With numerous global cyber intrusions from Norway to China, espionage, surveillance, and disruptive actions, Appin Security Group, mercenary hackers from India, demonstrated a successful criminal business model that was unstoppable without global cooperation.
Notorious for its remarkable tenacity and proven track record of successful attacks on behalf of a diverse clientele, Appin Security Group was a renowned entity from India offering hack-for-hire services.
Researchers from SentilenLabs with a high confidence level attributed intrusions in Norway, Pakistan, China, and India to Appin, shedding some light on the gang’s intricate operations.
The extensive list of targets includes victims from the US, Canada, China, India, Myanmar, Kuwait, Bangladesh, the United Arab Emirates, Pakistan, and other locations.
Started as a security firm
The Appin Software Security was an Indian cyber espionage firm. The company offered an offensive security training program alongside covert hacking operations since at least 2009.
“Appin was so prolific that a surprising amount of current Indian APT activity still links back to the original Appin group of companies in one form or another. Campaigns conducted by Appin have revealed a noteworthy customer base of government organizations and private businesses spread globally,” SentinelLabs noted.
The researchers based their findings on Appin on Reuters special report and non-public data. According to Reuters, the educational startup soon became a hack-for-hire powerhouse that stole secrets from executives, politicians, military officials, and wealthy global elites.
Unlike state-sponsored threat actors, Appin’s hacking attempts and the whole organization sometimes appeared clumsy, informal, and technically crude. However, their operations proved worthy for their customers, significantly impacting world affairs.
Their past employees dispersed widely to form new competitors and partners, evolving the Appin brand to include new names. Some even spread into cybersecurity defense industry vendors.
Reuters found at least half a dozen other hack-for-hire firms in India that have adopted Appin’s business model of serving private investigators and corporate lawyers.
Hack-for-hire threat actors are serious threats to all organizations, representing an interesting challenge for security researchers and network defenders. Appin demonstrated the concerning resilience of such groups, coupled with their capacity to attract new clients despite heightened public scrutiny.
“The landscape of hack-for-hire enterprises has undergone a transformation, diversifying the array of services available to both private enterprises and government entities,” threat researchers from SentinelLabs said.
They urge enhanced international cooperation and the establishment of robust legal frameworks to address this escalating challenge effectively.
How did Appin operate?
Appin’s business masqueraded with offerings for network penetration testing, website security auditing, training, and other services. Yet the hack-for-hire offerings are the most interesting. Researchers obtained a proposed offering to India’s Police.
For 100,000 Indian Rupees per month (now around $1200), the “real-time cyber investigation solution” included an investigation of computers and emails from which data “will be harvested and transferred” and, if possible, gaining control.
“Offensive security services provided to customers, well over a decade ago, included data theft across many forms of technology, often internally referred to as “interception” services. These included keylogging, account credential phishing, website defacement, and SEO manipulation/disinformation. They would also accommodate other technical requests from a customer on-demand, such as cracking passwords from stolen documents,” the research reads.
The work of Appin was plagued with inadequate operations security and a lack of formal individual responsibilities, with operators and developers mixing their tasks. However, strong financial incentives were in place to push for leadership for everyone to succeed on their customers' behalf.
Appin targeted both governmental entities and businesses across various industries. The list of Appin’s deeds includes the following:
Dependent on contractors
For years, Appin employed an external contractor to procure and oversee infrastructure. This contractor was responsible for registering domains, establishing hosting solutions for each project, and subsequently enabling remote access.
“Appin operators would request a type of server, including some technical requirements, and which operator is assigned for its use,” researchers noted.
Hosted servers were used for control and data collection, phishing, luring targets to interact for credential phishing or malware delivery, and generic purposes for non-attributable access to victim machines and attack infrastructure administration.
Appin purchased malware from external software developers while also using internal employees to develop their own tools. They used the California-based freelancing platform Elance (now known as Upwork) for that.
“An example of Elance use is the purchase of the USB Propagator tool from the freelancer “alexstinger”. The original job posting was titled “Creation of Advanced Data Backup Utility.” The same tool is also referenced in the Operation Hangover report. The original version was purchased in 2009 for $500 after troubleshooting and source code delivery. The Elance job statement was completed on July 15th, 2009,” the SentinelOne’s research reads.
There were many other purchases on Elance, such as Audio Recording Software, the Creation of a code obfuscator, “Exploits for research purpose on MS Office and IE,” or “MS Office Exploits to upgrade our IPS/Antivirus!”
One job posting included a payment of $1,000 monthly and minimum expectations of at least two exploits per month.
“A recurring problem with these job postings was that freelancers quickly rejected them after noting the low payment amount and questioning whether they were intended for malicious use.”
Appin also acquired a large amount of private spyware and exploit services. One example is the purchase of mobile spyware services through Vervata in 2010. Other purchases were made from private vendors Vupen and Core Security. The keylogger and some other malware were developed internally.
SentinelOne provided historical indicators of compromise in their research.
More from Cybernews:
Subscribe to our newsletter