A security vendor’s 11-month long review of non-public data obtained by investigative journalists at Reuters has corroborated previous reports tying an Indian hack-for-hire group to numerous — sometimes disruptive — incidents of cyber espionage and surveillance against individuals and entities worldwide.

The shadowy New Delhi-based group known as Appin no longer exists — at least in its original form or branding. But for several years starting around 2009, Appin’s operatives brazenly — and sometimes clumsily — hacked into computers belonging to businesses and business executives, politicians, high-value individuals, and government and military officials worldwide. And its members remain active in spinoffs to this day.

Hacking on a Global Scale

The firm’s clientele included private investigators, detectives, government organizations, corporate clients, and often entities engaged in major litigation battles from the US, UK, Israel, India, Switzerland, and several other countries.

Journalists at Reuters who investigated Appin’s activities collected detailed information on its operations and clients from multiple sources, including logs connected to an Appin site called “MyCommando”. Appin clients used the site to order services from what Reuters described as a menu of options for breaking into emails, phones, and computers of targeted entities.

The Reuters investigation showed that Appin tied to a wide range of sometimes previously reported hacking incidents over the years. These included everything from the leakage of private emails that derailed a lucrative casino deal for a small Native American tribe in New York, to an intrusion involving a Zurich-based consultant attempting to bring the 2012 soccer world cup to Australia. Other incidents that Reuters mentioned in its report involved Malaysian politician Mohamed Azmin Ali, Russian entrepreneur Boris Berezovsky, a New York art dealer, a French diamond heiress, and an intrusion at Norwegian telecommunications firm Telenor that resulted in the theft of 60,000 emails.

Prior investigations, that Reuters mentioned in its report, have tied Appin to some of these incidents — like the one at Telenor and the one involving the Zurich-based consultant.

Near Conclusive Proof

Such links were further corroborated by a Reuters-commissioned review of the data by SentinelOne. The cybersecurity firm’s exhaustive analysis of data that Reuters journalists collected showed near-conclusive links between Appin and numerous data theft incidents. These included theft of email and other data by Appin from Pakistani and Chinese government officials. SentinelOne also found evidence of Appin carrying out defacement attacks on sites associated with the Sikh religious minority community in India and of at least one request to hack into a Gmail account belonging to a Sikh individual suspected of being a terrorist.

“The current state of the organization significantly differs from its status a decade ago,” says Tom Hegel, principal threat researcher at SentinelLabs. “The initial entity, ‘Appin,’ featured in our research, no longer exists but can be regarded as the progenitor from which several present-day hack-for-hire enterprises have emerged,” he says.

Factors such as rebranding, employee transitions, and the widespread dissemination of skills contribute to Appin being recognized as the pioneering hack-for-hire group in India, he says. Many of the company’s former employees have gone on to create similar services that are currently operational.

Reuters’ report and SentinelOne’s review have cast fresh light on the shadowy world of hack-for-hire services — a market niche that others have highlighted with some concern as well. A report by Google last year highlights the relatively prolific availability of these services in countries like India, Russia, and the United Arab Emirates. SentinelOne itself had reported last year on one such group dubbed Void Balaur, operating out of Russia.

Infrastructure Sourcing

During the review of the Reuters-obtained data, researchers at SentinelOne were able to piece together the infrastructure that Appin operatives assembled to carry out Operation Hangover — as an espionage operation on Telenor was later dubbed — and other campaigns.

SentinelOne’s review showed Appin often using a third-party outside contractor to acquire and manage the infrastructure it used in carrying out attacks on behalf of its customers. Appin operatives would basically ask the contractor to acquire servers with specific technical requirements. The types of servers the contractor would obtain for Appin included those for storing exfiltrated data; command and control servers, those that hosted Web pages for credential phishing and servers that hosted sites designed to lure specifically targeted victims. One such site for example had an Islam jihadist related theme which led visitors to another malware laced website.

Appin executives used in-house programmers and the California-based freelance portal Elance — now called Upwork — to find programmers to code malware and exploits. A USB propagator tool that the hack-for-hire group used in its attack on Telenor for instance was the work of one such Elance freelancer. In its 2009 job posting, Appin had described the tool it was looking for as an “advanced data backup utility.” The company paid $500 for the product.

Via other job postings on Elance, Appin sought for and acquired various other tools including an audio recording tool for Windows systems, a code obfuscator for CC and Visual C++ and exploits for Microsoft Office and IE. Some of the ads were brazen — like one for the development of exploits — or customization of existing exploits — for various vulnerabilities in Office, Adobe, and browsers such as Internet Explore and Firefox. The barely concealed malicious intent and low payment offers from Appin — for instance, $1,000 monthly for two exploits a month — often resulted in freelancers rejecting the company’s job offers, SentinelOne observed.

Appin also sourced its toolkit from others including those selling private spyware, stalkerware, and exploit services. In some cases, it even became a reseller for these products and services.

Unsophisticated but Effective

“Offensive security services provided to customers, well over a decade ago, included data theft across many forms of technology, often internally referred to as ‘interception’ services,” SentinelOne said. “These included keylogging, account credential phishing, website defacement, and SEO manipulation/disinformation.”

Appin would also accommodate client requests such as cracking passwords from stolen documents, on-demand.

In the period under examination, the hack-for-hire industry in the private sector of India displayed a noteworthy degree of creativity, albeit with a certain technical rudiment at that particular time, Hegel notes.

“During this era, the sector operated in an entrepreneurial manner, often opting for cost-effective and uncomplicated offensive capabilities,” he says. “Despite the considerable scale of their operations, these attackers are generally not classified as highly sophisticated, particularly when compared to well-established advanced persistent threats (APTs) or criminal organizations,” he says.