The threat associated with nation-state-backed hacking groups has been well-researched and chronicled in recent times, but there’s another, equally dangerous set of adversaries that’s operated comparatively in the shadows for years.
These are hack-for-hire groups that specialize in breaking into systems and stealing email and other data as a service. Their clients can be private investigators, law firms, business rivals, and others that don’t have the capabilities to carry out these attacks on their own. Such cyber mercenaries often openly advertise their services and target any entity of interest to their clients, unlike state-backed advanced persistent threat (APT) actors, which tend to be stealthy and have specific missions and a tight target focus.
Researchers from Google’s Threat Analysis Group (TAG) this week released a report on the threat, using hack-for-hire ecosystems in India, Russia, and the United Arab Emirates as examples of the prolific nature of the criminal activity. The TAG researchers identified the services offered by cyber mercenaries as different from that offered by surveillance vendors that sell tools and capabilities for others — such as intelligence agencies and law enforcement — to use.
Broad Range of Targets
“The breadth of targets in hack-for-hire campaigns stands in contrast to many government-backed operations, which often have a clearer delineation of mission and targets,” said Shane Huntley, director of Google TAG, in a blog Thursday.
As an example, he pointed to a recent operation that Google observed where an Indian hack-for-hire outfit targeted an IT company in Cyprus, a shopping company in Israel, a financial technology company in the Balkans, and an academic entity in Nigeria. In other campaigns, Google has observed these groups targeting human rights advocates, journalists, and political activists.
“They also conduct corporate espionage, handily obscuring their clients’ role,” Huntley wrote.
Google’s report on hack-for-hire activity coincided with a lengthy Reuters investigative report on how parties involved in courtroom litigation have in recent years hired Indian cyber mercenaries to steal information from the other side that would give them an edge in the battle.
Reuters said it was able to identify at least 35 instances going back to 2013, when someone involved in a lawsuit hired Indian hackers to obtain information from the entity they were litigating against. One of them involved a $1.5 billion legal battle between the Nigerian government and the heirs of an Italian businessman over control of an oil company.
In each of these instances, the hackers sent phishing emails to targeted victims with malware for stealing credentials for their email accounts and other data.
Numerous Hacking-for-Hire Victims
Reuters said it identified some 75 US and European companies, three dozen advocacy groups, and numerous business executives in western countries that were the targets of these attacks. In all, over the seven-year period that was the focus of the investigation, Indian hackers sent some 80,000 phishing emails to 13,000 targets across multiple countries.
Among those whose email inboxes the attackers tried to access were at least 1,000 attorneys at 108 law firms, such as Baker McKenzie and Cooley and Cleary Gottlieb in the US and Clyde & Co. and LALIVE in Europe.
Reuters described the report as being based on information from victim interviews, US government officials, lawyers, and court documents from seven countries. Also helping with the investigation was a database of those tens of thousands of emails sent by the Indian hackers that Reuters said it received from two email providers.
“The database is effectively the hackers’ hit list, and it reveals a down-to-the-second look at who the cyber mercenaries sent phishing emails to between 2013 and 2020,” the Reuters story stated.
Among the Indian entities that Reuters named in its report were Appin, BellTroX, and Cyberoot — all of which shared infrastructure and staff at some point.
Tracking Cyber Campaigns
Google said it also has been tracking Indian hack-for-hire operators, many of which were associated with Appin and BellTroX, since 2012. A lot of the activity has focused on organizations in the government, telecom, and healthcare sectors in the UAE, Saudi Arabia, and Bahrain, according to TAG.
Google’s report also described hack-for-hire operators that TAG researchers have been tracking in Russia and the UAE. One of them is a previously known Russian actor that others have referred to as Void Balaur, which has spied on thousands of individuals and stolen private information about them for sale to various clients.
This is not the first time that security researchers have sounded a warning on hackers-for-hire. Trend Micro, for instance, reported on the Void Balaur threat in November 2021. A year prior, BlackBerry security researchers reported on a hack-for-hire group it had observed called CostaRicto, which targeted victims in multiple countries, many of them in South Asia.
“The hack-for-hire landscape is fluid, both in how the attackers organize themselves and in the wide range of targets they pursue in a single campaign at the behest of disparate clients,” TAG’s Huntley wrote.