As technology becomes more integrated with everyday life, global cybercrime is also increasing. Chinese hackers with suspected state ties breached the All India Institute of Medical Sciences servers in 2022. Similarly, an Indonesian group known as “Hacktivist Indonesia” attacked over 12,000 Indian government websites. In addition to large-scale attacks by established hacking operations and state-sponsored cybercriminals, low-level cyberattacks on businesses and individuals have also increased in 2023. The world’s governments are looking to bilateral and multilateral organisations to establish a playbook for responding to threats in cyberspace, and India has created a number of cybersecurity cooperation agreements to keep up.
Unfortunately, India’s reputation as a hotspot of the hack-for-hire industry could jeopardise its role as an upcoming leader in global cybersecurity. “Hack-for-hire” refers to groups or individuals who sell unlawful computer access services, often to wealthy foreign clients. The Citizen Lab at the University of Toronto recently thrust the Indian hack-for-hire industry into the spotlight with a 2020 report that exposed the hacking group Dark Basin. This group targeted non-profit organisations based in the United States (US) that spoke out against the oil and gas conglomerate ExxonMobil. In the report, Citizen Lab was able to link the Dark Basin hacks to BellTroX, a hack-for-hire firm in India. Following the report, Reuters identified additional victims across France, South Africa, and Mexico. As India pursues international partnerships with an eye on cybersecurity, its domestic hack-for-hire problem could prove to be a liability.
Staying ahead of cyber threats
India’s cybersecurity efforts start with its national cybersecurity strategy. The updated National Cyber Security Strategy will soon replace the previous 2013 guidelines to ensure that India stays up-to-date in the changing landscape of cybersecurity. The new strategy will be built on the principle of common but differentiated responsibility (CBDR), meaning that in addition to the government, internet actors like businesses and universities are also responsible for keeping Indian cyberspace secure. CBDR recognises that cybersecurity is an interconnected issue and engages all parties to protect critical infrastructure like telecommunications, transportation, healthcare, and financial services.
India is also party to numerous international cybersecurity partnerships. In addition to multilateral partnerships like the International Multilateral Partnership Against Cyber Threats (IMPACT) and the Quadrilateral Security Dialogue—a grouping comprising Australia, Japan, India and the US—India has also entered into a number of bilateral partnerships with nations including Israel, Egypt, and Maldives. India is widely seen as a valuable partner on cybersecurity issues because of its highly developed information technology (IT) industry and government investment in digitalisation; however, these factors have also created conditions for the hack-for-hire industry to thrive. If the domestic hack-for-hire industry continues to go unaddressed, partners may begin to question India’s commitment to cybersecurity principles.
Lack of enforcement
A lack of consequences for hackers who contract themselves out to foreign clients has only encouraged the hack-for-hire industry in India. US prosecutors indicted Sumit Gupta, the Director of Indian hacking firm BellTroX, in 2015 for hacking on behalf of two American lawyers, yet the Indian government never took action against him. After he was not convicted in 2015, BellTroX went on to commit the Dark Basin hacks in 2020. BellTroX also surfaced as part of a criminal case against an Israeli private detective who hired Indian hacking firms on behalf of unnamed clients in Israel, Europe, and the US. The private detective pleaded guilty in 2022, but the hackers in India have yet to face any legal consequences.
This lack of enforcement is not because India does not have the legal infrastructure to prosecute cybercrimes; the Information Technology Act of 2000 and its subsequent amendments in 2008 specifically criminalise unauthorised computer usage and identity theft through electronic means, along with other cybercrimes. Although cyberspace is a relatively new domain, failure to adapt new strategies for fighting digital crime is also not the reason for India’s reluctance to crack down on hack-for-hire operations. The Indian government has greatly improved its policing of cybercrimes in recent years, including combating online financial fraud through Operation Chakra, an initiative which aligns Indian, Australian, and American law enforcement agencies. Given the demonstrated ability to combat cybercrime, even transnational cybercrime, the lack of policing in the hack-for-hire sector appears to be a question of political will. If India fully realises the threat that the hack-for-hire sector poses for its international partnerships, it has the cybersecurity resources to resolve this issue and reinforce its position on the world stage.
International reactions
While major partners have yet to express concern for India’s domestic hack-for-hire players, there are signs of tension. When a reporter with the New Yorker reached out, one US Department of Justice (DOJ) official declined to comment but forwarded the reporter a section from the DOJ’s 2022 Comprehensive Cyber Review titled “Foreign Governments Providing Safe Haven to Hackers”. This section includes footnotes that indicate that it mainly refers to countries like China and Russia, which are known to sponsor political cyberattacks, so its use in this context may indicate that the US views the continued existence of hack-for-hire groups in India to be more than just a government oversight. If not reined in, the hacking industry could impact India’s cybersecurity strategy, and therefore its national security strategy as a whole.
Fostering cohesion
The long-term benefits of strengthening global cybersecurity partnerships far outweigh any benefits gained from allowing the domestic hack-for-hire industry to go unchecked. In the wake of cyberattacks linked to China and Russia, the Indian government should turn to allies to combat the rising cybersecurity threat. Failing to address its own hotbed of domestic cybercrime threatens its relationships with other countries, especially given that these groups target foreign nationals. Efforts like Operation Chakra provide a collaborative approach that will help India combat domestic cybercrime. India can build on these existing initiatives with Australia and the US that have previously been limited to financial fraud and take advantage of this cooperation to bring hack-for-hire firms to justice. Such efforts would encourage future relationships by showing global partners that India is serious about cybersecurity, both domestically and abroad.
Jenna Stephenson is an intern with the Geoeconomics Programme at the Observer Research Foundation
The views expressed above belong to the author(s).