According to SentinelOne, a cyber security platform based in the US, hackers have been using a tool to plant fabricated digital evidence on target devices. Among the victims of this attack are human rights activists, journalists, academics, and lawyers in India, including Rona Wilson, an activist charged in the Bhima Koregaon case.
According to the report, co-authored by cyber security experts Tom Hegel and Juan Andres Guerrero-Saade, the network has been active since at least 2012 and has repeatedly targeted individuals in India. According to the researchers, the malware, dubbed ‘ModifiedElephant’, is not as sophisticated as NSO Group’s Pegasus spyware. The capability to install fabricated evidence on victims’ devices, however, has far-reaching consequences. ‘We observe that ModifiedElephant activity aligns sharply with Indian state interests and that there is an observable correlation between ModifiedElephant attacks and the arrests of individuals in controversial, politically-charged cases’, the researchers observed in a post.
The attackers used malicious attachments disguised as Microsoft Office documents to carry out these attacks. The files were weaponized to deliver malware that changed over time and from target to target. The phishing emails were themed around topics relevant to the intended recipient and were designed to lure them into opening the attachment.
Similar tactics were previously employed in Turkey, where incriminating evidence was ‘planted’ on the devices of journalists to justify their arrests by the Turkish National Police. According to the research, the attackers used publicly available malware to accomplish their goals. ‘Heavy reliance on commercially produced malware […]ire and DarkComet RATs. They also attempted to deliver keyloggers and Android trojans’. Early efforts, around 2012, included keyloggers and DarkComet RATs, Tom Hegel, one of the authors of the research, posted on Twitter.
Nonetheless, he points out that the attackers may have gained access to a new set of resources around 2014/2015, as ‘the quality and persistence of their campaigns increased’. Researchers began their investigation based on the findings of an earlier investigation by another US-based digital forensics consultant, Arsenal Consulting.
Several other types of spy software, including Pegasus, have been used against the individuals targeted by this attack. The research notes similarities between the interests of Indian law enforcement agencies and those of the attackers, but it does not attribute the activity to any one group. According to the researchers, they have significant evidence on the attackers’ activities over the past decade as well as on the individuals they have targeted.
‘Our profile of ModifiedElephant has taken a look at a small subset of the total list of potential targets, the attackers’ techniques, and a rare glimpse into their objectives’, the security experts noted. SentinelOne is a cybersecurity company based in California founded in 2013.