An investigation by the Reuters news agency has revealed a network of ‘hack-for-hire‘ groups in India who break into the online accounts of businesses and individuals to steal data for paying clients.
An accompanying blog post by Google’s security research team details similar operations in Russia and the UAE. Unlike other commercial cybercrime operations, which provide technical services, these ‘hack-for-hire’ groups carry out attacks on their clients’ behalf, Google said.
Published today, Reuters’ investigation identifies a network of hackers based in India, who were routinely hired to gain illegal access to information and documents from businesses, political organisations and individuals. This criminal activity was often linked to legal proceedings, Reuters found.
The network was revealed after two email service providers, which the hackers had used to send phishing emails, shared their records with reporters. This revealed that at least 75 US and European companies, numerous media and advocacy groups, and business executives, had been targeted by the hackers. The targets included Adam Neumann, former CEO of troubled co-working start-up WeWork, Reuters reported.
When approached by Reuters, the majority of the targets said they were either involved in litigation, or expected to be, when the hackers attempted to breach them. Their lawyers were often targeted as well.
Working with security researchers at Mandiant, Google and LinkedIn, the reporters linked the hackers to three Indian companies; Appin, BellTroX and CyberRoot. The evidence reveals ‘hack-for-hire’ activity by the companies between 2013 and 2020, Reuters said.
BellTroX had previously been exposed by researchers at Citizen Lab, after a journalist was targeted and traced the attack back to the Indian company. That investigation revealed that the group’s victims included numerous environmental groups, including Greenpeace.
But the scale of the operation surrounding BellTroX is being revealed for the first time, Reuters said today.
“The email trove provides a startling look at how lawyers and their clients are targeted by cyber mercenaries,” Reuters wrote, “but it leaves some questions unanswered”. Most significant of these is who hired the hackers.
The FBI is investigating the network, Reuters reported, as are many of the targeted organisations.
Cybermercenaries: How ‘hack-for-hire’ groups work
In a blog post accompanying the Reuters investigation, Google’s Threat Analysis Group (TAG) shared information on how ‘hack-for-hire’ groups, also known as ‘cyber-mercenaries’, work.
Google TAG distinguishes these ‘hack-for-hire’ groups from commercial surveillance providers who sell technical capabilities. The groups, it says, “conduct the attacks themselves”.
Some groups operate openly as commercial enterprises, marketing their services as ‘corporate espionage’, Google said, while others are more discrete. Some, such as those exposed in the Reuters investigation, often work for private investigators.
In addition to the Indian ‘cluster’ of hack-for-hire groups, TAG’s blog post outlines similar operations in Russia and the United Arab Emirates.
The Russian group – previously dubbed ‘Void Baluar‘ – targets “journalists, politicians across Europe, and various NGOs and non-profit organisations,” as well as “everyday citizens”.
The group in the UAE, which was investigated by Amnesty International in 2018, typically targets government and political organisations in the Middle East and North Africa.
To help security teams combat these groups, Google published a list of dummy domains they use to trick users into clicking links. These are so-called ‘typosquatting’ domains, such as ‘rnanage-icloud’ or ‘mail-goolge’ that look like legitimate URLs at a glance.
“We hope that improved understanding of the tactics and techniques will enhance threat hunting capability and lead to stronger user protections across the industry,” wrote TAG researcher Shane Huntley in the blog post.
Read more: Iran’s steel industry hit by cyberattack as tensions with Israel rise