印度黑客组织在过去10年中瞄准美国、中国等国家

An Indian hack-for-hire group targeted the U.S., China, Myanmar, Pakistan, Kuwait, and other countries as part of a wide-ranging espionage, surveillance, and disruptive operation for over a decade.

一个印度雇佣黑客团队针对美国、中国、缅甸、巴基斯坦、科威特和其他国家进行了为期十年的广泛间谍、监视和破坏行动。

The Appin Software Security (aka Appin Security Group), according to an in-depth analysis from SentinelOne, began as an educational startup offering offensive security training programs, while carrying out covert hacking operations since at least 2009.

根据 SentinelOne 的深入分析，Appin 软件安全（又称 Appin 安全集团）始于一个提供攻击性安全培训计划的教育初创公司，自 2009 年以来一直在进行秘密黑客行动。

In May 2013, ESET disclosed a set of cyber attacks targeting Pakistan with information-stealing malware. While the activity was attributed to a cluster tracked as Hangover (aka Patchwork or Zinc Emerson), evidence shows that the infrastructure is owned and controlled by Appin.

2013 年 5 月，ESET 披露了一系列针对巴基斯坦的网络攻击，使用盗取信息的恶意软件。虽然这些活动被归因于一个名为 Hangover 的集群（又称 Patchwork 或 Zinc Emerson），但证据显示其基础设施由 Appin 拥有和控制。

"The group has conducted hacking operations against high value individuals, governmental organizations, and other businesses involved in specific legal disputes," SentinelOne security Tom Hegel said in a comprehensive analysis published last week.

"该组织已对高价值个人、政府组织和其他涉及特定法律纠纷的企业进行黑客行动，" SentinelOne 安全研究员汤姆·海格尔在上周发表的一篇全面分析中说。

"Appin's hacking operations and overall organization appear at many times informal, clumsy, and technically crude; however, their operations proved highly successful for their customers, impacting world affairs with significant success."

"尽管 Appin 的黑客行动和整体组织在许多时候显得不正式、笨拙和技术上粗糙，但它们的操作对其客户来说非常成功，对世界事务产生了重大影响。"

The findings are based on non-public data obtained by Reuters, which called out Appin for orchestrating data theft attacks on an industrial scale against political leaders, international executives, sports figures, and others. The company, in response, has dismissed its connection with the hack-for-hire business.

这些发现基于路透社获取的非公开数据，该数据揭露了 Appin 对政治领袖、国际高管、体育界人士和其他人进行了工业规模的数据窃取攻击。该公司对此表示否认，称其与雇佣黑客业务无关。

One of the core services offered by Appin was a tool "MyCommando" (aka GoldenEye or Commando) that allowed its customers to log in to view and download campaign-specific data and status updates, communicate securely, and choose from various task options that range from open-source research to social engineering to a trojan campaign.

Appin 提供的核心服务之一是一个名为“我的突击队”（又称 GoldenEye 或 Commando）的工具，该工具允许客户登录查看和下载特定活动数据和状态更新，安全通信，并可从各种任务选项中选择，涵盖从开源研究到社交工程到特洛伊木马活动。

The targeting of China and Pakistan is confirmation that an Indian-origin mercenary group has been roped in to conduct state-sponsored attacks. Appin has also been identified as behind the macOS spyware known as KitM in 2013.

针对中国和巴基斯坦的攻击证实了一个印度起源的雇佣军团队被拉入进行国家支持的攻击。Appin 还被确认是 2013 年 macOS 间谍软件 KitM 的幕后策划者。

What's more, SentinelOne said it also identified instances of domestic targeting with the goal of stealing login credentials of email accounts belonging to Sikhs in India and the U.S.

此外，SentinelOne 还认为，其还发现了国内定向攻击的例子，目的是窃取属于印度和美国锡克教徒的电子邮件帐户的登录凭据。

"In an unrelated campaign, the group also used the domain speedaccelator[.]com for an FTP server, hosting malware used in their malicious phishing emails, one of which was used on an Indian individual later targeted by the ModifiedElephant APT," Hegel noted. It's worth noting that Patchwork's links to ModifiedElephant were previously identified by Secureworks.

"在另一个无关的行动中，该组织还使用了域名 speedaccelator[.]com 作为 FTP 服务器，托管了用于恶意钓鱼邮件中的恶意软件，其中之一后来被 ModifiedElephant APT 攻击了印度个人。"

Besides leveraging a large infrastructure sourced from a third-party for data exfiltration, command-and-control (C2), phishing, and setting up decoy sites, the shadowy private-sector offensive actor (PSOA) is said to have relied on private spyware and exploit services provided by private vendors like Vervata, Vupen, and Core Security.

除了利用来自第三方的大型基础设施进行数据窃取、命令和控制 (C2)、钓鱼和设置幌子网站之外，这个阴暗的私营部门进攻性行动者（PSOA）据说还依赖于由 Vervata、Vupen 和 Core Security 等私营供应商提供的私人间谍软件和利用服务。

In another noteworthy tactic, Appin is said to have leveraged a California-based freelancing platform referred to as Elance (now called Upwork) to purchase malware from external software developers, while also using its in-house employees to develop a custom collection of hacking tools.

另一个值得注意的战术是，Appin 据说利用了一个名为 Elance（现在称为 Upwork）的加利福尼亚自由职业平台，以从外部软件开发人员那里购买恶意软件，同时还利用其内部员工开发了一套自定义的黑客工具。

"The research findings underscore the group's remarkable tenacity and a proven track record of successfully executing attacks on behalf of a diverse clientele," Hegel said.

Hegel 表示，这些研究结果突显了该组织的不屈不挠精神和成功执行多样化客户攻击的记录。

The development comes as Aviram Azari, an Israeli private investigator, was sentenced in the U.S. to nearly seven years in federal prison on charges of computer intrusion, wire fraud, and aggravated identity theft in connection with a global hack-for-hire scheme between November 2014 to September 2019. Azari was arrested in September 2019.

这一发展发生在以色列私人调查员 Aviram Azari 在美国因计算机侵入、电信诈骗和侵犯个人信息的罪名被判处将近七年联邦监狱之际，这一全球雇佣黑客计划涉及 2014 年 11 月至 2019 年 9 月。Azari 于 2019 年 9 月被逮捕。

"Azari owned and operated an Israeli intelligence firm," the Department of Justice (DoJ) said last week. "Clients hired Azari to manage 'Projects' that were described as intelligence gathering efforts but were, in fact, hacking campaigns specifically targeting certain groups of victims."

"DoJ 上周表示，Azari 拥有并经营以色列情报公司，客户雇用 Azari 管理所谓的 '项目'，这些项目被描述为情报收集努力，但实际上是有目的地定位某些受害者群体的黑客活动。"

Aviram has also been accused of using mercenary hackers in India, a company called BellTroX Infotech (aka Amanda or Dark Basin), to help clients gain an advantage in court battles via spear-phishing attacks and ultimately gain access to victims' accounts and steal information.

Aviram 还被指控在印度使用雇佣黑客团队，一个名为 BellTroX Infotech 的公司（又称 Amanda 或 Dark Basin），通过针对某些受害者的授钓鱼和最终获取受害者帐户并窃取信息，来帮助客户在法庭斗争中获得优势。

BellTrox was founded by Sumit Gupta in May 2013. Reuters disclosed in June 2022 that prior to launching the company, Gupta had worked for Appin.

BellTrox 由 Sumit Gupta 在 2013 年 5 月创立。路透社在 2022 年 6 月曝光，在创立该公司之前，Gupta 曾在 Appin 工作。

原文始发于微信公众号（知机安全）：印度黑客组织在过去10年中瞄准美国、中国等国家