Indian Hack-for-Hire Group Targeted U.S., China, and More for Over 10 Years

An Indian hack-for-hire group targeted the U.S., China, Myanmar, Pakistan, Kuwait, and other countries as part of a wide-ranging espionage, surveillance, and disruptive operation for over a decade.

The Appin Software Security (aka Appin Security Group), according to an in-depth analysis from SentinelOne, began as an educational startup offering offensive security training programs, while carrying out covert hacking operations since at least 2009.

In May 2013, ESET disclosed a set of cyber attacks targeting Pakistan with information-stealing malware. While the activity was attributed to a cluster tracked as Hangover (aka Patchwork or Zinc Emerson), evidence shows that the infrastructure is owned and controlled by Appin.

“The group has conducted hacking operations against high value individuals, governmental organizations, and other businesses involved in specific legal disputes,” SentinelOne security Tom Hegel said in a comprehensive analysis published last week.

“Appin’s hacking operations and overall organization appear at many times informal, clumsy, and technically crude; however, their operations proved highly successful for their customers, impacting world affairs with significant success.”

The findings are based on non-public data obtained by Reuters, which called out Appin for orchestrating data theft attacks on an industrial scale against political leaders, international executives, sports figures, and others. The company, in response, has dismissed its connection with the hack-for-hire business.

One of the core services offered by Appin was a tool “MyCommando” (aka GoldenEye or Commando) that allowed its customers to log in to view and download campaign-specific data and status updates, communicate securely, and choose from various task options that range from open-source research to social engineering to a trojan campaign.

The targeting of China and Pakistan is confirmation that an Indian-origin mercenary group has been roped in to conduct state-sponsored attacks. Appin has also been identified as behind the macOS spyware known as KitM in 2013.

What’s more, SentinelOne said it also identified instances of domestic targeting with the goal of stealing login credentials of email accounts belonging to Sikhs in India and the U.S.

“In an unrelated campaign, the group also used the domain speedaccelator[.]com for an FTP server, hosting malware used in their malicious phishing emails, one of which was used on an Indian individual later targeted by the ModifiedElephant APT,” Hegel noted. It’s worth noting that Patchwork’s links to ModifiedElephant were previously identified by Secureworks.

Besides leveraging a large infrastructure sourced from a third-party for data exfiltration, command-and-control (C2), phishing, and setting up decoy sites, the shadowy private-sector offensive actor (PSOA) is said to have relied on private spyware and exploit services provided by private vendors like Vervata, Vupen, and Core Security.

In another noteworthy tactic, Appin is said to have leveraged a California-based freelancing platform referred to as Elance (now called Upwork) to purchase malware from external software developers, while also using its in-house employees to develop a custom collection of hacking tools.

“The research findings underscore the group’s remarkable tenacity and a proven track record of successfully executing attacks on behalf of a diverse clientele,” Hegel said.

The development comes as Aviram Azari, an Israeli private investigator, was sentenced in the U.S. to nearly seven years in federal prison on charges of computer intrusion, wire fraud, and aggravated identity theft in connection with a global hack-for-hire scheme between November 2014 to September 2019. Azari was arrested in September 2019.

“Azari owned and operated an Israeli intelligence firm,” the Department of Justice (DoJ) said last week. “Clients hired Azari to manage ‘Projects’ that were described as intelligence gathering efforts but were, in fact, hacking campaigns specifically targeting certain groups of victims.”

Aviram has also been accused of using mercenary hackers in India, a company called BellTroX Infotech (aka Amanda or Dark Basin), to help clients gain an advantage in court battles via spear-phishing attacks and ultimately gain access to victims’ accounts and steal information.

BellTrox was founded by Sumit Gupta in May 2013. Reuters disclosed in June 2022 that prior to launching the company, Gupta had worked for Appin.