June 30, 2022, updated 05 Apr 2023 9:26am

Investigation reveals network of Indian ‘hack-for-hire’ groups who steal data for paying clients

Reuters investigation reveals network of 'cyber-mercenary' groups who target businesses, political groups and individuals.

By Claudia Glover

An investigation by the Reuters news agency has revealed a network of ‘hack-for-hire’ groups in India who break into the online accounts of businesses and individuals to steal data for paying clients.

An accompanying blog post by Google’s security research team details similar operations in Russia and the UAE. Unlike other commercial cybercrime operations, which provide technical services, these ‘hack-for-hire’ groups carry out attacks on their clients’ behalf, Google said.

‘Hack-for-hire’ groups have been revealed before but the scale of the Indian operation is only now coming to light (Image by Rich Legg / iStock)

Published today, Reuters’ investigation identifies a network of hackers based in India, who were routinely hired to gain illegal access to information and documents from businesses, political organisations and individuals. This criminal activity was often linked to legal proceedings, Reuters found.

The network was revealed after two email service providers, which the hackers had used to send phishing emails, shared their records with reporters. This revealed that at least 75 US and European companies, numerous media and advocacy groups, and business executives had been targeted by the hackers. The targets included Adam Neumann, former CEO of troubled co-working start-up WeWork, Reuters reported.

When approached by Reuters, the majority of the targets said they were either involved in litigation, or expected to be, when the hackers attempted to breach them. Their lawyers were often targeted as well.

Working with security researchers at Mandiant, Google and LinkedIn, the reporters linked the hackers to three Indian companies: Appin, BellTroX and CyberRoot. The evidence reveals ‘hack-for-hire’ activity by the companies between 2013 and 2020, Reuters said.

BellTroX had previously been exposed by researchers at Citizen Lab, after a journalist was targeted and traced the attack back to the Indian company. That investigation revealed that the group’s victims included numerous environmental groups, including Greenpeace.


But the scale of the operation surrounding BellTroX is being revealed for the first time, Reuters said today.

“The email trove provides a startling look at how lawyers and their clients are targeted by cyber mercenaries,” Reuters wrote, “but it leaves some questions unanswered”. Most significant of these is who hired the hackers.

The FBI is investigating the network, Reuters reported, as are many of the targeted organisations.

Cyber mercenaries: How ‘hack-for-hire’ groups work

In a blog post accompanying the Reuters investigation, Google’s Threat Analysis Group (TAG) shared information on how ‘hack-for-hire’ groups, also known as ‘cyber mercenaries’, work.

Google TAG distinguishes these ‘hack-for-hire’ groups from commercial surveillance providers who sell technical capabilities. The groups, it says, “conduct the attacks themselves”.

Some groups operate openly as commercial enterprises, marketing their services as ‘corporate espionage’, Google said, while others are more discreet. Some, such as those exposed in the Reuters investigation, often work for private investigators.

In addition to the Indian ‘cluster’ of hack-for-hire groups, TAG’s blog post outlines similar operations in Russia and the United Arab Emirates.

The Russian group – previously dubbed ‘Void Balaur’ – targets “journalists, politicians across Europe, and various NGOs and non-profit organisations,” as well as “everyday citizens”.

The group in the UAE, which was investigated by Amnesty International in 2018, typically targets government and political organisations in the Middle East and North Africa.

To help security teams combat these groups, Google published a list of dummy domains they use to trick users into clicking links. These are so-called ‘typosquatting’ domains, such as ‘rnanage-icloud’ or ‘mail-goolge’, which look like legitimate URLs at a glance.
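As an added illustration of how a security team might screen for lookalike domains of this kind, the script below flags names that imitate a protected brand through a homoglyph swap (the ‘rn’ for ‘m’ in ‘rnanage-icloud’), a one-character typo or transposition (‘goolge’), or by embedding the brand name inside a third-party domain. It is example code written for this article, not Google TAG’s published list or tooling; the brand list, the confusable-character table, the short suffix table and the sample hostnames are all constructed for the demonstration.

```python
"""Flag lookalike ('typosquatting') domains against a list of protected brands.

Added example for the article's point about domains such as 'rnanage-icloud'
or 'mail-goolge'. This is not Google TAG's published list or tooling; the
brand list, confusable pairs and sample domains are constructed for the demo.
"""
from __future__ import annotations

# Brands the defender wants to protect (constructed for this example).
PROTECTED_BRANDS = ("icloud", "google", "microsoft", "linkedin")

# Character runs that read like another letter at a glance. Applied in this
# order, so the two-character pairs are folded before single characters.
HOMOGLYPH_FOLDS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"))

# Common second-level suffixes; a real tool would consult the Public Suffix List.
SECOND_LEVEL_SUFFIXES = {"co", "com", "net", "org", "ac", "gov"}

MIN_TOKEN_LEN = 4  # shorter tokens match too many brands by accident


def fold_homoglyphs(text: str) -> str:
    """Replace visually confusable runs with the letter they imitate."""
    for lookalike, real in HOMOGLYPH_FOLDS:
        text = text.replace(lookalike, real)
    return text


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: Levenshtein plus adjacent swaps,
    so that a transposition like 'goolge' -> 'google' costs 1, not 2."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,         # deletion
                          d[i][j - 1] + 1,         # insertion
                          d[i - 1][j - 1] + cost)  # substitution
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


def registrable_label(host: str) -> str:
    """Return the label just below the public suffix (approximation only)."""
    labels = host.lower().strip(".").split(".")
    if len(labels) >= 3 and labels[-2] in SECOND_LEVEL_SUFFIXES:
        return labels[-3]
    return labels[-2] if len(labels) >= 2 else labels[0]


def classify_domain(domain: str, brands=PROTECTED_BRANDS) -> list[tuple[str, str]]:
    """Return (brand, reason) findings for one hostname; an empty list means
    nothing in the name imitates a protected brand."""
    label = registrable_label(domain)
    if label in brands:  # the brand's own registrable name, e.g. google.com
        return []
    tokens = [label] + (label.split("-") if "-" in label else [])
    findings: list[tuple[str, str]] = []
    for token in tokens:
        if len(token) < MIN_TOKEN_LEN:
            continue
        folded = fold_homoglyphs(token)
        for brand in brands:
            if token == brand:
                reason = "brand-embedded"  # real brand name inside a third-party domain
            elif folded == brand:
                reason = "homoglyph"       # e.g. 'go0gle', 'rnicrosoft'
            elif osa_distance(folded, brand) == 1:
                reason = "typo"            # one edit or one adjacent swap away
            else:
                continue
            if (brand, reason) not in findings:
                findings.append((brand, reason))
    return findings


def scan(domains) -> dict[str, list[tuple[str, str]]]:
    """Run the classifier over an iterable of hostnames, keeping only hits."""
    return {d: hits for d in domains if (hits := classify_domain(d))}


if __name__ == "__main__":
    # Constructed sample: the two names from the article plus a few variants.
    sample = ["rnanage-icloud.com", "mail-goolge.net", "go0gle.com",
              "google.com", "icloud.co.uk", "linkedln-secure.net", "example.org"]
    for host, hits in scan(sample).items():
        print(f"{host:24} {hits}")
```

In practice the brand list would be the organisation's own names and those of its lawyers and partners, and the input would be hostnames pulled from mail logs, proxy logs or newly registered domain feeds; the suffix handling here is deliberately simplistic and a production tool should use the Public Suffix List and also handle internationalised (punycode) labels, which this ASCII-only folding ignores.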

“We hope that improved understanding of the tactics and techniques will enhance threat hunting capability and lead to stronger user protections across the industry,” wrote TAG researcher Shane Huntley in the blog post.

