Our friends at SentinelLabs report that Hack-for-Hire threat actors go by many names, such as surveillance-for-hire, mercenaries, private-sector-offensive-actors (PSOAs), and nonstate offensive threat actors. Such groups represent an exciting challenge for security researchers and network defenders. They should be considered a severe threat to all organizations, worthy of proactive tracking in ongoing intrusions and analysis of historical cases to understand their significant impacts. Many public industry reports have highlighted attempts to track and disrupt mercenary threat actors, including our past work on Void Balaur and Meta’s Surveillance-for-Hire report.
Below, SentinelLabs shares findings from a review of highly unique, non-public, and technically verified data on the hack-for-hire efforts of the Appin business. After an extensive review of this data, brought to our attention by Reuters investigative journalists, we assess with high confidence that it correlates with previously known Appin intrusions, accurately depicts internal communications, and originated from inside the security arm of the Appin organization, formally known as Appin Software Security and informally as Appin Security Group (ASG).
Introduction to Appin - Appin is considered the original hack-for-hire company in India, offering an offensive security training program alongside covert hacking operations since at least 2009. Their past employees have since spread out to form newer competitors and partners, evolving the Appin brand to include new names, while others have moved into cybersecurity defense industry vendors. Appin was so prolific that a surprising amount of current Indian APT activity still links back to the original Appin group of companies in one form or another. Campaigns conducted by Appin have revealed a noteworthy customer base of government organizations and private businesses spread globally.
Our analysis and observations corroborate the June 2022 reporting from Reuters, noting some of Appin’s customers are tied to significant litigation battles. The group has conducted hacking operations against high-value individuals, governmental organizations, and other businesses involved in specific legal disputes. Appin’s hacking operations and overall organization often appear informal, clumsy, and technically crude; however, their operations proved highly successful for their customers, impacting world affairs significantly.
Victims and Links to Previous Reporting - The extensive scope of unique targets and confirmed victims extends globally. The data reveals victims across the United States, Canada, China, India, Myanmar, Kuwait, Bangladesh, the United Arab Emirates, Pakistan, and other locations. The affected devices encompass those affiliated with both governmental entities and businesses across various industries. It is important to note that the aforementioned list is not exhaustive, serving as a snapshot at a particular moment rather than a comprehensive compilation of all targets and victims.
From a threat intelligence perspective, the data includes identifying specific victims of notable public interest. Attacks on China and Pakistan from India-linked threat actors are not new; however, the confirmation that a local Indian hack-for-hire group was enlisted to conduct these campaigns is insightful on the attribution of presumably state-sponsored attacks out of India. We can confirm some known victimology as well as observe additional previously undiscovered victims:
Pakistani Government Officials - These victims were successfully compromised and sent keylogger data from their machines to the Appin-owned and controlled server. The keylogger data contained personal social media and email account logins, government website logins, and more mundane web browsing like travel, games, and pornography sites. Pakistani targeting continued in the years following, as reported by ESET in 2013 and noted in the below Operation Hangover report.
Chinese Government Officials - Multiple cases in 2009 involved data theft operations against Chinese government officials. These include the successful compromise of multiple PLA officers. Around the same time, operators successfully compromised Military Liaison Officers with the same objective. Notably, these attacks were carried out shortly after Indian government officials made public statements they had observed cyber attacks on Indian government networks and attributed the activity to China.
Domestic Targeting - There are also many cases of domestic targeting. For example, in one case, the Intelligence organization within a local police force enlisted Appin to conduct defacement attacks on specific Sikh websites and to steal login credentials of email accounts belonging to Sikhs in India and the US. One such inbound request reviewed contained a formal request document for Appin to break into the personal Gmail account of a specific individual labeled as a domestic terrorist target. In an unrelated campaign, the group also used the domain speedaccelator[.]com for an FTP server, hosting malware used in their malicious phishing emails, one of which was used on an Indian individual later targeted by the ModifiedElephant APT.
KitM Mac Spyware - In 2013, F-Secure analyzed and reported (1,2,3) on the technical details of Mac spyware initially discovered on the machine of an Angolan activist while visiting the Oslo Freedom Forum (“a global gathering of activists united in standing up to tyranny.”). This Mac spyware was quite unique at the time, and ultimately dubbed KitM (‘Kumar in the Mac’, referring to the certificate issued under the name ‘Rajinder Kumar’, used to sign all of the samples), and used Appin-owned and operated infrastructure. The newly reviewed data provided some of the context behind this campaign and confirmed actor attribution to Appin.
Operation Hangover - One of the more interesting links to previous reporting is the overlap with Operation Hangover. This 2013 report was a unique deep dive into threat activity around an industrial espionage campaign against the Norwegian telecommunications corporation Telenor and other private companies. The authors note multiple strong links between the Appin organization and the attacks observed in the wild. Our new findings confirm that the malware and attack infrastructure noted in the Operation Hangover report were owned and controlled by Appin, such as taraanasongs[.]com and others highlighted here.
Below is a graphic depicting the process of acquiring Operation Hangover-related domains. In late October 2009, an operator requested a “new domain for phishing and exe upload” from their manager. After approval, the manager forwarded the request, which went to the executive staff and finance manager. A day later, the operator acknowledged the new domain (taraanasongs[.]com), and the manager informed the executive staff of its acquisition.
Infrastructure Acquisition and Use - Leading hack-for-hire organizations face essential segmentation requirements to limit the discovery of their infrastructure. If a researcher were to discover what connects all points of their infrastructure together, it would put the entire set of customer operations at risk. For years, Appin’s acquisition and management of infrastructure was handled through a particular outside contractor. At the time, this individual would register the domains and set up hosting solutions for a project as needed. Appin operators would request a server type, including some technical requirements, and name the operator assigned to use it. The consultant would then purchase the server, set it up as instructed, provide credentials for remote access to the operator and Appin leadership, and conclude the interaction with an invoice detailing payment. Based on the data reviewed, the consultant made the purchases through a collection of repeated personal and business-branded email accounts, in addition to overlapping registration and hosting details.
The types of servers requested generally centered around a handful of primary purposes.
Exfiltration – Often referred to as FTP or Data Transfer servers in the early years, malware would use these as the destination for exfiltrating stolen data. One may also find the logs of an Appin-owned and operated exfiltration server useful for victim identification. For example, as previously noted, those originating from devinmartin[.]net highlight a global victim spread. Data was uploaded to this specific FTP server with accounts:
Phishing – Hosted web pages for credential phishing. The same phishing pages were often available through multiple target-named subdomains and URLs.
Lure Sites – A fascinating technique was the use of referenced “honeypots.” These sites would often be themed around a specific topic and lure the target to interact for credential phishing or malware delivery. One such example is islam-jindabad.blogspot[.]com, which remains online at the time of this writing. It was created in 2009 and called a “honey pot” by Appin operators. The domain led to a second domain that delivered malware after clicking an image. The destination address of these images was gmail-loginchk.freehostia[.]com/raj1.php.
Malicious Lure Site, Directs to Malware Download
VPS Server – Generic multi-purpose server for non-attributable access to victim machines and attack infrastructure administration. Typically accessed through SSH. Additionally, a non-standard server type was also used by Appin for covert communications. The business used specific websites for customer project tracking and data sharing. This was variously referred to as GoldenEye, Commando, or MyCommando. It acted as a place where customers could log in to view and download campaign-specific data and status updates, communicate securely, and manage other aspects of their projects.
This is the same “Secured Project Management Portal” highlighted in an Appin marketing presentation, first shared by Reuters in their June 2022 mercenary hacker investigative report.
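The exfiltration servers above are, as the text notes, the most direct source for victim identification: every keylogger upload leaves a transfer record tied to an operator account and a source address. The following is an added example, not SentinelLabs or Appin material, showing how an analyst with access to such a server's transfer log would enumerate victims per account. The log lines are constructed in the wu-ftpd/vsftpd xferlog layout (hosts, IPs and account names are placeholders), and it assumes, purely for the example, that uploads were named `<VICTIMTAG>_<date>.log`; the report does not describe the real naming.

```python
"""Enumerate victims from an exfiltration (FTP) server transfer log.

Added example, not SentinelLabs or Appin material. Log lines are CONSTRUCTED
in xferlog layout; the <VICTIMTAG>_<date>.log naming is an assumption.
"""
import re
from collections import defaultdict

# Constructed xferlog records: date(5 tokens) xfer-time remote-host size path
# type special direction(i=upload,o=download) mode user service auth authid status(c/i)
XFERLOG = """\
Mon Nov  2 14:03:11 2009 1 203.0.113.10 4521 /uploads/HOST-A_20091102.log b _ i r acct1 ftp 0 * c
Mon Nov  2 14:05:40 2009 2 203.0.113.10 5120 /uploads/HOST-A_20091102b.log b _ i r acct1 ftp 0 * c
Mon Nov  2 15:10:02 2009 1 198.51.100.7 2210 /uploads/HOST-B_20091102.log b _ i r acct1 ftp 0 * c
Tue Nov  3 09:12:55 2009 3 192.0.2.33 9800 /uploads/HOST-C_20091103.log b _ i r acct2 ftp 0 * c
Tue Nov  3 09:30:00 2009 1 192.0.2.33 1200 /tools/stager.exe b _ o r acct2 ftp 0 * c
Tue Nov  3 10:00:00 2009 1 203.0.113.10 0 /uploads/HOST-A_20091103.log b _ i r acct1 ftp 0 * i
this line is not an xferlog record
"""

# Assumed upload naming: the victim tag is everything before the first underscore.
VICTIM_TAG_RE = re.compile(r"^([A-Za-z0-9-]+)_")


def parse_xferlog(text):
    """Parse xferlog records into dicts. Returns (entries, skipped_line_count).

    xferlog writes file names literally, so a name containing spaces would
    need a smarter tokenizer; such lines fall into `skipped` here.
    """
    entries, skipped = [], 0
    for line in text.splitlines():
        f = line.split()
        if len(f) != 18:
            skipped += 1
            continue
        try:
            size = int(f[7])
        except ValueError:
            skipped += 1
            continue
        entries.append({
            "when": " ".join(f[0:5]), "remote": f[6], "size": size, "path": f[8],
            "direction": f[11], "user": f[13], "status": f[17],
        })
    return entries, skipped


def victims_by_account(text):
    """Per upload account, the distinct (victim tag, source IP) pairs seen in
    completed incoming transfers. Downloads (direction 'o') and incomplete
    transfers (status 'i') are ignored. Returns (summary, skipped)."""
    entries, skipped = parse_xferlog(text)
    seen = defaultdict(set)
    for e in entries:
        if e["direction"] != "i" or e["status"] != "c":
            continue
        name = e["path"].rsplit("/", 1)[-1]
        m = VICTIM_TAG_RE.match(name)
        tag = m.group(1) if m else "UNKNOWN"
        seen[e["user"]].add((tag, e["remote"]))
    return {u: sorted(v) for u, v in sorted(seen.items())}, skipped


if __name__ == "__main__":
    summary, skipped = victims_by_account(XFERLOG)
    for account, victims in summary.items():
        print(account, "->", victims)
    print("unparsed lines:", skipped)
```

Each operator account in the log maps to the campaign it was issued for, so grouping by account is what lets the victims of one customer project be separated from another's, and the source IPs give the geographic spread the text describes.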
Malware and Exploit Development - Appin used the California-based freelancing platform Elance (now known as Upwork) to purchase malware from external software developers while using internal employees to develop those projects and their own tools. Appin posted Elance jobs under the username “appinsecuritygroup” and a profile set with an Appin executive's full name and appinonline[.]com email address. An example of Elance's use is purchasing the USB Propagator tool from the freelancer “alexstinger.” The original job posting was titled “Creation of Advanced Data Backup Utility.” The same tool is also referenced in the Operation Hangover report. The original version was purchased in 2009 for $500 after troubleshooting and source code delivery. The Elance job statement was completed on July 15th, 2009.
Appin advertised on Elance for many other software projects as well, including ones titled:
- Audio Recording Software on Windows
- Creation of a code obfuscator for C, Visual C++
- Exploits for research purposes on MS Office and IE
- MS Office Exploits to upgrade our IPS/Antivirus!
- R&D in vulnerability research in Eastern Europe
A summary of the job post for “R&D in vulnerability research in Eastern Europe” shows the following.
To outsource research in exploits and vulnerabilities on a monthly retainer basis to expert organizations in Eastern Europe
Vulnerability and Exploits Gathering, Exploit Development
Developing exploits on existing vulnerabilities or customization of exploit samples on the internet related to MS Office (Word, Excel, PowerPoint 2007/2003, etc), Adobe PDF, Browsers IE 6/7, Mozilla Firefox, and Opera.
At least two exploits a month. Exploits should be customizable with payloads, Minimum detection from AV, and Weekly reports on successes/failures.
A recurring problem with these job postings was that freelancers quickly rejected them after noting the low payment amount and questioning whether they were intended for malicious use. Appin also used a large amount of private spyware and exploit services over the years. For example, in 2010 they purchased mobile spyware services through Vervata, the business behind the FlexiSPY mobile stalkerware. When this transaction was conducted, the domain mobilebackup[.]biz was used by operators for installation guides, downloading software, and reviewing victim mobile device data. While this is historical data, FlexiSPY stalkerware is still marketed and sold today.
Appin later pursued the purchase of exploits from leading private vendors at the time, including Vupen and Core Security. Business interests also involved the opportunity for Appin to act as an exploit reseller for Vupen to the Indian government.
As noted, some malware was developed internally, including a keylogger. Associated data and communications reveal an employee's initial intention to share their development of the keylogger with Appin leadership in August 2009. In a reviewed message, the employee described a new keylogger being built that could upload logs to the FTP server. Tests were conducted over the following weeks and months to showcase the keylogger’s capabilities. Here is one such file in which the developer tested the keylogger’s functionality, which was being detected by third-party antivirus solutions. The redacted data included the developer’s personal email address.
Months later the keylogger was being used in live operations, including in a campaign targeting the Pakistan government. Government victim data included personal email addresses and instant messaging activity, browsing for new jobs in the Pakistan Navy, reading/printing ISPR news, and other personally sensitive online activity.
The Hack-For-Hire Business - Although hack-for-hire organizations in India and elsewhere have evolved markedly over the years as both the technology available to them and the ecosystem in which they operate have changed, a clear snapshot of Appin’s activity starting from around the early 2000s provides invaluable insight into the inner workings of such businesses. Ignoring Appin’s many business offerings related to network penetration testing, website security auditing, training, and more, we can focus on the part most interesting to cyber defenders and threat intelligence analysts: the hack-for-hire offerings. Below is a proposed offering of Appin’s ‘Special Services Division’ to India’s Chhattisgarh Police Cyber Investigation Cell.
While a full review of the business structure is outside the scope of this report, a few relevant cybersecurity observations are useful to list:
- Offensive security services provided to customers well over a decade ago included data theft across many forms of technology, often internally referred to as “interception” services. These included keylogging, account credential phishing, website defacement, and SEO manipulation/disinformation. They would also accommodate other technical requests from a customer on demand, such as cracking passwords from stolen documents.
- Operations security (OPSEC) was taken seriously in theory but inadequately executed in practice. Operators, developers, and leadership were instructed not to discuss project specifics (targets, customers, tools, etc.) over weak communication channels. However, leadership repeatedly initiated the failures to abide by those standards: analysts refused to write down confidential technical information related to sensitive operations while leadership openly discussed and documented the exact details.
- The roles of individual operators were often built around their skill sets rather than formal responsibilities within a structured role, with operators and developers mixing tasks depending on the individual’s interests and career ambition. Leadership pushed all operators and developers, with financial incentives, for innovative ideas that could better achieve success on behalf of customers, including finding new tools and techniques to accomplish what the customer wanted. Some OPSEC gaps originated from the resulting unchecked innovation.
A Day in the Life - While the operator and developer roles proved fluid over time, we can glimpse the leadership’s priorities based on weekly task lists handed down to the early ‘development’ group. Tasks were assigned to individuals, including the following objectives:
- Individual A:
  - Build fully functional & undetectable malicious documents using exploits.
  - Resolve issues of malware not collecting specific messaging software logs.
  - Coordinate with exploit developers (internal) for other ongoing campaigns.
- Individual B:
  - Build and finish the new network lateral movement solution.
  - Rebuild “FTP Backup trojan” to make it fully undetectable.
- Individual C:
  - Build a new process with exploit developers (internal) for weekly use of new fully-undetectable attack tools.
  - Troubleshoot phishing website problems, such as specific language characters not recording correctly.
  - Educate operators on other internal tools.
It’s ultimately unsurprising to learn of tasks and the individuals assigned to them; however, it is useful when contextualizing the overlapping technical links and improvements between campaigns, such as version updates of the FTP Backup trojan.
Moving Forward - Our examination of the Indian hack-for-hire group Appin underscores the enduring and substantial threat posed by such entities to businesses, governments, and individuals over an extended period exceeding a decade. The research findings underscore the group’s remarkable tenacity and proven track record of successfully executing attacks on behalf of a diverse clientele. Our study's technical insights and infrastructure offer a valuable resource for mapping associated malicious activities and reevaluating past incidents with a renewed perspective.
The resilience of these groups, coupled with their capacity to attract new clients despite heightened public scrutiny, emphasizes the urgent need for enhanced international cooperation and the establishment of robust legal frameworks to address this escalating challenge effectively. In light of advancing technologies and the growing demand for digital espionage and cybercrime services, it is imperative for governments, businesses, and high-risk individuals to proactively implement measures to protect themselves against these formidable, adaptable, and thriving hack-for-hire threat actors.
Historical Indicators of Compromise - Note some of the following indicators have since been used for legitimate reasons or sinkholed. Therefore, we advise caution if considering these as active indicators in their current state.
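The caveat above is a common operational mistake: loading decade-old indicators straight into a blocklist or live alert rule, where a domain that has since been sinkholed or re-registered for legitimate use produces false positives. The following is an added example, not SentinelLabs or Appin material, showing one way to age-gate such a list, keeping recently seen indicators as live detections and routing the old ones to retrospective hunting over historical DNS logs instead. The domains are from the report; every last-seen date, the IP address and the DNS log lines are constructed placeholders.

```python
"""Age-gate historical indicators and hunt for them retrospectively.

Added example, not SentinelLabs or Appin material. Domains are from the
report; dates, the IP and the DNS log lines are CONSTRUCTED placeholders.
"""
import re
from datetime import date

# Constructed indicator records (dates are placeholders, not real sightings).
INDICATORS = [
    {"ioc": "taraanasongs[.]com", "last_seen": date(2010, 3, 1)},
    {"ioc": "devinmartin[.]net", "last_seen": date(2010, 6, 15)},
    {"ioc": "speedaccelator[.]com", "last_seen": date(2011, 1, 20)},
    {"ioc": "203.0.113.10", "last_seen": date(2023, 9, 1)},  # constructed recent IP
]

DOMAIN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]+\.)+[a-z]{2,}$", re.I)
IPV4_RE = re.compile(r"^(\d{1,3}\.){3}\d{1,3}$")


def refang(ioc):
    """Undo the report's defanging so the value can be compared with log data."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


def ioc_type(ioc):
    if IPV4_RE.match(ioc):
        return "ipv4"
    if DOMAIN_RE.match(ioc):
        return "domain"
    return "unknown"


def triage(indicators, today, max_age_days=365):
    """Split indicators into 'active' (recent enough for live blocking/alerting)
    and 'historical' (retrospective hunting only). Age is measured from the
    indicator's last-seen date, so sinkholed or re-registered old domains
    never reach the live rule set."""
    active, historical = [], []
    for rec in indicators:
        ioc = refang(rec["ioc"])
        entry = {"ioc": ioc, "type": ioc_type(ioc),
                 "age_days": (today - rec["last_seen"]).days}
        (active if entry["age_days"] <= max_age_days else historical).append(entry)
    return {"active": active, "historical": historical}


# Constructed resolver log lines (timestamp, client, queried name, record type).
DNS_LOG = [
    "2009-11-05T08:14:22Z client=10.0.0.15 query=taraanasongs.com type=A",
    "2009-11-05T08:14:23Z client=10.0.0.15 query=www.taraanasongs.com type=A",
    "2009-11-06T12:00:01Z client=10.0.0.42 query=example.com type=A",
    "2010-02-11T19:45:10Z client=10.0.0.15 query=mail.devinmartin.net. type=MX",
    "malformed line",
]
LOG_RE = re.compile(r"^(?P<ts>\S+) client=(?P<client>\S+) query=(?P<qname>\S+)")


def hunt(log_lines, indicators):
    """Retrospective match: the exact name or any subdomain of a domain IoC.
    Returns (timestamp, client, queried name, matched indicator) tuples."""
    domains = {e["ioc"].lower() for e in indicators if e["type"] == "domain"}
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        q = m["qname"].lower().rstrip(".")
        for d in domains:
            if q == d or q.endswith("." + d):
                hits.append((m["ts"], m["client"], q, d))
    return hits


if __name__ == "__main__":
    result = triage(INDICATORS, date.today())
    print("active:", [e["ioc"] for e in result["active"]])
    print("historical:", [e["ioc"] for e in result["historical"]])
    for hit in hunt(DNS_LOG, result["historical"]):
        print("historical hit:", hit)
```

The hunt output is what an incident responder wants from a list like this: which internal clients talked to the infrastructure and when, which is the "reevaluating past incidents" use the conclusion describes, rather than a present-day block that may now hit a sinkhole or a legitimate owner.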
This article is presented at no charge for educational and informational purposes only.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments, or assistance, please get in touch with the office directly at 1-844-492-7225 or email@example.com
Weekly Cyber Intelligence Briefings:
- Reporting: https://www.redskyalliance.org/
- Website: https://www.redskyalliance.com/
- LinkedIn: https://www.linkedin.com/company/64265941