NEWS – “without comment”
A Reuters Special Report
How mercenary hackers sway litigation battles
SPY PHISHING: Hackers based in India attempted to obtain the emails of lawyers and litigants in legal cases across the globe, Reuters found.
A trove of thousands of email records uncovered by Reuters reveals Indian cyber mercenaries hacking parties involved in lawsuits around the world – showing how hired spies have become the secret weapon of litigants seeking an edge.
By RAPHAEL SATTER and CHRISTOPHER BING
Filed June 30, 2022
Bodyguard Carlo Pacileo was under mounting pressure. His boss, a direct sales entrepreneur named Ryan Blair, wanted compromising material against a business rival amid a flurry of lawsuits, Pacileo said. Nothing was turning up.
So he turned to a Silicon Valley detective he knew from his days in Afghanistan with the U.S. mercenary firm Blackwater. Nathan Moser, a former North Carolina sheriff’s deputy, arrived days later at Pacileo’s Hollywood apartment with a duffel bag full of surveillance equipment.
Moser showed Pacileo several gadgets, including Israeli-made listening devices that could be hidden in ceilings or behind television sets. One particular service stood out: Moser said he knew an Indian hacker who could break into emails. “My ears perked up,” Pacileo told Reuters recently. “I didn’t know you could do that type of stuff.”
Moser, who confirmed Pacileo’s account, got the job and a $10,000 per month retainer. He went to work for Blair’s company, diet shake distributor ViSalus, as it filed a series of lawsuits against sellers who had jumped ship to go with a competitor named Ocean Avenue.
Starting around February 2013, the Indian hacker – a young computer security expert named Sumit Gupta – broke into the email accounts of Ocean Avenue executives, sending screenshots and passwords back to his ViSalus handlers on the West Coast.
When Ocean Avenue learned of the spying, it filed a federal lawsuit against ViSalus in Utah alleging extortion, intimidation and hacking. ViSalus initially argued that its competitor had not provided enough evidence to back its claims; it later settled the suit on undisclosed terms.
ViSalus executives did not return messages seeking comment. Messages Reuters sent to Blair, who wasn’t named as a defendant in the suit, were marked as “seen” but went unanswered. He did not respond to certified letters sent to his business and home in Los Angeles.
The settlement didn’t end the matter. The Federal Bureau of Investigation learned of the hacking and, in February 2015, agents raided Pacileo’s and Moser’s homes. Both eventually pleaded guilty to computer crimes connected to the Ocean Avenue intrusions.
The convictions torpedoed Pacileo’s security career and ended Moser’s investigation business.
For Gupta it was just the beginning. Over the next decade, he and a small coterie of Indian colleagues built an underground hacking operation that would become a hub for private investigators, like Moser, who sought an advantage for clients embroiled in lawsuits.
Gupta, also charged with hacking in the California criminal case, was never apprehended by U.S. authorities. Reuters has not been able to reach him since 2020, when he told the news agency that while he did work for private investigators, “I have not done all these attacks.” Recent attempts to speak with or locate him were unsuccessful.
Reuters identified 35 legal cases since 2013 in which Indian hackers attempted to obtain documents from one side or another of a courtroom battle by sending them password-stealing emails.
The messages were often camouflaged as innocuous communications from clients, colleagues, friends or family. They were aimed at giving the hackers access to targets’ inboxes and, ultimately, private or attorney-client privileged information.
PHISHY ‘FRIEND’: A password-stealing email sent by Indian hackers masquerading as Facebook. Identifying details have been blurred. / REUTERS research
At least 75 U.S. and European companies, three dozen advocacy and media groups and numerous Western business executives were the subjects of these hacking attempts, Reuters found.
The Reuters report is based on interviews with victims, researchers, investigators, former U.S. government officials, lawyers and hackers, plus a review of court records from seven countries. It also draws on a unique database of more than 80,000 emails sent by Indian hackers to 13,000 targets over a seven-year period. The database is effectively the hackers’ hit list, and it reveals a down-to-the-second look at who the cyber mercenaries sent phishing emails to between 2013 and 2020.
The data comes from two providers of email services the spies used to execute their espionage campaigns. The providers gave the news agency access to the material after it inquired about the hackers’ use of their services; they offered the sensitive data on condition of anonymity.
Reuters then vetted the authenticity of the email data with six sets of experts. Scylla Intel, a boutique cyber investigations firm, analyzed the emails, as did researchers from British defense contractor BAE, U.S. cybersecurity firm Mandiant, and technology companies Linkedin, Microsoft and Google.
Each firm independently confirmed the database showed Indian hacking-for-hire activity by comparing it against data they had previously gathered about the hackers’ techniques. Three of the teams, at Mandiant, Google and LinkedIn, provided a closer analysis, finding the spying was linked to three Indian companies – one that Gupta founded, one that used to employ him and one he collaborated with.
“We assess with high confidence that this data set represents a good picture of the ongoing operations of Indian hack-for-hire firms,” said Shane Huntley, head of Google’s cyber threat analysis team.
Reuters reached out to every person in the database – sending requests for comment to each email address – and spoke to more than 250 individuals. Most of the respondents said the attempted hacks revealed in the email database occurred either ahead of anticipated lawsuits or as litigation was under way.
The targets’ lawyers were often hit, too. The Indian hackers tried to break into the inboxes of some 1,000 attorneys at 108 different law firms, Reuters found.
Among the law firms targeted were global practices, including U.S.-based Baker McKenzie, Cooley and Cleary Gottlieb. Major European firms, including London’s Clyde & Co. and Geneva-based arbitration specialist LALIVE, were also hit. In 2018, the Indian hackers tried to compromise more than 80 different inboxes at Paris-based Bredin Prat alone.
Cleary declined comment. The five other law firms did not return messages.
“It is an open secret that there are some private investigators who use Indian hacker groups to target opposition in litigation battles,” said Anthony Upward, managing director of Cognition Intelligence, a UK-based countersurveillance firm.
The legal cases identified by Reuters varied in profile and importance. Some involved obscure personal disputes. Others featured multinational companies with fortunes at stake.
From London to Lagos, at least 11 separate groups of victims had their emails leaked publicly or suddenly entered into evidence in the middle of their trials. In several cases, stolen documents shaped the verdict, court records show.
Aspects of Gupta’s operation have been reported on previously by Reuters, other media and cybersecurity researchers. But the breadth of his involvement in legal cases – and the role of a wider network of Indian hackers – are being reported here for the first time.
The FBI has been investigating the Indian hacking spree since at least early 2018 to determine who, beyond Moser, hired Gupta’s crew to go after American targets, according to three people briefed on the matter. The FBI declined to comment.
The email trove provides a startling look at how lawyers and their clients are targeted by cyber mercenaries, but it leaves some questions unanswered. The list doesn’t show who hired the spies, for example, and it wasn’t always clear whether the hacking was successful or, if so, how the stolen information was used.
Still, Google’s Huntley said the attempts to steal privileged information were troubling. “These attacks have real potential to undermine the legal process.”