And not in a good way.
From Reuters, November 16:
Appin was a leading Indian cyberespionage firm that few people even knew existed. A Reuters investigation found that the company grew from an educational startup to a hack-for-hire powerhouse that stole secrets from executives, politicians, military officials and wealthy elites around the globe. Appin alumni went on to form other firms that are still active.
Chuck Randall was on the verge of unveiling an ambitious real estate deal he hoped would give his small Native American tribe a bigger cut of a potentially lucrative casino project.
A well-timed leak derailed it all.
In July of 2012, printed excerpts from Randall’s private emails were hand-distributed across the Shinnecock Nation’s square-mile reservation, a wooded peninsula hanging off the South Fork of Long Island.
The five-page pamphlets detailed secret negotiations between Randall, his tribal government allies and outside investors to wrest some of the profits from the tribe’s then-partner in the gambling deal.
They sparked an uproar. The pamphlets claimed Randall’s plan would sell out the tribe’s “LANDS, RESOURCES, and FUTURE REVENUES.” Within days, four of Randall’s allies were voted out of tribal government. Randall, who held no formal position with the tribe, was ordered to cease acting on its behalf.
Amid the upheaval, the Shinnecocks’ casino hopes faded. “We lost the biggest economic opportunity that has come to the tribe in forever,” Randall told Reuters. “My emails were weaponized.”
The scandal that roiled the Shinnecocks barely registered beyond the reservation. But it was part of a phenomenon that has drawn interest from law enforcement and intelligence agencies on both sides of the Atlantic.
Randall’s inbox was breached by a New Delhi-based information technology firm named Appin, whose sudden interference in the matters of a faraway tribe was part of a sprawling cyber-mercenary operation that extended across the world, a Reuters investigation found.
The Indian company hacked on an industrial scale, stealing data from political leaders, international executives, prominent attorneys and more. By the time of the Shinnecock scandal, Appin was a premier provider of cyberespionage services for private investigators working on behalf of big business, law firms and wealthy clients.
Unauthorized access to computer systems is a crime worldwide, including in India. Yet at least 17 pitch documents prepared for prospective business partners and reviewed by Reuters advertised Appin’s prowess in activities such as “cyber spying,” “email monitoring,” “cyber warfare” and “social engineering,” security lingo for manipulating people into revealing sensitive information. In one 2010 presentation, the company explicitly bragged about hacking businessmen on behalf of corporate clients.
Reuters previously named Appin in a story about Indian cyber mercenaries published last year. Other media outlets – including The New Yorker, Paris-based Intelligence Online, Swiss investigative program Rundschau and tech companies such as Alphabet-owned Google– have also reported on the firm’s activities.
This report paints the clearest picture yet of how Appin operated, detailing the world-spanning extent of its business, and international law enforcement’s abortive efforts to get a handle on it.
Run by a pair of brothers, Rajat and Anuj Khare, the company began as a small Indian educational startup. It went on to train a generation of spies for hire that are still in business today.
Several cyber defense training organizations in India carry the Appin name, the legacy of an old franchise model. But there’s no suggestion that those firms are involved in hacking.
The Indian company hacked on an industrial scale, stealing data from political leaders, international executives, sports figures and more.
Rajat Khare’s U.S. representative, the law firm Clare Locke, rejected any association between its client and the cyber-mercenary business. It said Khare “has never operated or supported, and certainly did not create, any illegal ‘hack for hire’ industry in India or anywhere else.”
In a series of letters sent to Reuters over the past year, Clare Locke said that “Mr. Khare has dedicated much of his career to the fields of information technology security – that is, cyber-defense and the prevention of illicit hacking.”
Clare Locke said that, under Khare’s tenure, Appin specialized in training thousands of students in cybersecurity, robotics and artificial intelligence, “never in illicit hacking.” The lawyers said Khare left Appin, in part, because rogue actors were operating under the company’s brand, and he wanted “to avoid the appearance of associations with people who were misusing the Appin name.”
The lawyers described media articles tying Khare to hacking as “false” or “fundamentally flawed.” As for the 2010 Appin presentation boasting of hacking services, they said Khare had never seen it before. “The document is a forgery or was doctored,” they said.
Clare Locke added that Khare could not be held responsible for Appin employees who went on to work as mercenary hackers, saying that doing so “would be akin to holding Harvard University responsible for the terrorist bombings carried out by its former student Ted Kaczynski,” referring to the former math prodigy known as the “Unabomber.”
A lawyer acting for Rajat’s brother, Anuj, said his client’s position was the same as the one laid out by Clare Locke.
This report on Appin draws on thousands of company emails as well as financial records, presentations, photos and instant messages from the firm. Reporters also reviewed case files from American, Norwegian, Dominican and Swiss law enforcement, and interviewed dozens of former Appin employees and hundreds of victims of India-based hackers. Reuters gathered the material – which spans 2005 until earlier this year – from ex-employees, clients and security professionals who’ve studied the company....
....MUCH MORE