American cybersecurity company SentinelOne has identified a malicious hacking group that targeted critics of Modi’s government, including Rona Wilson. The digital security startup has found that ModifiedElephant, a hacker group, has targeted human rights activists, academics, and lawyers.
It is likely connected to another older group that has typically targeted India’s adversaries like China and Pakistan with cyber espionage.
California-based Sentinel Labs report claims that the hacker group carried out “long-term surveillance that at times concludes with the delivery of “evidence” — files that incriminate the target in specific crimes — “prior to conveniently coordinated arrests”.
ModifiedElephant
Sentinel Labs have found the digital footprints of ModifiedElephant going back to at least 2012. They are involved in the targeting of “hundreds of individuals and groups”, including Rona Wilson, who has been arrested in the Bhima-Koregaon violence case.
The incident is referred to as ‘one of the most serious cases of evidence tampering’ that the firm had ever seen, states the report.
ModifiedElephant operators have been infecting their targets using spearphishing emails with malicious file attachments over the last decade, with their techniques getting more sophisticated over time.
Spearphishing refers to the practice of sending emails to targets that look like they are coming from a trusted source to either reveal important information or install different kinds of malware on their computer systems.
How ModifiedElephant hacks targets?
ModifiedElephant typically weaponises malicious Microsoft Office files to deliver malware to their targets. According to SentinelOne, the specific method and payload included in the malicious files have changed over the years:
- In mid-2013, the actor(s) used emails containing executable files with fake double extensions (filename.pdf.exe)
- After 2015, the actor(s) moved on to using less obvious files with publicly available exploits, including those with .doc, .pps, .docx and .rar extensions. These attempts involved using legitimate documents in these formats to capture user attention while the malware executes
- In the 2019 spearphishing attacks, operators began emailing links to files hosted externally.
NetWire and DarkComet, two publicly-available remote access trojans (RATs), were the primary malware families deployed by ModifiedElephant, according to SentinelOne.
NetWire is a RAT focused on password stealing, keylogging and remote control capabilities. It has been in use since 2012 and was typically distributed through social engineering campaigns. Its distribution as a second payload using Microsoft Word documents is a fairly recent phenomenon.
DarkComet is another RAT that can take control of a user’s system using a convenient graphical user interface. It was initially developed in 2008 by French infosec programmer Jean-Pierre Lesueur and can be used to spy on victims using screen captures, key-logging, or password stealing.
ModifiedElephant also sent android malware to its victims along with NetWire and DarkComet. This malware is an unidentified commodity trojan delivered as an APK file. The usage indicated that ModifiedElephant was attempting to get full coverage on the target across devices.
SideWinder
“Notably, a separate Indian-nexus threat actor, SideWinder, is placed alongside ModifiedElephant in this graph as they were observed targeting the same individuals,” said the Sentinel Labs analysis.
SideWinder’s involvement in the targeting Indian nationals is particularly unusual since the group has typically been seen hacking those in adversarial nations like China and Pakistan.
SideWinder’s involvement was based on the footprint they left behind on Wilson’s computer and the timing of each time they changed their technical infrastructure, which matched with that of ModifiedElephant.
It is not unusual for offensive cyber groups – technically called advanced persistent threat (APT) actors – to be identified via codenames after analysts pick up their infrastructure and the digital footprints of their methods.
Identification of individuals or agencies is rare, if not nearly unprecedented.
In the case of ModifiedElephant, the infrastructure related to clusters of servers with which the victims’ devices communicated after infection, the email addresses through which they sent our infected documents that would deliver the malware, and the malware itself.
The malware used were customised versions of publicly available code or those that could be brought easily from the Dark Web, the Sentinel One experts said. In other words, these were not sophisticated.
The report adds that the identity of the individuals or agencies involved in the group is not known.
“There’s something to be said about how mundane the mechanisms of this operation are. The malware is either custom garbage or commodity garbage. There’s nothing *technically* impressive about this threat actor, instead, we marvel at their audacity,” said Juan Andres Guerrero-Saade, one of the analysts who prepared the report, in a tweet on Thursday.
Rona Wilson’s legal team has moved court alleging that the evidence that the prosecution has presented against him was planted in his computer after it was hacked, following a report last year by another American cybersecurity company Arsenal Consulting.
The company had analysed a copy of Wilson’s hard drive and found traces of malware that Sentinel One identified as one of the traits of ModifiedElephant.
