In an attempt to plant “incriminating digital evidence,” a previously unknown hacking group has been linked to targeted attacks across India against human rights activists and defenders, academics, and lawyers.
SentinelOne, a cybersecurity firm, ascribed the breaches to a group known as “ModifiedElephant,” an elusive threat actor that has been active since at least 2012 and whose activities are closely aligned with Indian state interests.
“ModifiedElephant uses commercially accessible remote access trojans (RATs) and may have ties to the commercial spying industry,” according to the researchers. “To transmit malware like NetWire, DarkComet, and simple keyloggers, the threat actor leverages spear-phishing using infected documents.”
ModifiedElephant’s main purpose is to enable long-term surveillance of targeted individuals, eventually leading to the planting of “evidence” on the victims’ compromised systems in order to frame and imprison vulnerable opponents.
Individuals linked to the 2018 Bhima Koregaon incident in the Indian state of Maharashtra are among the notable targets, according to SentinelOne researchers Tom Hegel and Juan Andres Guerrero-Saade.
The attack chains involve infecting targets — some of whom are infected multiple times in a single day — with spear-phishing emails containing malicious Microsoft Office document attachments or links to externally hosted files that are weaponized with malware capable of taking control of victim machines.
“The phishing emails use a variety of techniques to appear legitimate,” the researchers stated. “This includes sending fake body content with a forwarding history containing long lists of recipients, original email recipient lists with many seemingly fake accounts, or simply resending their malware multiple times using new emails or lure documents.”
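The lure traits described above (weaponized Office attachments or links to externally hosted files, and forwarded histories padded with long recipient lists) can be turned into a first-pass triage heuristic for a mail gateway or SOC queue. The Python below is an added example, not SentinelOne's or the article's code; the thresholds, the file-type lists, the regular expressions and the two constructed messages are assumptions made for illustration.

```python
"""Heuristic triage of inbound mail for the ModifiedElephant lure traits
described in the article.  Added example; thresholds and patterns are
assumptions, and both sample messages are constructed for this demo."""
import re
from email import message_from_string
from email.message import Message

# Assumed: attachment types the article's "malicious Microsoft Office document" covers.
OFFICE_EXT = (".doc", ".docx", ".docm", ".xls", ".xlsx", ".xlsm", ".ppt", ".pptx", ".rtf")
# Assumed: links to externally hosted documents or archives in the body.
FILE_LINK_RE = re.compile(r"https?://\S+?\.(?:docx?|docm|xlsx?|xlsm|rar|zip|pdf)\b", re.I)
# Assumed: markers of a pasted forwarding history.
FWD_MARKER_RE = re.compile(r"^(?:-{2,}\s*Forwarded message\s*-{2,}|From:)", re.I | re.M)
ADDR_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
MANY_RECIPIENTS = 10  # assumed threshold for a "long list of recipients"


def _body_text(msg: Message) -> str:
    """Concatenate the text/plain parts that are not attachments."""
    chunks = []
    for part in msg.walk():  # walk() yields the message itself when not multipart
        if part.get_content_type() == "text/plain" and not part.get_filename():
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def _attachment_names(msg: Message) -> list:
    return [p.get_filename() for p in msg.walk() if p.get_filename()]


def triage(raw_message: str) -> dict:
    """Return the lure flags found in one RFC 822 message plus a simple score."""
    msg = message_from_string(raw_message)
    header_rcpts = set()
    for header in ("To", "Cc"):
        header_rcpts.update(a.lower() for a in ADDR_RE.findall(msg.get(header, "")))
    body = _body_text(msg)
    forwarded = bool(FWD_MARKER_RE.search(body))
    body_rcpts = {a.lower() for a in ADDR_RE.findall(body)}
    flags = {
        "office_attachment": any(n.lower().endswith(OFFICE_EXT) for n in _attachment_names(msg)),
        "external_file_link": bool(FILE_LINK_RE.search(body)),
        "forwarded_history": forwarded,
        "long_header_recipient_list": len(header_rcpts) >= MANY_RECIPIENTS,
        "long_body_recipient_list": forwarded and len(body_rcpts) >= MANY_RECIPIENTS,
    }
    flags["score"] = sum(1 for v in flags.values() if v)  # count of true flags
    return flags


# Constructed sample: a lure with a forwarded history, many recipients,
# an external document link and an Office attachment.
LURE = """\
From: "Shared Doc" <sender@example.invalid>
To: target@example.invalid
Subject: Fwd: Fwd: meeting minutes
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Please see attached.

---------- Forwarded message ----------
From: someone@example.invalid
To: a1@example.invalid, a2@example.invalid, a3@example.invalid, a4@example.invalid,
    a5@example.invalid, a6@example.invalid, a7@example.invalid, a8@example.invalid,
    a9@example.invalid, a10@example.invalid, a11@example.invalid
Also at http://files.example.invalid/minutes.docx

--b1
Content-Type: application/octet-stream; name="minutes.docx"
Content-Disposition: attachment; filename="minutes.docx"
Content-Transfer-Encoding: base64

UEsDBA==
--b1--
"""

# Constructed sample: an ordinary one-line message with no lure traits.
BENIGN = """\
From: colleague@example.invalid
To: target@example.invalid
Subject: lunch?
Content-Type: text/plain; charset="utf-8"

Are you free at noon?
"""

if __name__ == "__main__":
    for label, raw in (("lure", LURE), ("benign", BENIGN)):
        print(label, triage(raw))
```

The score is deliberately a plain count of matched traits so that an analyst can see which of the article's described behaviours fired; in production the thresholds would be tuned against the organisation's own mail, and a high score should route the message to sandbox detonation of the attachment rather than act as a verdict on its own.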
An unidentified commodity trojan targeting Android, which allows attackers to intercept and handle SMS and call data, wipe or unlock the device, perform network requests, and remotely administer affected devices, is also delivered via the phishing emails. SentinelOne describes it as an “excellent low-cost mobile surveillance toolbox.”
“Due to their narrow scope of operations, the humdrum nature of their tools, and their regionally focused targeting, this actor has operated for years, eluding study attention and identification,” the researchers said.