With seemingly little pattern to their attacks, most countries in the Middle East have been victims of this secretive hacker group. Its well-planned attacks have targeted Turkey, Qatar, Pakistan, Iran, Egypt and Saudi Arabia, with considerable attention paid to activists, journalists and human rights organisations.

The group’s name, Bahamut, refers to a gargantuan sea monster in ancient Arab mythology: the earth rests on the head of a bull, which stands on the Bahamut, which is in turn held up by an angel. The mythical name passed into English, becoming the root of the word ‘behemoth’.

The group regained notoriety after BlackBerry released a report on it detailing its methods, capabilities and broad reach. The report also warned of rising cyberwarfare capacities in a rapidly changing Middle East.

The BlackBerry report built on a number of previous reports detailing hacks that started as far back as 2016. Given the broad range of targets and diverse interests, BlackBerry researchers concluded that the group was likely a mercenary group for hire, “reflecting a skill-level well beyond most other known threat actor groups.”

The group uses a variety of methods, including zero-day exploits (weaknesses the designer of a computer or phone is unaware of) and intelligent phishing campaigns, which present fake versions of websites or official-looking text messages to a user while prompting them to enter their username and password.

BlackBerry reports that Bahamut has also designed compromised phone apps, backed by near-perfect websites complete with privacy policies and terms of service. These included video streaming, call recording, music, prayer time, chat, VPN and Quran apps.

One particular strength of the group is fake news: it has a demonstrated ability to create fake activist and journalist personas and profiles, and to set up entire fake news websites that provide real news laced with subtle misinformation.

Murky waters

Since it first surfaced in 2016, Bahamut has adopted a number of names, with BlackBerry researchers finding strong similarities between its many aliases. For instance, under the guise of The White Company, it attacked Pakistani security interests and newspapers.

The report does, however, raise serious questions about possible parallels between the group and the United Arab Emirates.

First, Bahamut’s rise occurred in the same year that the UAE began building its nascent cyberwarfare capacities. Its infamous DarkMatter tech group was the final version of Project Raven, which used former US National Security Agency employees to spy on and hack governments, human rights activists and American citizens.

In 2016 and 2017, Project Raven would break into hundreds of iPhones and computers around the world, including those of individuals in the governments of Qatar, Turkey, Yemen and Iran.

In the same vein, the UAE would play a key role in brokering a deal between Saudi Arabian representatives of Crown Prince Mohammed bin Salman and the NSO Group, an Israeli intelligence and surveillance company with deep political ties.

The deal gave Saudi Arabian intelligence the use of Pegasus, hacking software capable of compromising previously secure MacBooks and iPhones. Both the UAE and Saudi Arabia made full use of their new capacities, hacking journalist Jamal Khashoggi’s phone prior to his murder, as well as the phones of a broad array of dissidents, enemies and political opponents.

While the UAE’s ties to the Israeli NSO Group stretch back as far as 2013, their introduction to Saudi Arabia took place months before MBS’s infamous purge in 2017, which saw 159 Saudi princes and business leaders imprisoned in the Ritz-Carlton.

Coincidence or correlation?

One of Bahamut’s aliases, Windswept, was exposed by DarkMatter analyst and security researcher Taha Karim, a French national of North African descent. His report expands on how Windswept had the capacity to use zero-day exploits on Apple phones and computers, well after the company he worked for had established its use of the same techniques on dissidents, activists and political opponents.

While it remains uncertain whether Karim was fully aware of what was going on in his company, a striking parallel exists between the two groups, which were using the same hacking methods on some of the same targets at the same time.

But the coincidences only increase.

Qatar crisis