Indian Hack-for-Hire Group Targeted U.S., China, and More for Over 10 Years
Over the span of more than a decade, an Indian hack-for-hire group, Appin Software Security, engaged in extensive espionage, surveillance, and disruptive activities targeting the U.S., China, Myanmar, Pakistan, Kuwait, and other nations.
Originally established as an educational startup providing offensive security training programs, Appin Security Group has concurrently conducted covert hacking operations since at least 2009, as revealed in a comprehensive analysis by SentinelOne. The group's activities came to light in May 2013 when ESET disclosed a series of cyber attacks on Pakistan involving information-stealing malware, attributed to a cluster known as Hangover (also identified as Patchwork or Zinc Emerson). Notably, evidence indicates that Appin owns and controls the infrastructure linked to Hangover.
SentinelOne's analysis suggests that Appin targeted high-profile individuals, governmental organizations, and businesses entangled in specific legal disputes. Although the group's operations at times appeared informal and technically crude, their impact proved substantial, influencing global affairs. Reuters obtained non-public data exposing Appin's involvement in large-scale data theft attacks against political leaders, international executives, sports figures, and others. In response, Appin has denied any connection to the hack-for-hire business.
A key service offered by Appin was the "MyCommando" tool, allowing customers to log in, view and download campaign-specific data, communicate securely, and choose from various task options, ranging from open-source research to social engineering and trojan campaigns.
The revelation that Appin targeted China and Pakistan suggests the involvement of an Indian-origin mercenary group in state-sponsored attacks. The group was also identified as the creator of the macOS spyware known as KitM in 2013.
SentinelOne's findings further indicate domestic targeting, with Appin attempting to steal login credentials for email accounts belonging to Sikhs in India and the U.S. The group used various tactics, including leveraging a California-based freelancing platform (formerly Elance, now Upwork) to purchase malware from external developers, alongside developing an in-house collection of hacking tools.
Appin's tenacity is underscored by its reliance on a vast infrastructure for data exfiltration, command-and-control, phishing, and decoy site setup. Additionally, the group utilized spyware and exploit services from private vendors such as Vervata, Vupen, and Core Security.
In light of recent developments, the global landscape of hack-for-hire activities is coming under scrutiny, exemplified by the sentencing of Israeli private investigator Aviram Azari, who operated a hack-for-hire scheme using mercenary hackers in India. The scheme aimed to manipulate court battles through spear-phishing attacks, gaining unauthorized access to victims' accounts and stealing sensitive information. Azari was sentenced to nearly seven years in federal prison for computer intrusion, wire fraud, and aggravated identity theft.