An extremely skilled group of hackers-for-hire dubbed “Bahamut” is using sophisticated social engineering tactics against a range of targets around the world, researchers at BlackBerry have found. The group has refined its tactics over time, and it adapts every time a security firm publishes research on its activities.

“BlackBerry assesses that BAHAMUT’s phishing and credential harvesting tradecraft is significantly better than the majority of other publicly known APT groups,” BlackBerry says. “This is principally due to the group’s speed, their dedication to single-use and highly compartmentalized infrastructure, and their ability to adapt and change, particularly when their phishing tools are exposed.”

The group now uses a streamlined framework for phishing that makes it very difficult to block these attacks.

“While monitoring BAHAMUT’s operations over the past year, BlackBerry watched new phishing infrastructure spring up weekly,” the researchers write. “Just as other researchers previously observed, many of these highly targeted spear-phishing operations lasted anywhere from a few hours to a few months, depending on the domain and success rates. This embrace of ever-fleeting infrastructure makes real-time detection all but impossible. Catching a window that is open only for a few hours on infrastructure that is constantly changing requires resources and luck that few network defenders, much less individual targets, could ever hope to possess.”

The group also does extensive research on its targets, and in some cases has used fake social media profiles to build trust with their victims. Notably, the researchers found that the hackers often knew the target’s personal email address, and avoided sending phishing emails to the victim’s corporate or government address.

“Throughout our analysis of their phishing behavior, BlackBerry observed that BAHAMUT was generally in possession of a great deal of information about their targets prior to phishing them,” they write. “This was clearly the result of a concerted and robust reconnaissance operation.”

BlackBerry concludes that Bahamut’s patience, attention to detail, and commitment to operational security puts them far above most threat actors.

“In sum, BlackBerry finds BAHAMUT to be well above average in its social engineering,” the researchers write. “The group has truly impressive operational security that enables them to continue to attack despite numerous, repeated attempts to expose their operations.”

New-school security awareness training can help your employees defend themselves against targeted social engineering attacks.