Worst-case global heating scenarios may need to be revised upwards in light of a better understanding of the role of clouds, scientists have said.
Recent modelling data suggests the climate is considerably more sensitive to carbon emissions than previously believed, and experts said the projections had the potential to be “incredibly alarming”, though they stressed further research would be needed to validate the new numbers.
Modelling results from more than 20 institutions are being compiled for the sixth assessment by the United Nations Intergovernmental Panel on Climate Change, which is due to be released next year.
Compared with the last assessment in 2014, 25% of them show a sharp upward shift from 3C to 5C in climate sensitivity – the amount of warming projected from a doubling of atmospheric carbon dioxide from the preindustrial level of 280 parts per million. This has shocked many veteran observers, because assumptions about climate sensitivity have been relatively unchanged since the 1980s.
“That is a very deep concern,” Johan Rockström, the director of the Potsdam Institute for Climate Impact Research, said. “Climate sensitivity is the holy grail of climate science. It is the prime indicator of climate risk. For 40 years, it has been around 3C. Now, we are suddenly starting to see big climate models on the best supercomputers showing things could be worse than we thought.”
He said climate sensitivity above 5C would reduce the scope for human action to reduce the worst impacts of global heating. “We would have no more space for a soft landing of 1.5C [above preindustrial levels]. The best we could aim for is 2C,” he said.
Worst-case projections in excess of 5C have been generated by several of the world’s leading climate research bodies, including the UK Met Office’s Hadley Centre and the EU’s Community Earth System Model.
Timothy Palmer, a professor in climate physics at Oxford University and a member of the Met Office’s advisory board, said the high figure initially made scientists nervous. “It was way outside previous estimates. People asked whether there was a bug in the code,” he said. “But it boiled down to relatively small changes in the way clouds are represented in the models.”
The role of clouds is one of the most uncertain areas in climate science because they are hard to measure and, depending on altitude, droplet temperature and other factors, can play either a warming or a cooling role. For decades, this has been the focus of fierce academic disputes.
Previous IPCC reports tended to assume that clouds would have a neutral impact because the warming and cooling feedbacks would cancel each other out. But in the past year and a half, a body of evidence has been growing showing that the net effect will be warming. This is based on finer resolution computer models and advanced cloud microphysics.
“Clouds will determine humanity’s fate – whether climate is an existential threat or an inconvenience that we will learn to live with,” said Palmer. “Most recent models suggest clouds will make matters worse.”
In a recent paper in the journal Nature, Palmer explains how the new Hadley Centre model that produced the 5+C figure on climate sensitivity was tested by assessing its accuracy in forecasting short-term weather. This testing technique had exposed flaws in previous models, but in the latest case, the results reinforced the estimates. “The results are not reassuring – they support the estimates,” he wrote. He is calling for other models to be tested in a similar way.
“It’s really important. The message to the government and public is, you have to take this high climate sensitivity seriously. [We] must get emissions down as quickly as we can,” he said.
The IPCC is expected to include the 5+C climate sensitivity figure in its next report on the range of possible outcomes. Scientists caution that this is a work in progress and that doubts remain because such a high figure does not fit with historical records.
Catherine Senior, head of understanding climate change at the Met Office Hadley Centre, said more studies and more data were needed to fully understand the role of clouds and aerosols.
“This figure has the potential to be incredibly alarming if it is right,” she said. “But as a scientist, my first response is: why has the model done that? We are still in the stage of evaluating the processes driving the different response.”
While acknowledging the continued uncertainty, Rockström said climate models might still be underestimating the problem because they did not fully take into account tipping points in the biosphere.
“The more we learn, the more fragile the Earth system seems to be and the faster we need to move,” he said. “It gives even stronger argument to step out of this Covid-19 crisis and move full speed towards decarbonising the economy.”
America's top cop is a rightwing culture warrior who hates disorder. What could go wrong?
Lloyd Green
William Barr forged his worldview fighting protesters in the 1960s. Now he’s masterminding the US government’s crackdown on unrest
Sat 6 Jun 2020
‘Barr and the pro-Vietnam crowd lost that battle, but hoped to win the war. Now, in the Trump presidency, history has offered Barr a kind of do-over.’ Photograph: Oliver Contreras/EPA
Maybe the 1960s never ended. Police, protesters and rioters once again fill our rage-filled streets and television screens. Amid a pandemic that has already claimed over 100,000 lives, a cultural divide that burst into flames more than a half-century ago is back – and burning furiously.
Earlier this week, Donald Trump seemed to morph into Richard Nixon, America’s self-proclaimed “law and order” president who resigned in disgrace. The cameras rolled as a Bible-brandishing president threatened to send US troops into America’s cities. As Trump stood in front of an Episcopal church near the White House, teargas canisters and flash-bang grenades exploded nearby.
In his inaugural address in 2017, Trump vowed to restore what he characterized as American greatness, strength, and safety. In William Barr, the US attorney general, Trump has a powerful and determined partner. It was Barr who personally ordered military police to clear peaceful protesters from around the White House, and Barr who is reportedly advocating an intense “flood the zone” show of authority. “The president sees Barr as the ‘bad cop’ he can unleash if states and cities don’t get their act together,” an administration official told the Daily Beast.
Both men aim to turn back the clock to a time when everyone “knew their place”. But where Trump has been a bumbling, self-interested and ideologically erratic leader – a weak man’s strongman – Barr is smart, dedicated and disciplined. He understands how to wield power and holds a consistent worldview. He’s an aggressive advocate for executive power and the police – who happens to be America’s top law enforcement officer at the same time as unrest roils the country.
“Barr is vastly more intelligent than Donald Trump,” Stuart Gerson, a former colleague of Barr’s, recently told the New York Times Magazine. “What Trump gives Bill Barr is a canvas upon which to paint. Bill has longstanding views about how society should be organized, which can now be manifested and acted upon to a degree that they never could have before.” (Gerson was my boss when I worked at the US Department of Justice from 1990 to 1992. Barr was head of the department from November 1991 to January 1993.)
Trump and Barr are close in age. Both grew up during the Vietnam war and the 1960s- and 1970s-era unrest. But where young Trump’s “personal Vietnam” involved dodging syphilis, avoiding the draft, “bone spurs” and apprenticeship in his father’s growing real estate empire, Vietnam, for young “Billy” Barr, was different. The war was part of his family’s reality.
Barr’s older brother was in Vietnam, fighting in the navy. Barr’s father had served in the army during the Second World War and was a member of the Office of Strategic Services, the forerunner to the Central Intelligence Agency.
As a Columbia undergraduate, Barr stood fast against the anti-war protesters who sought to bring the university to its knees. Back then, the operative divide was “Staten Island v Scarsdale” – conservative, often Catholic, students from the blue-collar New York City outer borough versus liberal, often Jewish, students from affluent suburbs. Barr, though far from working-class, was firmly planted in the first camp.
At the time, radical leftwing activists such as Berkeley’s Mario Savio argued that people of conscience must throw themselves against the machinery of the state. Barr, in contrast, saw himself as holding the line against anarchy and disorder. When protesters attempted to storm the university library, Barr and a group of counter-protesters blocked them. The standoff, according to the New York Times, was resolved by a massive fistfight. The counter-protesters won.
Ultimately, however, Barr’s side of the student culture war lost. Nixon, though an anti-communist, knew the American public’s appetite for the war was rapidly depleting. He pulled America out of Vietnam after 20,000 US soldiers were killed on his watch.
When Saigon fell and the draft ended, the two sides of the culture war retreated to their respective corners. Leftist students started their “long march through the institutions” – academia, journalism and the cultural sphere.
And Barr and the pro-Vietnam crowd started their own long march, too. Barr briefly served in the CIA as an analyst and then in the agency’s legislative counsel’s office, where he met George HW Bush, then helming the agency. When Bush was later elected president, in 1988, Barr joined the administration and rapidly rose to the top of the justice department, where he served his first tenure as attorney general. A profile at the time described Barr as a “bookish-looking son of educators who speaks with a muted New York accent”, and extremely effective.
During the 1992 Los Angeles riots following the Rodney King verdict, Barr argued that “our system is fair and does not treat people differently”. He conceded that “our national criminal-justice system is a diverse [and] broad one”, with cases of individual bias, but that “taken in its totality, the system seems to operate fairly”. He blamed the riots mainly on opportunistic gang violence.
After two days of rioting, Bush and Barr invoked the Insurrection Act at the request of California’s Republican governor, Pete Wilson. The statute is a rarely used provision that permits the president to use federal military forces for domestic law enforcement, which is normally illegal. Together with the national guard, the US army and marines deployed to LA and helped restore order.
Today the US faces a situation akin to the 1992 riots, not to mention the 1960s clashes over Vietnam. Barr and the pro-Vietnam crowd lost that battle, but hoped to win the war. Now, in the Trump presidency, history has offered Barr a kind of do-over.
In the New York Times, Gerson, Barr’s former justice department colleague, characterized Barr as “hierarchical” and “authoritarian” in outlook, committed to the premise that “a top-down ordering of society will produce a more moral society”.
In speeches, Barr, a traditionalist Catholic, has railed against “militant secularists”, who seek “to mitigate the social costs of personal misconduct and irresponsibility”.
Barr and many conservatives of his generation remember the 1960s cultural revolution as a kind of traumatic rupture in US history – a Pandora’s box that unleashed decadence, sexual permissiveness and rebelliousness, and led to the atomization of society and the decline of the family unit. The results, as they see it, were leftist militancy, drug addiction, out-of-wedlock childbirth and a decoupling of religion from society. For a certain kind of conservative, undoing that legacy has been a decades-long political project.
In the long term, Trump’s real legacy as president may be the stamp he puts on the federal judiciary. The judges he has appointed – 193 so far, including two supreme court justices – are already wading into fierce legal disputes concerning abortion, immigration, sexual orientation and other issues. Their rulings will reverberate long after Trump leaves office. His judicial nominations are frequently drawn from the ranks of the Federalist Society, a conservative legal organization founded in the early 1980s at the Harvard, Yale and University of Chicago law schools as a counterweight to what its members perceived as the liberal orthodoxies prevalent at the leading law schools.
The Federalist Society and its supporters, including Barr, frame themselves as favoring strict readings of the constitution; in practice, however, they have frequently pushed for the expansion of executive power. One particular target of their hostility is the 1973 War Powers Act, Congress’s attempt to reassert itself after the debacle of Vietnam and rein in the war-making powers of the president.
In 2001, looking back at the Gulf war and his advice as attorney general to then president George HW Bush, Barr recalled: “I believed that the president did not require any authorization from Congress, and I believed that the president had constitutional authority to launch an attack against the Iraqis.”
Now the battlefield is urban America. Trump has threatened to use the US military to quell unrest. This week an army airborne division was moved near Washington DC, for a possible deployment as a militarized adjunct to domestic law enforcement, though the Pentagon reversed the decision.
In his public statement about the current unrest, Barr has said: “It is time to stop watching the violence and to confront and stop it.” He added that “violence instigated and carried out by antifa” is “domestic terrorism and will be treated accordingly”.
Perhaps everything has come full circle: for Barr, this is one last fight to get it “right”.
An attorney in New York, Lloyd Green was opposition research counsel to George HW Bush’s 1988 campaign and served in the Department of Justice from 1990 to 1992
The corporations now signaling support for Black people are part of the problem
Rashad Robinson
Suddenly even Fortune 500 companies are woke. Let’s make sure that politicians and corporations actually follow through
Thu 11 Jun 2020
‘The conversation on race rarely picks up where it last left off. And it usually includes white conservatives quoting Dr Martin Luther King Jr back to us.’ Photograph: Vanessa Carvalho/Rex/Shutterstock
For many people in power, especially corporations, their biggest fear is not whether protesters on the street will break through a line of police. It’s whether the conversation about racism will break through on issues beyond policing and draw uncomfortable attention to issues such as corporations’ role in mass incarceration, the abuse Black workers face, and the racism in our healthcare system that routinely kills Black people.
We must win real structural change in our criminal justice system. But not just because its impact is so destructive and its takeover of Black communities is so unjust. We need to win on criminal justice because it will lay the foundation for what activism looks like, and set the standards for what justice looks like, which we can then apply to fighting the corporate takeover of our lives.
Every time I see an act of violence against Black people hit the news, or see issues of race come up in public debate, my first reaction is to shake my head, hold my heart and push myself to find a way to fight ever harder and smarter for racial justice. And then I always wonder: After all this time, is it even possible for America to actually learn anything? Black people are doing so much teaching, but is anybody learning? The conversation on race rarely picks up where it last left off. It always seems to revert to the conversation we were having 30 years before. And it usually includes white conservatives quoting Dr Martin Luther King Jr back to us.
As millions of people rise up to fight racism in America right now, however, I am getting a very different feeling. It feels like America is actually learning something about race. Not necessarily about what we need to do to end racism, or even the full extent of its harm.
But at least the truth of Black experiences: the attacks on freedom and wellbeing that Black people face every day in this country at the hands of police and prosecutors, and also at the hands of bankers, doctors, employers and so many others. The truth of systemic racism.
But that question leads to another, even more important, one: After falling in love with the dream of change, will America fall for false solutions? That’s where corporations come in. They run the factories that manufacture false solutions en masse. They want us to take “we care for you” for an answer. They want us to take body cameras for an answer. Corporations are one of the biggest threats to the protests taking place, though they are not on the street trying to stop them.
We’re seeing a lot of hypocrisy right now. George W Bush said that it “remains shocking” that Black people are “harassed and threatened in their own country” even though he himself, and his father, had appalling records on race and racism, and on Black lives. In a similar manner, corporations are now jumping over one another to message their support for Black people. A cottage industry of advisers provide guidance for how they should best do so, even as the cries of hypocrisy ring loud and ring true.
For people who want change, this is exactly what we must figure out how to counteract. It’s time to convert protests against police in the streets to fights against prosecutors, including at the ballot box. It’s also time to convert diversity and inclusion programs within corporations into anti-racist taskforces with the authority to make change. It’s also time that we end the abuse and silencing of Black workers by corporations like Amazon, as well as force them to reckon with their role in racist policing.
One thing we know: in order to do that, we have to take control of the story. Both corporations speaking out, and the incredible pushback they’ve received, are happening for a reason. It’s because we built the infrastructure to influence and organize the conversation on race. We’ve given people language to talk about racism and privilege. We’ve given people ideas for thinking about ending policing as we know it, rather than slightly reforming but mostly accepting the status quo of policing. We’ve given people history lessons, connecting the attacks we’re seeing today to the history of attacks on Black communities, from the Red Summer to the Tulsa Massacre: both took place a hundred years ago and both are instances of police serving the agenda of white supremacy rather than protecting people against it.
All of these groundbreaking analyses and solutions originated in Black communities. But much like the police themselves, these conversations could easily get out of control and be used against us. That will require calling out corporations for their injustices, and rallying as many people to fight their abuses as the millions we’ve seen rally around George Floyd. It will require more petitions and marches, and more donations and acts of defying complicity at work and among friends – from everyone, of every identity.
This is the moment for racism in America that’s very similar to the recent shift in the fight against climate change: many defenders of the status quo have now conceded climate change is real, but they still fight every move to actually do something real about it. It’s an opportunity but also a challenge. Our biggest mistake would be to be so focused on fighting the denial we have been fighting for decades that we forget to ensure that politicians and corporate executives actually make good on the recognition they’re now so readily offering. We must recognize the protests we see today as just the beginning.
Rashad Robinson is the president of Color Of Change and a Guardian US columnist
Three years ago, several environmental groups noticed that they had been receiving suspicious emails with fake Google News articles and other links related to their climate-change campaign against Exxon Mobil. The emails came from accounts that impersonated their own colleagues and lawyers.
Those phishing emails have now led to a federal criminal investigation into a sprawling hacking-for-hire operation that for years has targeted the email accounts of government officials, journalists, banks, environmental activists and other individuals, according to people briefed on the inquiry.
As part of the investigation, federal prosecutors in Manhattan conducted interviews earlier this year with environmental groups that received the emails, including the Rockefeller Family Fund, some of the people familiar with the inquiry said.
Prosecutors are investigating the hackers behind the operation and who hired them, the people said, speaking on the condition of anonymity so they could discuss an ongoing investigation. Exxon Mobil has not been accused of any wrongdoing.
Details of the hacking campaign were made public on Tuesday in a report by Citizen Lab, a cybersecurity watchdog group at the University of Toronto. The report said that thousands of people on six continents had been targeted by phishing emails for at least four years in the same operation.
Citizen Lab has provided its information to federal prosecutors in Manhattan to assist them in their criminal investigation. A spokesman for the United States Attorney’s Office in Manhattan declined to comment.
The investigation, along with Citizen Lab’s findings, pointed to a growing hacker-for-hire industry used by individuals and companies to target the email accounts of their adversaries.
“In our investigation, we determined that hiring hackers may be a relatively common practice for many private investigators,” said John Scott-Railton, the report’s lead author. “The sheer scale of it is remarkable to us.”
The phishing emails were sent to a wide range of targets, including government officials in multiple countries, pharmaceutical companies, law firms, hedge funds, banks, nonprofits and even people involved in divorce proceedings.
Citizen Lab’s report concluded with “high confidence” that the operation was carried out by a company in India, which the report said advertised “ethical hacking” services on its website and in social media.
Hacking companies based overseas are often hired through a series of intermediaries, such as law firms and private investigators, to mask the ultimate clients and give them plausible deniability, the Citizen Lab report said.
In this operation, the targets of the hacking were often “on one side of a contested legal proceeding, advocacy issue or business deal,” suggesting the hackers had been hired by customers seeking to collect information and private emails from their adversaries in criminal cases, financial transactions and other high-profile events, the report said.
Although thousands were targeted, Citizen Lab has not determined how many people clicked on the emails and exposed their accounts to hackers. The operation is believed to still be active, Mr. Scott-Railton said.
One of the most troubling findings, he said, was that phishing emails had been sent to dozens of journalists in the United States and around the world in an apparent attempt to figure out their sources.
Citizen Lab, which has helped victims of digital surveillance, began its investigation in 2017 after a journalist received a suspicious email and brought it to the group’s attention.
The group then uncovered thousands of other targeted individuals bearing the same digital fingerprints and provided the information to the federal prosecutors.
Citizen Lab’s report said a large group of targets in the hacking campaign were American nonprofit groups that had been battling publicly with Exxon Mobil for years over whether the oil company engaged in an effort to mislead the public about climate science, which the company has denied.
Some of the phishing emails were tailored to the organizations’ work on Exxon and climate change, the report said. For instance, multiple emails invited recipients to click on links to fake Google News articles about Exxon, and many of the messages were sent from email accounts impersonating people involved in the advocacy campaign against Exxon, including lawyers.
The report did not accuse Exxon Mobil of wrongdoing and said Citizen Lab had no strong evidence linking the hacking to a corporate sponsor. A spokesman for Exxon Mobil said in a statement that the company “has no knowledge of, or involvement in, the hacking activities outlined in Citizen Lab’s report.”
One person has already been arrested as part of the federal criminal investigation: a man who ran a private investigations company in Israel. He was taken into custody last year after he traveled to Florida for a family vacation.
The indictment alleged that he worked with unnamed co-conspirators who sent phishing emails that allowed them to successfully penetrate certain electronic accounts in 2017 and 2018, including ones that belonged to an unnamed victim in New York.
One of the co-conspirators invited Mr. Azari to India to “conduct business meetings with our senior management,” the indictment said.
Mr. Azari, who served in the 1990s in an Israeli police unit that focused on covert surveillance, was one of the most sought-after private investigators in Israel, according to two clients who said they had used his services several times. He was often hired by customers to gather intelligence about their business competitors, according to a friend of Mr. Azari.
The charging documents against Mr. Azari did not identify his clients. He has pleaded not guilty.
His lawyer, Barry S. Zone, said Mr. Azari maintains his innocence.
“We look forward to addressing the charges in due course,” Mr. Zone said, adding that his client has not entered into any cooperation agreement with the government.
This report will be followed by additional forthcoming reports providing a more comprehensive overview of certain targets and technical indicators.
Key Findings
Dark Basin is a hack-for-hire group that has targeted thousands of individuals and hundreds of institutions on six continents. Targets include advocacy groups and journalists, elected and senior government officials, hedge funds, and multiple industries.
Dark Basin extensively targeted American nonprofits, including organisations working on a campaign called #ExxonKnew, which asserted that ExxonMobil hid information about climate change for decades.
We also identify Dark Basin as the group behind the phishing of organizations working on net neutrality advocacy, previously reported by the Electronic Frontier Foundation.
We link Dark Basin with high confidence to an Indian company, BellTroX InfoTech Services, and related entities.
Citizen Lab has notified hundreds of targeted individuals and institutions and, where possible, provided them with assistance in tracking and identifying the campaign. At the request of several targets, Citizen Lab shared information about their targeting with the US Department of Justice (DOJ). We are in the process of notifying additional targets.
Introducing Dark Basin
We give the name Dark Basin to a hack-for-hire organization that has targeted thousands of individuals and organizations on six continents, including senior politicians, government prosecutors, CEOs, journalists, and human rights defenders. With high confidence, we link Dark Basin to BellTroX InfoTech Services (“BellTroX”), an India-based technology company.
Over the course of our multi-year investigation, we found that Dark Basin likely conducted commercial espionage on behalf of their clients against opponents involved in high profile public events, criminal cases, financial transactions, news stories, and advocacy. This report highlights several clusters of targets. In future reports, we will provide more details about specific clusters of targets and Dark Basin’s activities.
Thousands of Targets Emerge
In 2017, Citizen Lab was contacted by a journalist who had been targeted with phishing attempts and asked if we could investigate. We linked the phishing attempts to a custom URL shortener, which the operators used to disguise the phishing links.
We subsequently discovered that this shortener was part of a larger network of custom URL shorteners operated by a single group, which we call Dark Basin. Because the shorteners created URLs with sequential shortcodes, we were able to enumerate them and identify almost 28,000 additional URLs containing e-mail addresses of targets.
We used open source intelligence techniques to identify hundreds of targeted individuals and organizations. We later contacted a substantial fraction of them, assembling a global picture of Dark Basin’s targeting.
Our investigation yielded several clusters of interest that we will describe in this report, including two clusters of advocacy organizations in the United States working on climate change and net neutrality.
While we initially thought that Dark Basin might be state-sponsored, the range of targets soon made it clear that Dark Basin was likely a hack-for-hire operation. Dark Basin’s targets were often on only one side of a contested legal proceeding, advocacy issue, or business deal.
Research Collaborations & Official Notification
Dark Basin has targeted dozens of journalists in multiple countries. Citizen Lab has notified and worked with some of these journalists over the past three years to assist them in investigating this case. In addition, Citizen Lab has mutually shared indicators and technical information with researchers at cybersecurity company NortonLifeLock, who have been conducting a parallel investigation into Dark Basin, which they refer to as “Mercenary.Amanda.”
Many targets have also cooperated and assisted our investigation. At the request of multiple targets, Citizen Lab shared materials relevant to their targeting with the US DOJ.
Links to an Indian Operator
We link Dark Basin’s activity with high confidence to individuals working at an Indian company named BellTroX InfoTech Services (also known as “BellTroX D|G|TAL Security,” and possibly other names). BellTroX’s director, Sumit Gupta, was indicted in California in 2015 for his role in a similar hack-for-hire scheme.
Links to India
Timestamps in hundreds of Dark Basin phishing emails are consistent with working hours in India’s UTC+5:30 time zone. The same timing correlations were found by the Electronic Frontier Foundation (EFF) in a prior investigation of phishing messages targeting net neutrality advocacy groups, which we also link to Dark Basin.
Several of Dark Basin’s URL shortening services had names associated with India: Holi, Rongali, and Pochanchi (Table 1). Holi is a well-known Hindu celebration also known as the “festival of colours,” Rongali is one of the three Assamese festivals of Bihu, and Pochanchi is likely a transliteration of the Bengali word for “fifty-five.”
Table 1: Three of the URL shortener services used by Dark Basin.
Additionally, Dark Basin left copies of their phishing kit source code available openly online, as well as log files showing testing activity. The logging code invoked by the phishing kit recorded timestamps in UTC+5:30, and log files show that Dark Basin appeared to conduct some testing using an IP address in India.
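The working-hours correlation used above (phishing email timestamps and phishing-kit log entries clustering in UTC+5:30) can be reproduced with a small script. The following is an added example, not Citizen Lab's or the EFF's code; the Date headers it analyses are constructed for the illustration, and the 09:00 to 18:00 weekday window is an assumption about what counts as an office day.

```python
"""Working-hours time zone correlation over phishing email Date headers.

Added example; not Citizen Lab's or the EFF's code. It implements the
attribution heuristic the report describes: shift each message's UTC
timestamp into every candidate UTC offset and count how many land in a
normal working day. The offset with the most office-hours hits is a weak
indicator of the operator's time zone (UTC+05:30 for Dark Basin). All Date
headers below are constructed for this illustration.
"""
from collections import Counter
from datetime import timedelta, timezone
from email.utils import parsedate_to_datetime

# Local hours counted as a working day, Monday to Friday (assumption).
WORK_START_HOUR = 9
WORK_END_HOUR = 18  # exclusive

# Constructed sample: Date: header values from a batch of phishing messages.
# Relays stamp them in assorted offsets, so each is normalised to UTC first.
SAMPLE_DATE_HEADERS = [
    "Mon, 12 Jun 2017 03:40:00 +0000",
    "Mon, 12 Jun 2017 10:15:00 +0530",
    "Tue, 13 Jun 2017 05:15:22 +0000",
    "Tue, 13 Jun 2017 08:30:00 +0200",
    "Wed, 14 Jun 2017 08:00:00 +0000",
    "Wed, 14 Jun 2017 05:30:00 -0400",
    "Thu, 15 Jun 2017 10:20:00 +0000",
    "Fri, 16 Jun 2017 11:45:00 +0000",
    "Fri, 16 Jun 2017 12:10:00 +0000",
]


def to_utc(date_header):
    """Parse an RFC 5322 Date header and return an aware UTC datetime."""
    dt = parsedate_to_datetime(date_header)
    if dt.tzinfo is None:  # "-0000" means "no usable zone"; treat as UTC
        dt = dt.replace(tzinfo=timezone.utc)
    return dt.astimezone(timezone.utc)


def format_offset(offset_minutes):
    """Render an offset in minutes as UTC+HH:MM or UTC-HH:MM."""
    sign = "+" if offset_minutes >= 0 else "-"
    hours, minutes = divmod(abs(offset_minutes), 60)
    return f"UTC{sign}{hours:02d}:{minutes:02d}"


def candidate_offsets(step_minutes=30):
    """All UTC offsets from -12:00 to +14:00 at the given granularity."""
    return range(-12 * 60, 14 * 60 + 1, step_minutes)


def in_working_hours(utc_dt, offset_minutes):
    """True if the UTC instant is a weekday between WORK_START_HOUR and
    WORK_END_HOUR in local time for the given offset."""
    local = utc_dt + timedelta(minutes=offset_minutes)
    return local.weekday() < 5 and WORK_START_HOUR <= local.hour < WORK_END_HOUR


def score_offsets(date_headers):
    """Map each candidate offset (minutes) to the number of messages that
    would have been sent during working hours in that zone."""
    utc_times = [to_utc(h) for h in date_headers]
    return {off: sum(in_working_hours(t, off) for t in utc_times)
            for off in candidate_offsets()}


def best_offsets(date_headers):
    """Return (formatted offsets sharing the top score, that score).

    Neighbouring offsets usually tie near the top: a nine-hour window cannot
    separate adjacent zones from a handful of messages. Treat the result as
    corroborating evidence, as the report does alongside the phishing-kit
    log timestamps and infrastructure naming, not as proof on its own.
    """
    scores = score_offsets(date_headers)
    top = max(scores.values())
    winners = sorted(off for off, s in scores.items() if s == top)
    return [format_offset(off) for off in winners], top


def local_hour_histogram(date_headers, offset_minutes):
    """Messages per local hour under one offset; comparing its shape to a
    9-to-6 working day is the usual sanity check on the top-scoring zone."""
    hist = Counter()
    for header in date_headers:
        local = to_utc(header) + timedelta(minutes=offset_minutes)
        hist[local.hour] += 1
    return dict(sorted(hist.items()))


if __name__ == "__main__":
    zones, hits = best_offsets(SAMPLE_DATE_HEADERS)
    print(f"{hits}/{len(SAMPLE_DATE_HEADERS)} messages in office hours at: "
          + ", ".join(zones))
    for hour, count in local_hour_histogram(SAMPLE_DATE_HEADERS, 330).items():
        print(f"{hour:02d}:00 {'#' * count}")
```

On the constructed sample only UTC+05:30 puts all nine messages inside the working day; UTC+05:00 and UTC+06:00 each place eight there, which is why the report pairs this signal with other evidence.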
Links to BellTroX
Along with our collaborators at NortonLifeLock, we have unearthed numerous technical links between the campaigns described in this report and individuals associated with BellTroX. These links lead us to conclude with high confidence that Dark Basin is linked to BellTroX.
We were able to identify several BellTroX employees whose activities overlapped with Dark Basin because they used personal documents, including a CV, as bait content when testing their URL shorteners. They also made social media posts describing and taking credit for attack techniques containing screenshots of links to Dark Basin infrastructure. BellTroX and its employees appear to use euphemisms for promoting their services online, including “Ethical Hacking” and “Certified Ethical Hacker.” BellTroX’s slogan is: “you desire, we do!”
On Sunday, June 7th 2020 we observed that the BellTroX website began serving an error message. We have also observed that postings and other materials linking BellTroX to these operations have been recently deleted.
Technical evidence of further links between BellTroX and Dark Basin is detailed in Appendix A. Indicators of Compromise are available in Appendix B.
Table 2: Excerpt from the CV (left) of an individual matching the name of a then-BellTroX employee (right) shared using a shortener link. The “Responsibilities” described match the activities of Dark Basin.
BellTroX’s Director and Previous Hack-For-Hire Schemes
Further, in 2015, the US DOJ indicted several US-based private investigators and an Indian national, Sumit Gupta (whom the DOJ notes also uses the alias Sumit Vishnoi), for their role in a hack-for-hire scheme. To our knowledge, Gupta was never arrested in relation to the indictment. An aggregator of Indian corporate registration data lists Sumit Gupta as the director of BellTroX, and online postings by a “Sumit Vishnoi” contain references to BellTroX. The actions described in that indictment, including the extensive relationships with private investigators, are similar to those we ascribe to BellTroX.
Dark Basin’s Connections to Private Investigators
We have observed Dark Basin’s activities over several years, including the social media activities and posts of individuals working at BellTroX. Some of the individuals listed on LinkedIn as working for BellTroX mention activities that indicate hacking capabilities.
BellTroX staff activities listed on LinkedIn include:
Email Penetration
Exploitation
Corporate Espionage
Phone Pinger
Conducting Cyber Intelligence Operation
BellTroX’s LinkedIn pages, and those of their employees, have received hundreds of endorsements from individuals working in various fields of corporate intelligence and private investigation.
BellTroX and its employees received endorsements from individuals listing themselves as:
An official in the Canadian government.
An investigator at the US Federal Trade Commission and previously a contract investigator for US Customs and Border Patrol.
Current local and state law enforcement officers.
Private investigators, many with prior roles in the FBI, police, military and other branches of government.
Despite a previous DOJ indictment of the BellTroX Director, as well as indictments in other hack-for-hire cases, the companies that provide these services publicly promote their activities.
This suggests that companies and their clients do not expect to face legal consequences and that the use of hack-for-hire firms may be standard practice within the private investigations industry.
A LinkedIn endorsement may be completely innocuous, and is not proof that an individual has contracted with BellTroX for hacking or other activity. However, it does raise questions as to the nature of the relationship between some of those who posted endorsements and BellTroX.
Targeting American Nonprofits, Journalists
Dark Basin has a remarkable portfolio of targets, from senior government officials and candidates in multiple countries, to financial services firms such as hedge funds and banks, to pharmaceutical companies. Troublingly, Dark Basin has extensively targeted American advocacy organizations working on domestic and global issues. These targets include climate advocacy organizations and net neutrality campaigners.
Targeting American Environmental Organizations
We discovered a large cluster of targeted individuals and organizations that were engaged in environmental issues in the US. In the fall of 2017, Citizen Lab made contact with these groups and began working with them to determine the nature and scope of the targeting.
We determined that these organizations were all linked to the #ExxonKnew campaign, which highlights documents that, the advocacy organizations argue, point to Exxon’s decades-long knowledge of climate change.
The New York Times describes an intense legal battle between ExxonMobil, multiple states’ attorneys general, and organizations engaged in the #ExxonKnew campaign.
Targeted organizations consenting to be named in this report include:
At their request, we are not naming all targets within this cluster.
We provided the targets with search queries to find Dark Basin emails and instructed them on how to use these queries to gather emails from their inboxes. While this methodology cannot generate a comprehensive set of all Dark Basin phishing attempts, it provided retrospective data that helped us correlate the timing of phishing emails with key events in the #ExxonKnew campaign. We identified these key events with the assistance of targeted organizations, as well as a timeline released by ExxonMobil. We noted that targeting increased around certain key events, as illustrated below.
A Stolen Email?
In January 2016, a group of environmental organizations and funders met privately to discuss the #ExxonKnew campaign. A private email inviting campaigners to the January meeting (the “January Email”) was subsequently leaked by unknown parties to two newspapers. The January Email was quoted in a story entitled “Exxon Fires Back at Climate-Change Probe” on April 13, 2016 in the Wall Street Journal, and a day later a picture of a printout of the January Email was published in the Free Beacon.
After a reporter queried the attendees about the secret meeting in March 2016, we found no further phishing emails until the New York Attorney General made a filing alleging evidence of “potential materially false and misleading statements by Exxon” in June 2017. Targeting also spiked again shortly before New York’s Attorney General filed a lawsuit against ExxonMobil in January 2018.
Table 3: ExxonMobil’s timeline of the advocacy campaign, highlighting the January Email (left) and an excerpt of the “leaked” January Email (right).
The leak of the January 2016 Email, as well as suspicious emails noticed by campaigners, led some present at the meeting to suspect their private communications may have been compromised. We later determined that all but two recipients of the leaked January Email were also Dark Basin targets.
We also note multiple other instances of internal documentation related to individuals publicly connected to these campaign issues appearing in the press.
Well-Informed Targeting
Dark Basin sent phishing emails to targets’ personal and institutional email accounts. They targeted individuals involved in the #ExxonKnew campaign, as well as #ExxonKnew campaigners’ family members. In at least one case a target’s minor child was among those targeted with phishing. We believe this “off-center” targeting further indicates both the well-informed nature of the targeting, and an intelligence gathering objective.
Much of the phishing against these individuals referenced targets’ work on ExxonMobil and climate change. Notably, multiple phishing messages seemed to reference unspecified confidential documents concerning ExxonMobil. A number of these messages impersonated individuals involved in the #ExxonKnew advocacy campaign or individuals involved in litigation against ExxonMobil, such as legal counsel.
Table 4: Examples of phishing messages referencing confidential information and notifications concerning ExxonMobil sent to individuals at advocacy organizations. The messages were sent from accounts masquerading as close colleagues of those targeted.
In other cases, Dark Basin sent fake Google News updates concerning ExxonMobil, clearly a topic of interest to the targets.
Other ruses included fake Twitter direct messages and other correspondence purporting to concern climate change advocacy. Dark Basin also regularly employed more generic phishing emails using the same infrastructure. We observed a similar mix of topic-specific and generic attempts by Dark Basin against targets in other clusters, such as targeted hedge funds. Dark Basin also regularly made use of third-party link tracking services in their messages.
Evidence of Compromise
In at least one case, Dark Basin repurposed a stolen internal email to re-target other individuals. This incident led us to conclude that Dark Basin had some success in gaining access to the email accounts of one or more advocacy groups.
Who Was the Client?
Dark Basin’s targeting revealed a highly detailed and accurate understanding of their targets and their relationships. Not only did phishing emails come from accounts masquerading as targets’ colleagues and friends, but the individuals that Dark Basin chose to target showed that it had a deep knowledge of informal organizational hierarchies (e.g., masquerading as individuals with greater authority than the target).
Some of this knowledge would likely have been hard to obtain from an open source investigation alone. Combined with the bait content, which was regularly tailored to the #ExxonKnew campaign, we concluded that Dark Basin operators were likely provided with detailed instructions not only about whom to target, but what kinds of messages specific targets might be responsive to.
While our research concluded with high confidence that Dark Basin was responsible for transmitting these phishing attempts, we do not have strong evidence pointing to the party commissioning them and we are not conclusively attributing Dark Basin’s phishing campaign against these organizations to a particular Dark Basin client at this time.
That said, the extensive targeting of American nonprofits exercising their first amendment rights is exceptionally troubling.
More US Civil Society Targets
At least two American advocacy groups were targeted by Dark Basin during a period in which they were engaged in sustained advocacy requesting that the Federal Communications Commission (FCC) preserve net neutrality rules in the US. EFF published a report on this targeting in 2017, observing that US non-governmental organizations Fight for the Future and Free Press were targeted between July 7 and August 8, 2017. We also observed targeting of additional US civil society groups which will be discussed in future reporting.
US Media Outlets
In addition to the targeting of civil society, we found that journalists from multiple major US media outlets were also targeted. Targets included journalists investigating topics related to the advocacy organizations mentioned above, as well as multiple business reporters.
Industry Targets
Dark Basin’s targeting was widespread and implicated multiple industries. In the sample of the targeting collected by Citizen Lab, we found that the financial sector was the most targeted. The following section briefly outlines several industry verticals of particular interest.
Hedge Funds, Short Sellers, Financial Journalists
The most prominent targeting of the financial sector concerned a cluster of hedge funds, short sellers, journalists, and investigators working on topics related to market manipulation at German payment processor Wirecard AG. We note that the offices of Wirecard AG were searched on Friday, June 5, 2020, by German police in connection with a criminal investigation against certain executive board members launched by Munich prosecutors.
After extensive work with targeted organizations and individuals surrounding the Wirecard AG case, we concluded the unifying thread behind this targeting was its aim at individuals who held short positions in Wirecard AG around the time of the targeting and financial reporters covering the Wirecard AG case. Some individuals were targeted almost daily for months, and continued to receive messages for years.
Private emails from multiple journalists, short sellers, and hedge funds were made public as part of a “leaks” website and campaign, which included a PDF circulated via online posts to various forums. The campaign took its name from Zatarra, then a company operated by several of the targets.
As Table 5 shows, the document draws heavily on excerpts of correspondence between journalists and their sources. The targets have said that these emails were misleadingly presented and edited before being posted on the website. We believe that, while the documents may have been based on emails obtained by Dark Basin through phishing, a second entity may have undertaken the work of compiling and presenting these documents on the website, given the sophistication of the writing, use of investigative jargon, and techniques such as detailed organizational charts.
Table 5: Pages from the documents posted on the ‘Zatarra Leaks’ website.
As with the targeting of the organizations involved in the #ExxonKnew advocacy campaign, we are not conclusively attributing this campaign to a specific sponsor at this time.
Global Banking and Financial Services
Several international banks and investment firms, as well as prominent corporate law firms in the United States, Asia, and Europe, were targets. We also found that a number of companies involved in offshore banking and finance were targeted.
Legal Services
Lawyers were heavily represented in Dark Basin targeting. We found targeted individuals in many major US and global law firms. Lawyers working on corporate litigation and financial services were disproportionately represented, with targets in many countries including the US, UK, Israel, France, Belgium, Norway, Switzerland, Iceland, Kenya, and Nigeria.
The Energy Sector
We identified targets in multiple energy and extractive sectors, including petroleum companies. Targets ranged from lawyers and staff to CEOs and executives. In some cases, we observed large swaths of the energy and extractive industry targeted in a particular country, ranging from oilfield services companies and energy companies to prominent industry figures and officials at relevant government offices.
Eastern and Central Europe, Russia
We identified a range of targets in Eastern and Central Europe, and Russia, indicative of targeting surrounding the investments and actions of extremely wealthy individuals, including cases surrounding individuals who could be considered oligarchs.
Government
We identified targets in multiple governments, ranging from senior elected officials and their staff to members of the judiciary, prosecutors, members of parliament, and political parties. In a number of cases, we were able to connect this targeting to specific issues. We identified at least one individual who ran for elected office in the US. We anticipate providing future reporting on these cases.
Personal Disputes
Many of Dark Basin’s targets were high-profile, well-resourced individuals. However, we also found that private individuals were targeted, which appeared to correlate with divorces or other legal matters.
Tactics, Techniques, and Procedures
Over the course of our investigation, we found Dark Basin regularly adapting techniques, possibly in response to disruptions from email providers filtering their phishing attempts. What follows is a brief overview of these techniques.
Phishing Emails
Dark Basin sent phishing emails from a range of accounts, including Gmail accounts as well as self-hosted accounts. Sophistication of the bait content, specificity to the target, message volume, and persistence across time varied widely between clusters. It appears that Dark Basin’s customers may receive varying qualities of service and personal attention, possibly based on payment, or relationships with specific intermediaries.
URL Shorteners
The use of URL shorteners for masking phishing sites is a common technique. Over a sixteen-month period, we enumerated 28 unique URL shortener services operated by Dark Basin.
The malicious URL shorteners used in this campaign typically ran an open source URL shortening software called Phurl. We analyzed the code and found that Phurl generated sequential shortcodes making it trivial for us to enumerate the URL shorteners. Figure 4 below shows numerous examples of the Phurl-based malicious shorteners we tracked.
Enumeration
We tracked these 28 URL shorteners nearly continuously using a Python script. Overall, our enumeration of these shorteners uncovered 27,591 different long URLs, each of which led to a Dark Basin credential phishing website. This campaign operated at a scale we had not previously detected in our research into targeted intrusion operations (versus generic phishing operations). Often, the email address of the target was included in the URL.
Figure 5 shows a sample of the output from one shortener during a single collection period. The first column shows the specific “short code” for a shortener hosted on the domain anothershortnr[.]com and the second column shows the “long URL,” i.e., the actual destination website hosting the credential phishing pages. For example, a phishing email containing the shortened link http://anothershortnr[.]com/gu would, when clicked, direct the target to the destination URL:
https://emailserver4859[.]com/account.login.system.gmail.com.appredirects.portfoliofa.system-login.app-direct-signin-login.ppsecure-auth/?email=REDACTED@gmail.com&error=Continue to unsubscribe&redirect=//google.com
The domain, emailserver4859[.]com, was set up by attackers to host a credential phishing page designed to gather account credentials from webmail providers, including Gmail.
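The URL structure just described, a stack of brand-like labels in front of an attacker-registered domain with the victim's address and a redirect carried in the query string, lends itself to automated triage. The following Python is an added example, not code from the report or from Citizen Lab: it refangs a defanged URL, separates the registrable domain from the lookalike labels placed in front of it, and extracts the address and redirect parameters. The sample URLs are constructed in the style of the report's examples, the brand and parameter-name lists are assumptions, and the registrable-domain logic is a deliberate simplification (real code should consult the Public Suffix List). The same check applies to the subdomain-lookalike pattern the report returns to in Appendix A.

```python
"""Indicator extraction for lookalike credential-phishing URLs (added example).

Not the report's code. The URLs below are constructed samples in the
style of the report's redacted examples; brand labels and query keys
are assumptions chosen to match them.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed, defanged sample URLs (the last one is a benign control).
SAMPLE_URLS = [
    "https://emailserver4859[.]com/account.login.system.gmail.com.appredirects"
    ".portfoliofa.system-login.app-direct-signin-login.ppsecure-auth/"
    "?email=target@gmail.com&error=Continue to unsubscribe&redirect=//google.com",
    "http://login.service-microsoftonline.reg.hostname-mail-id.fastserverusa[.]com/"
    "continue-http-rnd-maiiil.com-maiil.u.1/?to=target@example.org"
    "&msg=Sign in&red=//example.net&adroid=",
    "https://mail.google.com/mail/u/0/",
]

# Brand labels to look for outside the registrable domain (assumed list).
BRAND_LABELS = ("gmail", "google", "yahoo", "facebook", "microsoftonline", "microsoft")
# Query keys that carried the victim address or a redirect in the samples (assumed).
EMAIL_KEYS = ("email", "to")
REDIRECT_KEYS = ("redirect", "red", "adroid")


def refang(url):
    """Undo the [.] / [@] / hxxp defanging used when sharing indicators."""
    return url.replace("[.]", ".").replace("[@]", "@").replace("hxxp", "http")


def registrable_domain(host):
    """Simplification: last two labels. Production code should use the Public Suffix List."""
    labels = host.lower().split(".")
    return ".".join(labels[-2:])


def analyze_url(url):
    """Return the indicators a triage analyst would want from one phishing URL."""
    parts = urlsplit(refang(url))
    host = parts.hostname or ""
    reg = registrable_domain(host)
    # Brand labels count as impersonation only when they sit outside the
    # registrable domain, i.e. in the subdomain chain or the path.
    hay = (host + "/" + parts.path).lower()
    impersonated = sorted(
        brand for brand in BRAND_LABELS
        if re.search(rf"(^|[.\-/]){re.escape(brand)}([.\-/]|$)", hay)
        and brand not in reg.split(".")
    )
    query = parse_qs(parts.query, keep_blank_values=True)
    victim = next((query[k][0] for k in EMAIL_KEYS
                   if k in query and "@" in query[k][0]), None)
    redirect = next((query[k][0] for k in REDIRECT_KEYS
                     if query.get(k) and query[k][0]), None)
    deep_subdomain = host.count(".") >= 4
    score = (len(impersonated) + (victim is not None)
             + (redirect is not None) + int(deep_subdomain))
    return {
        "registrable_domain": reg,
        "impersonated_brands": impersonated,
        "victim_address": victim,
        "redirect": redirect,
        "deep_subdomain": deep_subdomain,
        "score": score,
        "suspicious": score >= 2,
    }


if __name__ == "__main__":
    for sample in SAMPLE_URLS:
        print(analyze_url(sample))
```

The benign control scores zero because "google" is the registrable domain itself rather than a label stacked in front of someone else's domain; that distinction is the whole point of the check, and it is also why the victim address embedded in the query string makes these links useful for scoping who was targeted.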
Credential Phishing Websites
The malicious links we discovered during our tracking each led to credential phishing sites, i.e., websites designed to look identical to popular online web services such as Google Mail, Yahoo Mail, Facebook, and others. In addition, Dark Basin operators had created phishing websites which copied the look and feel of specific web services used or operated by the target or their organization (Figure 11).
Table 6: Images of several phishing sites deployed in the observed campaigns.
Phishing Kit
In several cases, Dark Basin left the source code of their phishing kit openly accessible. The source code included references to log files, which were also publicly accessible. The log files recorded every interaction with the credential phishing website, including testing activity carried out by Dark Basin operators.
The source code also contained several scripts that processed details including usernames and passwords entered by victims, as well as the victims’ IP address. These details were both emailed to a Gmail address controlled by Dark Basin and recorded in one or more log files on the web server itself. Several of the scripts recorded these details with a timestamp in India’s UTC+5:30 (IST) timezone (Figure 6).
Testing the Phish
In reviewing log files left openly available on several of the active phishing servers, we observed Dark Basin operators testing their phishing links and credential theft kits.
We observed numerous occurrences where both real target email addresses and obviously fake email addresses were entered into the phishing pages using the password ‘test’, ostensibly to simulate or test the functionality of the phishing page.
The IP addresses which were logged by the phishing kit for these test entries were typically from anonymizing VPN services, but sometimes the logs showed that the test had been conducted using an IP address associated with an Indian broadband provider. Figures 7 and 8 show log excerpts from a pair of tests found in the log files from hostsecuremail[.]com, a Dark Basin credential phishing site:
Success Rates
It is clear that Dark Basin operators were successful with at least some of their phishing campaigns. In cases reported to us by targets, Dark Basin was seen using commodity VPNs to access accounts with stolen credentials. We also found that logs from some phishing kits were publicly accessible.
After reviewing these logs and working with targets, we concluded that Dark Basin’s deceptions, while individually not always effective, did achieve some account access in part because the group could be extremely persistent.
For example, we found that some “high value” targets were sent more than one hundred phishing attempts with very diverse content. Some failure to recognize attempted phishing is to be expected when an entire organization or network of individuals working together on a shared advocacy goal is targeted by such a persistent adversary.
Dark Basin’s reliance on a rarely seen URL shortener software, continued reuse of the same registration identities and hosting providers for their infrastructure, and the uniqueness of their phishing kit all contributed to our ability to track them continuously during these campaigns.
Perhaps most important however was the additional visibility provided by working closely with the targeted individuals and organizations. This view into the persistent attempts to compromise the targets greatly amplified our ability to follow breadcrumbs left by Dark Basin operators.
Mercenary Intrusion: A Global Problem
Dark Basin’s thousands of targets illustrate that hack-for-hire is a serious problem for all sectors of society, from politics, advocacy and government to global commerce.
Many of Dark Basin’s targets have a strong but unconfirmed sense that the targeting is linked to a dispute or conflict with a particular party whom they know. However, absent a systematic investigation, it is difficult for most individuals to determine with certainty who undertakes these phishing campaigns and/or who may be contracting for such services, especially given that Dark Basin’s employees or executives are unlikely to be within the jurisdiction of their local law enforcement.
Further, while many of the targets whom we contacted had a sense they were being phished in a targeted operation, many others did not share this awareness. These targets either concluded that they were being phished for an unknown reason, or simply did not notice the targeting against the background of unrelated phishing messages and spam.
We believe there is an important role for major online platforms who have the capacity to track and monitor groups like Dark Basin. We hope Google and others will continue to track and report such hack-for-hire operations. We also encourage online platforms to be proactive in notifying users that have been targeted by such groups, such as providing detailed warnings beyond generic notifications to help enable targets to recognize the seriousness of the threat and take appropriate action.
Hacking for hire
Dark Basin’s activities make it clear that there is a large and likely growing hack-for-hire industry. Hack-for-hire groups enable companies to outsource activities like those described in this report, which muddies the waters and can hamper legal investigations.
Previous court cases indicate that similar operations to BellTroX have contracted through a murky set of contractual, payment, and information sharing layers that may include law firms and private investigators and which allow clients a degree of deniability and distance.
The growth of a hack-for-hire industry may be fueled by the increasing normalization of other forms of commercialized cyber offensive activity, from digital surveillance to “hacking back,” whether marketed to private individuals, governments or the private sector.
Further, the growth of private intelligence firms, and the ubiquity of technology, may also be fueling an increasing demand for the types of services offered by BellTroX. At the same time, the growth of the private investigations industry may be contributing to making such cyber services more widely available and perceived as acceptable.
A clear danger to democracy
The rise of large-scale, commercialized hacking threatens civil society. As this report shows, it can be used as a tool of the powerful to target organizations that may not have sophisticated cybersecurity resources and consequently are vulnerable to such attacks.
For example, in a four-year study, we concluded that digital threats undermined civil society organizations’ core communications and missions in a significant way, sometimes as a nuisance or resource drain, or more seriously as a major risk to individual safety. Citizen Lab has also previously researched and documented the harms of phishing campaigns against civil society around the globe.
We believe it is especially urgent that all parties involved in these phishing campaigns are held fully accountable. For this reason, and on the request of multiple targets of Dark Basin, Citizen Lab provided indicators and other materials to the US DOJ.
Acknowledgements
We thank the many targets that have helped us during the past three years. Without your diligence and effort this investigation would not have been possible. We have special gratitude for the journalists and media outlets for their patience.
We also personally thank several targets in particular for incredible efforts to help us identify malicious messages and investigate this case: Matthew Earl of ShadowFall, Kert Davies of the Climate Investigations Center, and Lee Wasserman of the Rockefeller Family Fund.
We thank our colleagues at NortonLifeLock for their hard work. The sheer scale of activities like Dark Basin makes collaboration essential.
We thank those that have requested to not be named, including TNG. You know who you are, and your hard work inspires us.
Special thanks to Citizen Lab colleagues, especially Adam Senft, Miles Kenyon, Mari Zhou, and Masashi Crete-Nishihata.
Thanks to The Electronic Frontier Foundation, especially Eva Galperin and Cooper Quintin.
Thanks to Mountain Philanthropies for financial support for this project.
Appendix A: Links to BellTroX
The appendix lists various additional links to BellTroX including social media postings and domain registrations.
Social Media Post
One of the domains we had observed Dark Basin using as a URL shortener was pushthisurl[.]com. A submission to VirusTotal from December 2016 contains an important clue towards attribution. The URL submitted to VirusTotal appeared to be very similar to phishing URLs deployed by Dark Basin:
The highlighted section in this URL shows a parameter called adroid that contains a URL, http://pushthisurl[.]com/jb. In examining the collection of phishing links and the phishing kit used by Dark Basin, we found that the adroid parameter was used to redirect mobile visitors to a mobile-optimized phishing page.
This URL suggests Dark Basin had been active earlier than we had observed. More importantly, the domain in this URL, account.facebook.com.supportserviceonline[.]com, also appeared in a now-deleted post on the information security forum website Peerlyst.
In a screenshot of this post (Figure 10), a user who identifies himself as an employee of BellTroX InfoTech Services explains a technique for creating a phishing page posing as a Facebook login screen. The poster provides two screenshots, one of which displays the domain name account.facebook.com.supportserviceonline[.]com.
Notably, this precise technique of using a subdomain which appears similar to a legitimate web service domain was used in virtually all of the 27,591 phishing links we discovered in our tracking of Dark Basin activity.
Domain Registrations
During our research into the various infrastructure components of the Dark Basin activity, we noticed a unique recurring pattern in many of the credential phishing URLs. Several examples are provided below, highlighted to show the pattern of interest:
http://login.service-microsoftonline.reg.hostname-mail-id.fastserverusa[.]com/continue-http-rnd-maiiil.com-maiil.u.1.serviice-maiil.rpsnv.11-ct-13475230763454343764-rver.6.1.6206.1.5.rver.6.1.6206.0-wp-mbi.wreply-https?to=REDACTED&msg=Sign in to confirm your age&red=//youporn.com&adroid=
We found a VirusTotal submission of a URL hosted on the domain wsignin[.]info which contained this same string:
Using historic WHOIS registration data, we found that during the period between March 22, 2014 and August 26, 2014, the email address serviceaccount373[@]yahoo.com was the registrant address for both wsignin[.]info and belltrox[.]org. An Internet Archive screenshot of the belltrox[.]org domain (Figure 12) shows that belltrox[.]org was in fact the webpage of BellTroX InfoTech Services during this time period.
According to historic domain registration data, the belltrox[.]org website was registered to this same email address between July 27, 2013 and November 29, 2014. After this date, the registrant email was changed to tech.belltrox[@]gmail.com.
Appendix B: Indicators of Compromise
Citizen Lab and NortonLifeLock are jointly releasing this list of Indicators of Compromise.