‘Dark Basin’ is said to have targeted nonprofit groups battling Exxon Mobil

Hackers for hire have targeted thousands of individuals as part of campaigns against environmental advocacy groups, journalists, and others, according to a report produced by Citizen Lab, the University of Toronto’s cybersecurity watchdog group. Citizen Lab dubbed the group behind the campaigns “Dark Basin,” noting that it specifically targeted climate-change organizations who were campaigning against Exxon Mobil.

The report concludes that the campaigns represent “a clear danger to democracy” and could allow powerful organizations to target their opponents. “The extensive targeting of American nonprofits exercising their first amendment rights is exceptionally troubling,” Citizen Lab’s report says. The group has provided its information to federal prosecutors who are investigating the hackers and who hired them, The New York Times reports.

Environmental groups campaigning against Exxon Mobil appear to have been a frequent target of the hackers, with individuals associated with these groups receiving numerous phishing emails attempting to steal their credentials. These include the Rockefeller Family Fund, the Climate Investigations Center, and Greenpeace. The timing of phishing emails coincided with key events in the campaign, and their contents appear to reference Exxon Mobil. One screenshot shared by Citizen Lab shows a phishing message alleging to be a Dropbox link to a file called “ExxonMobile(confidential).docx,” and in other cases campaigners received fake Google News updates about Exxon Mobil.

Exxon Mobil has not been accused of any wrongdoing, and Citizen Lab does not attribute the campaign to any specific sponsor. In a statement, Exxon Mobil told The Verge that the company “has no knowledge of, or involvement in, the hacking activities outlined in Citizen Lab’s report.” It said that any suggestion of wrongdoing by Exxon Mobil in the report is not supported by any evidence.

Citizen Lab began investigating the hackers for hire after a journalist was hit by phishing attempts in 2017. Investigating the specific URL shortener, which the researchers say is “rarely seen,” revealed a huge phishing network that appeared to be targeting individuals and organizations around the globe. As well as nonprofits and journalists, targets also included lawyers, government officials, and energy sector executives, the report says.

Citizen Lab believes that the campaign has been carried out by an Indian-based company which previously advertised “ethical hacking” services via its website. It notes that similar operations have previously been hired via intermediaries like law firms and private investigators, which distances their work from their clients.

The New York Times reports that one individual, who ran an Israeli-based, private investigations company, has already been arrested as a result of the federal investigation. He has pleaded not guilty and plans to fight the charges.