A previously unknown hacking organization has been involved in targeted attacks on human rights activists and human rights defenders across India. This was done to create “incriminating” digital evidence. “
Cybersecurity firm SentinelOne attributed the intrusions to a group it tracks as “ModifiedElephant,” an elusive threat actor that’s been operational since at least 2012, whose activity aligns sharply with Indian state interests.
“ModifiedElephant operates through the use of commercially available remote access trojans (RATs) and has potential ties to the commercial surveillance industry,” the researchers said. “The threat actor uses spear-phishing with malicious documents to deliver malware, such as NetWire, DarkComet, and simple keyloggers. “
The primary goal of ModifiedElephant is to facilitate long-term surveillance of targeted individuals, ultimately leading to the delivery of “evidence” on the victims’ compromised systems with the goal of framing and incarcerating vulnerable opponents.
Notable targets include individuals associated with the 2018 Bhima Koregaon violence in the Indian state of Maharashtra, SentinelOne researchers Tom Hegel and Juan Andres Guerrero-Saade said in a report.
The attack chains involve infecting the targets — some of them multiple times in a single day — using spear-phishing emails themed around topics related to activism, climate change, and politics, and containing malicious Microsoft Office document attachments or links to files hosted externally that are weaponized with malware capable of taking control of victim machines.
“The phishing emails take many approaches to gain the appearance of legitimacy,” the researchers said. “This includes fake body content with a forwarding history containing long lists of recipients, original email recipient lists with many seemingly fake accounts, or simply resending their malware multiple times using new emails or lure documents. “
This unidentified trojan, which is distributed via phishing email, allows attackers to remotely manage infected Android devices, such as stealing and managing SMS, call data and wipe them out. SentinelOne described it as an ideal low-cost mobile surveillance device. “
” This actor operated for many years and evaded research attention and detection because of their limited scope, mundane nature of tools and regionally-specific targeting,” researchers stated.