mythical sea monster of Arab lore, highlights how cybersecurity researchers are increasingly finding evidence of mercenaries online.
BlackBerry's vice president of research, Eric Milam, said the diversity of Bahamut's activities was such that he assumed it was working for a range of different clients.
"There's too many different things going on across too many different ranges and too many different verticals that it would be a single state," Milam said ahead of the report's release.
In June, Reuters reported on how an obscure Indian IT firm called BellTroX https://www.reuters.com/article/idUSKBN23G1GQ offered its hacking services to help clients spy on more than 10,000 email accounts over seven years, including targeting prominent American investors.
BlackBerry - which absorbed antivirus firm Cylance in 2019 - stitched together digital clues left by other researchers over the years to create a picture of a sophisticated group of hackers. BlackBerry also linked the group to mobile phone applications in the Apple and Google app stores. Those apps, which included a fitness tracker and password manager, may have helped the hackers track their targets, the report said.
Apple declined to comment on the record. Two of the apps flagged by Blackberry are no longer in the Apple App Store though. A Google spokesman said all the apps in the Google Play Store mentioned in the report had been removed.
Milam declined to comment on who he thought might be behind Bahamut, but he said he hoped the report would help to sharpen the focus on hackers-for-hire. Taha Karim, the chief executive of Emirati cybersecurity company tephracore - who wasn't involved in BlackBerry's research but reviewed the report ahead of publication - said the findings were credible and "they found links that aren't obvious."
BlackBerry did not name any of Bahamut's targets directly, but researchers have previously publicly identified Middle Eastern human rights activists, Pakistani military officials, and Gulf Arab businessmen as being in the group's crosshairs. Reuters was also able to identify new targets by cross-referencing data published in BlackBerry's report with boobytrapped webpages preserved by urlscan.io, a cybersecurity tool.
One heavily targeted organization included the New York-based Sikhs for Justice, a separatist group that's campaigning for an independent homeland for Sikhs in India. Its founder, Gurpatwant Singh Pannun, said his campaign websites have been repeatedly hacked and his emails broken into.
Others pursued by the hackers included: The United Arab Emirates' Ministry of Defense, its Supreme Council for National Security, and Shaima Gargash, the Emirates' No. 2 diplomat in Washington.
In an email, Gargash said the embassy had no comment.
Saudi officials were also targeted by the hackers. Cached phishing pages preserved by services such as urlscan and reviewed by Reuters showed that the cyber spies targeted Mawthouq, the Saudi government's email service, half a dozen Saudi government ministries, and the Saudi Center for International Strategic Partnerships, a Riyadh-based body aimed at helping coordinate the petrostate's foreign policy.
The Saudi Embassy in Washington did not respond to requests for comment.
The hackers pursued royals and business executives in Bahrain, Kuwait, and Qatar. In August 2019 they attempted to compromise an employee of major Indian energy conglomerate Reliance Industries around the time that the company was negotiating the sale of a stake in its oil-to-chemicals business to Saudi Aramco.
Reliance did not return repeated messages. Attempts to reach the hackers were unsuccessful.