Since 2012, a group of cybercriminals has been planting incriminating evidence on the devices of human rights activists, lawyers and journalists in India in order to bring about their arrest by the authorities, as the American cybersecurity company SentinelOne has now discovered and revealed.
According to one of its researchers, Tom Hegel, writing on the company's blog, its objective is
“It is long-term surveillance that sometimes ends with the release of ‘evidence’ (files incriminating the target for certain crimes) just before properly coordinated arrests are made.”
The company has named the group ‘ModifiedElephant’ and attributes to it “a decade of persistent malicious activity” that was directed not indiscriminately or at scale, but against specific individuals.
Apparently, ModifiedElephant has been able to operate for years without attracting the attention of the cybersecurity community because of the limited scope of its operations, its exclusively regional focus and its use of “relatively unsophisticated” tools.
The keylogging tool used was a small piece of software developed in Visual Basic in 2012, available on multiple online ‘warez’ forums.
Another SentinelOne researcher, Juan Andrés Guerrero-Saade (Threat Researcher at SentinelOne and Adjunct Professor at Johns Hopkins University), states on Twitter that if anything stands out from the operations of ModifiedElephant, it is
“How mundane the mechanics of this operation are. […] There is nothing technically impressive about this threat actor, but we still marvel at his audacity.”
They were not super hackers, but they have been involved in highly controversial legal proceedings
These tools were delivered through phishing: emails used to sneak Trojans (such as NetWire and DarkComet) onto the victims' machines. They started by attaching misleading files to their emails (files with a double extension, like filename.pdf.exe), but around 2015 they switched to RAR files and Office documents (ppt, doc, docx) carrying malicious macros.
As of 2020 there is a change of strategy: spreading malware through **large compressed files** (about 300 MB) to bypass the antimalware scans of cloud platforms.
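The delivery traits described above (double-extension names such as filename.pdf.exe, macro-bearing Office documents, and oversized archives aimed at cloud scanners) can be turned into a simple mail-gateway attachment triage check. The following Python is an added example written for this article, not code from SentinelOne or from the article itself; the extension lists, the 200 MB threshold and the sample attachments are assumptions and constructed data.

```python
from typing import Dict, List, Tuple

# Assumed extension lists; tune to the environment's own policy.
EXECUTABLE_EXTS = {"exe", "scr", "com", "bat", "pif", "js", "vbs"}
ARCHIVE_EXTS = {"rar", "zip", "7z"}
OFFICE_EXTS = {"doc", "docx", "docm", "ppt", "pptx", "pptm", "xls", "xlsm"}
# Assumed threshold: archives this large often exceed what cloud scanners inspect.
LARGE_ARCHIVE_BYTES = 200 * 1024 * 1024


def attachment_findings(name: str, size_bytes: int, has_macros: bool = False) -> List[str]:
    """Return the suspicious traits found in one attachment (empty list if none)."""
    findings: List[str] = []
    parts = name.lower().split(".")
    ext = parts[-1] if len(parts) >= 2 else ""

    # "filename.pdf.exe": a decoy extension hiding a real executable extension.
    if len(parts) >= 3 and ext in EXECUTABLE_EXTS:
        findings.append(f"double extension masking executable: .{parts[-2]}.{ext}")
    elif ext in EXECUTABLE_EXTS:
        findings.append("executable attachment")

    # Oversized archive: the 2020-era tactic for slipping past cloud antimalware scans.
    if ext in ARCHIVE_EXTS and size_bytes >= LARGE_ARCHIVE_BYTES:
        findings.append(f"oversized archive ({size_bytes // (1024 * 1024)} MB) may evade cloud scanning")

    # Office document whose macro presence was reported by the parser upstream.
    if ext in OFFICE_EXTS and has_macros:
        findings.append("office document with macros")
    return findings


def triage(attachments: List[Tuple[str, int, bool]]) -> Dict[str, List[str]]:
    """Map each flagged attachment name to its findings; clean attachments are omitted."""
    result: Dict[str, List[str]] = {}
    for name, size_bytes, has_macros in attachments:
        found = attachment_findings(name, size_bytes, has_macros)
        if found:
            result[name] = found
    return result


# Constructed sample attachments modelled on the delivery methods described in the article.
SAMPLES: List[Tuple[str, int, bool]] = [
    ("report.pdf.exe", 120_000, False),          # double extension
    ("meeting_notes.docx", 45_000, True),        # macro-bearing Office document
    ("photos.rar", 300 * 1024 * 1024, False),    # ~300 MB archive
    ("agenda.pdf", 80_000, False),               # benign
]

if __name__ == "__main__":
    for flagged, reasons in triage(SAMPLES).items():
        print(flagged, "->", "; ".join(reasons))
```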
Once their targets were infected, members of ModifiedElephant could open and use remote access to the victims' systems, or monitor them using keyloggers (programs that remain in memory recording keystrokes).
A year ago, an American digital forensics firm, Arsenal Consulting, analyzed the involvement of activist Rona Wilson, charged under the Illegal Activities Prevention Act, in the controversial ‘Bhima Koregaon’ case, concluding that an ‘identified actor’ had compromised his laptop 22 months earlier and had used that access to monitor it and ‘plant’ incriminating documents on it.
“Arsenal has connected that same attacker to a significant malware infrastructure that has been deployed over the course of approximately four years to not only attack and compromise Mr. Wilson’s computer, but also to attack his co-defendants in the Bhima Koregaon case and defendants in other high-profile Indian cases.”
This finding was the origin of the SentinelOne investigation, which has now established that this surveillance and evidence-planting operation had been active for several years longer than Arsenal Consulting had suspected.
They have not been able to determine whether ModifiedElephant is a purely private cybercriminal group or is sponsored by a state actor, but they have found that many of its victims had also been targeted, at the same time, by the Pegasus spyware.