A previously unknown hacking group has been carrying out targeted attacks against human rights activists, human rights defenders, academics and lawyers across India in an attempt to plant "incriminating digital evidence".
Cybersecurity firm SentinelOne attributes the intrusions to a group it tracks as "ModifiedElephant", an elusive threat actor that has been active since at least 2012 and whose activities align closely with the interests of the Indian state.
"ModifiedElephant operates through the use of commercially available remote access trojans (RATs) and has potential ties to the commercial surveillance industry," the researchers said. "The threat actor uses spear-phishing with malicious documents to deliver malware, such as NetWire, DarkComet, and simple keyloggers."
The primary goal of ModifiedElephant is to facilitate long-term surveillance of targeted individuals, which ultimately leads to the delivery of "evidence" onto the victim's compromised system with the goal of framing and detaining vulnerable opponents.
Notable targets include individuals involved in the Bhima Koregaon violence in 2018 in the Indian state of Maharashtra, said researchers Tom Hegel and Juan Andres Guerrero-Saade of SentinelOne.
The attack chains involved infecting targets, some of them multiple times a day, using phishing emails built around climate change and political themes and carrying malicious Microsoft Office document attachments or links to externally hosted files, weaponized with malware capable of taking control of the victim's machine.
The phishing emails use many approaches to appear legitimate, the researchers said. "This includes fake body content with a forwarding history containing a long list of recipients, an initial email recipient list with multiple seemingly fake accounts, or simply resending their malware again and again using new emails or enticing materials."
Also distributed via phishing emails is a previously unidentified Android trojan that allows attackers to intercept and manage SMS and call data, wipe or unlock devices, perform network requests and remotely administer infected devices. SentinelOne describes it as an "ideal low-cost mobile surveillance toolkit."
The actor has been active for many years, evading research attention and detection because of its limited scope of activity, the mundane nature of its tools, and its "region-specific" targeting, the researchers said.