- SentinelLabs has garnered new intelligence pertaining to the activities of the Appin Security Group, a renowned entity in the realm of hack-for-hire services.
- Our comprehensive analysis has unearthed information on numerous global cyber intrusions, encompassing instances of espionage, surveillance, and disruptive actions. Furthermore, our findings establish a high level of confidence in attributing intrusions in various countries, including Norway, Pakistan, China, and India, among others.
- The landscape of hack-for-hire enterprises has undergone a transformation, diversifying the array of services available to both private enterprises and government entities. Notwithstanding previous public disclosures, the internal methodologies governing the creation of malware, exploits, and network infrastructure have persisted in obscurity. Our investigative efforts contribute crucial insights, shedding light on the intricate processes underlying these operations.
Hack-for-Hire threat actors go by many names, such as surveillance-for-hire, mercenaries, private-sector-offensive-actors (PSOAs), and nonstate offensive threat actors. Such groups represent an interesting challenge for security researchers and network defenders, and should be considered a serious threat to all organizations, worthy of both proactive tracking in ongoing intrusions and analysis of historical cases to understand their significant impacts. Attempts to track and disrupt mercenary threat actors have been highlighted in many public industry reports, including our past work on Void Balaur and Meta’s Surveillance-for-Hire report.
In this report, we share our findings from a review of unique, non-public, and technically verified data on the hack-for-hire efforts of the Appin business. After an extensive review of this data, brought to our attention by Reuters investigative journalists, we assess with high confidence that it correlates with previously known Appin intrusions, accurately depicts internal communications, and originated from inside the security arm of the Appin organization, formally known as Appin Software Security and informally as Appin Security Group (ASG).
Introduction to Appin
Appin is considered the original hack-for-hire company in India, offering an offensive security training program alongside covert hacking operations since at least 2009. Its former employees have since gone on to form newer competitors and partners, carrying the Appin lineage forward under new names, while some moved into cybersecurity defense vendors. Appin was so prolific that a surprising amount of current Indian APT activity still links back to the original Appin group of companies in one form or another. Campaigns conducted by Appin reveal a noteworthy customer base of government organizations and private businesses spread globally.
Our analysis and observations corroborate the June 2022 Reuters reporting that tied some of Appin’s customers to major litigation battles. The group conducted hacking operations against high-value individuals, governmental organizations, and other businesses involved in specific legal disputes. Appin’s hacking operations and overall organization often appear informal, clumsy, and technically crude; nevertheless, their operations proved highly successful for their customers and had a significant impact on world affairs.
Victims, and Links to Previous Reporting
The extensive scope of unique targets and confirmed victims extends globally. The data reveals victims across the United States, Canada, China, India, Myanmar, Kuwait, Bangladesh, the United Arab Emirates, Pakistan, and other locations. The affected devices encompass those affiliated with both governmental entities and businesses across various industries. It is important to note that the aforementioned list is not exhaustive, serving as a snapshot at a particular moment rather than a comprehensive compilation of all targets and victims.
From a threat intelligence perspective, the data includes details that identify specific victims of notable public interest. Attacks on China and Pakistan from India-linked threat actors are not new; however, the confirmation that a local Indian hack-for-hire group was enlisted to conduct these campaigns is insightful on the attribution of presumably state-sponsored attacks coming out of India. We can confirm some known victimology as well as observe additional previously undiscovered victims:
Pakistani Government Officials
These victims were successfully compromised and sent keylogger data from their machines to an Appin-owned and -controlled server. The keylogger data contained personal social media and email account logins, government website logins, and more mundane web browsing such as travel, gaming, and pornography sites. Pakistani targeting continued in the following years, as reported by ESET in 2013 and noted in the Operation Hangover report discussed below.
Chinese Government Officials
Multiple cases starting in 2009 involved data theft operations against Chinese government officials. These include the successful compromise of multiple PLA officers. Around the same time operators successfully compromised Military Liaison Officers with the same objective. Notably, these attacks were carried out shortly after Indian government officials made public statements they had observed cyber attacks on Indian government networks and attributed the activity to China.
There are also many cases of domestic targeting. For example, in one case the intelligence unit of a local police force enlisted Appin to conduct defacement attacks on specific Sikh websites and to steal login credentials for email accounts belonging to Sikhs in India and the U.S. One inbound request we reviewed contained a formal request document for Appin to break into the personal Gmail account of a specific individual, labeled as a domestic terrorist target. In an unrelated campaign, the group also used the domain speedaccelator[.]com for an FTP server hosting malware used in its phishing emails, one of which was sent to an Indian individual later targeted by the ModifiedElephant APT.
KitM Mac Spyware
In 2013, F-Secure analyzed and reported (1,2,3) on the technical details of Mac spyware originally discovered on the machine of an Angolan activist while visiting the Oslo Freedom Forum (“a global gathering of activists united in standing up to tyranny”). This Mac spyware was quite unique at the time. It was ultimately dubbed KitM (‘Kumar in the Mac’, referring to the certificate issued under the name ‘Rajinder Kumar’ that was used to sign all of the samples) and made use of Appin-owned and -operated infrastructure. The newly reviewed data provided some of the context behind this campaign and confirmed the attribution of the activity to Appin.
One of the more interesting links to previous reporting is the overlap with Operation Hangover. This 2013 report was a unique deep dive into threat activity around an industrial espionage campaign against the Norwegian telecommunications corporation Telenor, along with other private companies. The authors noted multiple strong links between the Appin organization and the attacks observed in the wild. Our new findings confirm that the malware and attack infrastructure noted in the Operation Hangover report were indeed owned and controlled by Appin, such as taraanasongs[.]com and others listed in the indicators at the end of this report.
Below is a graphic depicting the process of acquiring Operation Hangover-related domains. In late October 2009, an operator requested a “new domain for phishing and exe upload” from their manager. The manager forwarded the request, which made its way to the executive staff and finance manager for approval. A day later the operator acknowledged the new domain (taraanasongs[.]com), and the manager informed the executive staff of its acquisition.
Infrastructure Acquisition and Use
Leading hack-for-hire organizations face strict segmentation requirements in order to limit discovery of their infrastructure. If a researcher were to find what connects all points of that infrastructure together, the entire set of customer operations would be at risk.
For years, Appin acquired and managed its infrastructure through a single outside contractor. This individual would register domains and set up hosting as needed for a project. Appin operators would request a type of server, including its technical requirements and which operator was assigned to use it.
The consultant would then purchase the server, set it up as instructed, provide remote access credentials to the operator and Appin leadership, and close the interaction with an invoice detailing payment. Based on the data reviewed, the consultant made the purchases through a recurring set of personal and business-branded email accounts, with overlapping registration and hosting details.
The types of servers requested generally centered around a handful of main purposes.
- Exfiltration – Often referred to as FTP servers or Data Transfer servers in the early years, these were the destination to which malware exfiltrated stolen data. The logs of an Appin-owned and -operated exfiltration server are also useful for victim identification. For example, those originating from devinmartin[.]net highlight the global victim spread noted previously. Data was uploaded to this specific FTP server with the following accounts:
  - stealth@devinmartin[.]net
  - keylogs@devinmartin[.]net
  - radar@devinmartin[.]net
  - 123456@devinmartin[.]net
  - devinmartin@devinmartin[.]net
  - revolution@devinmartin[.]net
  - devinmart@devinmartin[.]net
  - reloaded@devinmartin[.]net
  - cinema@devinmartin[.]net
  - lux@devinmartin[.]net
- C2 and Delivery Servers – Malware command and control, or hosting malware for download.
- Phishing – Hosted web pages for credential phishing. In many cases the same phishing pages were available through multiple target-named subdomains and URLs.
- Lure Sites – An interesting technique was the use of what operators referred to as “honeypots”. These sites were often themed around a specific topic and lured the target into interacting, for credential phishing or malware delivery. One such example is islam-jindabad.blogspot[.]com, which remains online at the time of this writing. It was created in 2009 and referred to as a “honey pot” by Appin operators. The site led to a second domain that delivered malware after the target clicked an image. The destination address of these images is
- VPS Server – Generic multi-purpose server for non-attributable access to victim machines and attack infrastructure administration. Typically accessed through SSH.
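The exfiltration bullet above notes that an exfiltration server’s own logs identify victims. The script below is an added example, not code from the original report or from Appin: it parses a wu-ftpd/vsftpd-style transfer log (xferlog), keeps only completed inbound transfers (downloads of tooling and aborted uploads are noise), drops hosts known to belong to operators or developers (the kind of test uploads the keylogger developer made), and summarizes uploads per exfiltration account and source host. The log lines, file paths, the operator-host set and the IP addresses (RFC 5737 documentation ranges) are constructed for illustration; only the account names echo those listed above.

```python
"""Summarise victim activity from an FTP exfiltration server's xferlog.

Added example; all log records, paths and addresses below are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime

# Constructed records in xferlog layout:
#   date(5 tokens) xfer-secs remote-host bytes path type flag dir mode user svc auth uid status
# dir "i" = incoming (upload to the server), "o" = outgoing (download).
# status "c" = completed transfer, "i" = incomplete transfer.
SAMPLE_XFERLOG = """\
Mon Nov  2 08:14:03 2009 3 192.0.2.17 48213 /keylogs/host01/kl_20091102.txt a _ i r keylogs ftp 0 * c
Mon Nov  2 09:30:41 2009 1 198.51.100.8 9107 /stealth/docs/budget.xls b _ i r stealth ftp 0 * c
Tue Nov  3 08:15:10 2009 2 192.0.2.17 51002 /keylogs/host01/kl_20091103.txt a _ i r keylogs ftp 0 * c
Tue Nov  3 11:02:55 2009 0 203.0.113.5 1200 /keylogs/test/kl_dev.txt a _ i r keylogs ftp 0 * c
Tue Nov  3 12:40:00 2009 4 198.51.100.8 77000 /stealth/docs/contacts.pst b _ i r stealth ftp 0 * i
Wed Nov  4 07:59:31 2009 1 198.51.100.8 66000 /stealth/docs/contacts.pst b _ i r stealth ftp 0 * c
Wed Nov  4 10:00:00 2009 1 203.0.113.5 312000 /tools/dropper.exe b _ o r radar ftp 0 * c
"""

# Hosts known to be operator/developer machines (e.g. keylogger test uploads).
# Constructed for this example; in practice these come from the case data.
OPERATOR_HOSTS = {"203.0.113.5"}


@dataclass
class Victim:
    account: str
    remote_host: str
    first_seen: datetime
    last_seen: datetime
    uploads: int = 0
    total_bytes: int = 0
    paths: set = field(default_factory=set)


def parse_xferlog_line(line):
    """Return the fields of one xferlog record, or None if the line is malformed."""
    parts = line.split()
    if len(parts) < 18:
        return None
    try:
        when = datetime.strptime(" ".join(parts[:5]), "%a %b %d %H:%M:%S %Y")
        size = int(parts[7])
    except ValueError:
        return None
    return {
        "time": when, "host": parts[6], "bytes": size, "path": parts[8],
        "direction": parts[11], "user": parts[13], "status": parts[17],
    }


def victims_from_xferlog(text, operator_hosts=frozenset()):
    """Group completed uploads by (account, source host); each key is one likely victim."""
    victims = {}
    for line in text.splitlines():
        rec = parse_xferlog_line(line)
        if rec is None:
            continue
        # Only completed inbound transfers are exfiltrated data; outbound
        # transfers are malware being fetched, and incomplete ones are retried.
        if rec["direction"] != "i" or rec["status"] != "c":
            continue
        if rec["host"] in operator_hosts:
            continue
        key = (rec["user"], rec["host"])
        v = victims.get(key)
        if v is None:
            v = Victim(rec["user"], rec["host"], rec["time"], rec["time"])
            victims[key] = v
        v.first_seen = min(v.first_seen, rec["time"])
        v.last_seen = max(v.last_seen, rec["time"])
        v.uploads += 1
        v.total_bytes += rec["bytes"]
        v.paths.add(rec["path"])
    return victims


def victims_per_account(victims):
    """Count distinct victim hosts per exfiltration account."""
    counts = defaultdict(int)
    for account, _host in victims:
        counts[account] += 1
    return dict(counts)


if __name__ == "__main__":
    found = victims_from_xferlog(SAMPLE_XFERLOG, OPERATOR_HOSTS)
    for (account, host), v in sorted(found.items()):
        print(f"{account:8} {host:15} uploads={v.uploads} bytes={v.total_bytes} "
              f"{v.first_seen:%Y-%m-%d}..{v.last_seen:%Y-%m-%d}")
    print(victims_per_account(found))
```

The source host is the victim’s egress address, so several machines behind one NAT collapse into one key; the upload paths (often named per host by the malware) are kept so that such cases can be split by hand. Incomplete transfers are excluded only from the counts; they still matter as evidence of the connection itself.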
Additionally, a non-standard server type was used for Appin’s covert communications with customers. The business used dedicated websites for customer project tracking and data sharing. Variously referred to as GoldenEye, Commando, or MyCommando, these acted as a place where customers could log in to view and download campaign-specific data and status updates, communicate securely, and manage other aspects of their projects.
This is the same “Secured Project Management Portal” highlighted in an Appin marketing presentation, first shared by Reuters in their June 2022 mercenary hacker investigative report.
Malware and Exploit Development
Appin made use of the California-based freelancing platform Elance (now known as Upwork) to purchase malware from external software developers, while also using internal employees to develop those projects and their own tools. Elance jobs were posted by Appin under the username “appinsecuritygroup”, with a profile set to the full name and appinonline[.]com email address of an Appin executive.
An example of Elance use is the purchase of the USB Propagator tool from the freelancer “alexstinger”. The original job posting was titled “Creation of Advanced Data Backup Utility”. The same tool is also referenced in the Operation Hangover report. The original version was purchased in 2009, for $500, after troubleshooting and source code delivery. The Elance job statement was completed on July 15th, 2009.
Appin advertised on Elance for many other software projects as well, including ones titled:
- Audio Recording Software on Windows
- Creation of a code obfuscator for C, Visual C++
- Exploits for research purpose on MS Office and IE
- MS Office Exploits to upgrade our IPS/Antivirus!
- R&D in vulnerability research in Eastern Europe
A summary of the job post for “R&D in vulnerability research in Eastern Europe” follows.

| Field | Detail |
| --- | --- |
| Description | To outsource research in exploits and vulnerabilities on a monthly retainer basis to an expert organization in Eastern Europe |
| Skills Required | Vulnerability and exploit gathering, exploit development |
| Focus/Deliverables | Development of exploits for existing vulnerabilities, or customization of exploit samples from the internet, related to MS Office (Word, Excel, PowerPoint 2007/2003, etc.), Adobe PDF, and the browsers IE 6/7, Mozilla Firefox, and Opera |
| Minimum Expectation | At least two exploits a month; exploits customizable with payloads; minimal detection by AV; weekly report on successes/failures |
A recurring problem with these job postings was that freelancers quickly rejected them after noting the low payment amount and questioning whether they were intended for malicious use.
Appin also made use of a large number of private spyware and exploit services over the years. For example, in 2010 they purchased mobile spyware services through Vervata, the business behind the FlexiSPY mobile stalkerware. When this transaction was conducted, the domain mobilebackup[.]biz was used by operators for install guides, software downloads, and reviewing victim mobile device data. While this is historical data, FlexiSPY stalkerware is still marketed and sold today.
Appin later pursued the purchase of exploits from leading private vendors at the time, including Vupen and Core Security. Business interests also involved the opportunity for Appin to act as an exploit reseller for Vupen to the Indian Government.
As noted, some malware was developed internally, including a keylogger. Associated data and communications show an employee first presenting their keylogger to Appin leadership in August 2009. In one reviewed message, the employee described a new keylogger under construction with the ability to upload its logs to the FTP server.
Over the following weeks and months, tests were conducted to showcase the keylogger’s capabilities. In one such file, the developer tested the keylogger’s functionality against third-party antivirus solutions, which detected it. The developer’s personal email address has been redacted from the data.
Months later the keylogger was being used in live operations, including in a campaign targeting the Pakistan government. Government victim data included personal email addresses and instant messaging activity, browsing for new jobs in the Pakistan Navy, reading/printing ISPR news, and other personally sensitive online activity.
The Hack-For-Hire Business
Although hack-for-hire organizations in India and elsewhere have evolved markedly over the years, as both the technology available to them and the ecosystem in which they operate have changed, a clear snapshot of Appin’s activity from around the early 2000s onward provides invaluable insight into the inner workings of such businesses.
Setting aside Appin’s many business offerings related to network penetration testing, website security auditing, training, and more, we focus on the part most interesting to cyber defenders and threat intelligence analysts: the hack-for-hire offerings. Below is a proposed offering of Appin’s ‘Special Services Division’ made to India’s Chhattisgarh Police Cyber Investigation Cell.
While a full review of the business structure is outside the scope of this report, a few relevant cybersecurity observations are useful to list:
- Offensive security services provided to customers, well over a decade ago, included data theft across many forms of technology, often internally referred to as “interception” services. These included keylogging, account credential phishing, website defacement, and SEO manipulation/disinformation. They would also accommodate other technical requests from a customer on-demand, such as cracking passwords from stolen documents.
- Operations Security (OPSEC) was taken seriously in theory but inadequately executed in practice. Operators, developers, and leadership were instructed not to discuss project specifics (targets, customers, tools, etc.) over weak communication channels. However, leadership repeatedly broke those rules themselves. For example, analysts refused to write down confidential technical information about sensitive operations, while leadership openly discussed and documented the same details.
- The roles of individual operators were often built around their skill sets rather than formal responsibilities attached to a structured role. Operators and developers mixed tasks depending on the individual’s interests and initiative.
- There was a strong, financially incentivised push from leadership to all operators and developers for innovative ideas that could better achieve success on behalf of customers, including finding new tools and techniques to accomplish the customer’s objective. Some OPSEC gaps originated from this unchecked innovation.
A Day in the Life
While the operator and developer roles proved fluid over time, we can glimpse the leadership’s priorities based on weekly task lists handed down to the early ‘development’ group. Tasks were assigned to individuals, including the following objectives:
1) Individual A:
- Build fully functional & undetectable malicious documents using exploits.
- Resolve issues of malware not collecting specific messaging software logs.
- Coordinate with exploit developers (internal) for other ongoing campaigns.
2) Individual B:
- Build and finish the new network lateral movement solution.
- Rebuild “FTP Backup trojan” to make it fully undetectable.
3) Individual C:
- Build a new process with exploit developers (internal) for weekly use of new fully-undetectable attack tools.
- Troubleshoot phishing website problems, such as specific language characters not recording properly.
- Educate operators on other internal tools.
The tasks and the individuals assigned to them are ultimately unsurprising; however, they are useful for contextualizing the overlapping technical links and improvements between campaigns, such as version updates to the FTP Backup trojan.
Our examination of the Indian hack-for-hire group Appin underscores the enduring and substantial threat that such entities have posed to businesses, governments, and individuals for more than a decade. The findings underscore the group’s remarkable tenacity and its proven track record of successfully executing attacks on behalf of a diverse clientele. The technical insights and infrastructure details provided by our study offer a valuable resource for mapping associated malicious activity and reevaluating past incidents with a renewed perspective.
The concerning resilience of these groups, coupled with their capacity to attract new clients despite heightened public scrutiny, emphasizes the urgent necessity for enhanced international cooperation and the establishment of robust legal frameworks to effectively address this escalating challenge. In light of advancing technologies and a growing demand for digital espionage and cybercrime services, it is imperative for governments, businesses, and high-risk individuals to proactively implement measures to protect themselves against these formidable, adaptable, and thriving hack-for-hire threat actors.
Historical Indicators of Compromise
Note: some of the following indicators have since been used for legitimate purposes or sinkholed. We therefore advise caution if considering them as active indicators in their current state.