Indian Court Orders Reuters To Take Down Investigative Report Regarding A ‘Hack-For-Hire’ Company

Over the years we've written about plenty of cyberespionge" companies. Some engage in spyware or surveillance ware. Others actively hack devices. Almost all of these eventually get exposed through dogged investigative reporting.

A few people reached out to point to this rather concerning Editor's note that was posted to Reuters this week:

Reuters has temporarily removed the article How an Indian startup hacked the world" to comply with a preliminary court order issued on Dec. 4, 2023, in a district court in New Delhi, India.

Reuters stands by its reporting and plans to appeal the decision.

The article, published Nov. 16, 2023, was based on interviews with hundreds of people, thousands of documents, and research from several cybersecurity firms.

The order was issued amid a pending lawsuit brought against Reuters in November 2022. As set forth in its court filings, Reuters disputes those claims.

I had missed the original article, now that the court has forced Reuters to take it down, it seems likely to get much more attention. You can find archives of it in multiple places. Though who knows if those will remain up. You can also find articles building on Reuters' investigative reporting.

The basic summary of the Reuters report is that an Indian firm, Appin Software Security, has been offering what is effectively hack for hire" services for over a decade.

Notably, Reuters reporters handed over the data they found to SentinelOne who did their own analysis of what was found, and it's pretty damning. Notably, the SentinelOne report appears to still be online.

Appin is considered the original hack-for-hire company in India, offering an offensive security training program alongside covert hacking operations since at least 2009. Their past employees have since spread to form newer competitors and partners, evolving the Appin brand to include new names, while some have spread into cybersecurity defense industry vendors. Appin was so prolific that a surprising amount of current Indian APT activity still links back to the original Appin group of companies in one form or another. Campaigns conducted by Appin have revealed a noteworthy customer base of government organizations, and private businesses spread globally.

Our analysis and observations corroborate the June 2022 reporting from Reuters noting some of Appin's customers tied to major litigation battles. The group has conducted hacking operations against high value individuals, governmental organizations, and other businesses involved in specific legal disputes. Appin's hacking operations and overall organization appear at many times informal, clumsy, and technically crude; however, their operations proved highly successful for their customers, impacting world affairs with significant success.

Of course, I might never have heard about this at all if a court in New Delhi hadn't ordered Reuters to delete the story. And it's possible that you wouldn't have heard about it either.

Someone should come up with a name for that sorta situation.

I will note that in the original Reuters article, they note that the company's US legal representatives is the law firm Clare Locke, which we've spoken about before. They're the lawyers who often appear to brag about how their aggressive tactics are known to get stories killed in the media. Their website literally lists all the major media outlets they've gone after in the past.

So I guess it's little surprise that the firm would seek to suppress the story about them.

But the data and the report seen by SentinelOne are pretty damning.

The cybersecurity firm's exhaustive analysis of data that Reuters journalists collected showed near-conclusive links between Appin and numerous data theft incidents. These included theft of email and other data by Appin from Pakistani and Chinese government officials. SentinelOne also found evidence of Appin carrying out defacement attacks on sites associated with the Sikh religious minority community in India and of at least one request to hack into a Gmail account belonging to a Sikh individual suspected of being a terrorist.

The current state of the organization significantly differs from its status a decade ago," says Tom Hegel, principal threat researcher at SentinelLabs. The initial entity, Appin,' featured in our research, no longer exists but can be regarded as the progenitor from which several present-day hack-for-hire enterprises have emerged," he says.

Factors such as rebranding, employee transitions, and the widespread dissemination of skills contribute to Appin being recognized as the pioneering hack-for-hire group in India, he says. Many of the company's former employees have gone on to create similar services that are currently operational.

Reuters' report and SentinelOne's review have cast fresh light on the shadowy world of hack-for-hire services - a market niche that others have highlighted with some concern as well.

And the demand that the Reuters piece get removed only should draw that much attention towards Appin's behavior.