A recently published deck (PDF) by Abu Dhabi-based DarkMatter’s Taha Karim draws an interesting conclusion: that an Indian cybersecurity group called Appin, active a few years ago, was either targeted by an advanced APT group (and its tools stolen), or its tools stolen by a rogue employee, or that its tools were sold to a third party. The reason: Karim found evidence of Appin’s tools and infrastructure in covert hacks into governments by a group with overlaps to several existing APT actors, some with links to Russia.
The groups that Karim’s report finds overlaps with (either modus operandi, infrastructure, similarities in coding practice etc) are:
- Bahamut: Discovered by Bellingcat, they also have a Middle East focus, but possibly also Asian and Russian angles.
- Fancy Bear: AKA APT28 and Sofacy, believed to be Russian state sponsored.
- Carbanak: APT-style bank-targetting group, with targets mainly in Russia.
- DarkHotel: Another APT, so called because it lurked in hotel WiFi networks.
- Morpho AKA Wild Neutron: first spotted in 2013, an APT aimed at technology and pharma companies.
The possible connection with Appin is in a likely rewrite of surveillance malware called Hack Back aka KitM OSX: DarkMatter found the exact helper function re-used, the same C&C servers and some other similarities.
DarkMatter calls the APT it has discovered Windshift and says it is currently targeting government using Appin tools. It does not attempt to offer attribution, says it’s been operating since at least January 2017, goes after specific individuals (judging from the screenshots, Gulf states) using “versatile, sophisticated and unpredictable” spearphish, and is still active.
Appin was an Indian cybersecurity company blamed in some accounts for cyberespionage attacks back in 2013. The company fiercely denied the reports. Not much has been heard of the company since though reports of its tools appearing elsewhere have surfaced from time to time. Last Year a company called Cymmetria believed it saw a connection with Appin in an attack it called Patchwork that was aimed at South Asian and Southeast Asian targets, and appeared to be ‘pro-Indian’:
Carefully, we feel obligated to note that further evidence suggests potential links between this threat actor and the operations known as Hangover/Appin, but this possible link is still being researched and is far from conclusive.
Appin has been out of the public eye for a few years now, but its CEO, Rajat Khare has recently resurfaced as an investor, via his Boundary Holding company, in a Singapore video analytics startup called XRVision.