For the past decade, unidentified miscreants have been planting incriminating evidence on the devices of human-rights advocates, lawyers, and academics in India seemingly to get them arrested.
That’s according to SentinelOne, which has named the crew ModifiedElephant and described the group’s techniques and targets since 2012 in a report published on Wednesday.
“The objective of ModifiedElephant is long-term surveillance that at times concludes with the delivery of ‘evidence’ – files that incriminate the target in specific crimes – prior to conveniently coordinated arrests,” said Tom Hegel, threat researcher at SentinelOne, in a blog post.
Hegel said the group has operated for years without attracting the attention of the cybersecurity community because of its limited scope of operations, its regionally-specific targeting, and its relatively unsophisticated tools.
ModifiedElephant prefers phishing with malicious Microsoft Office attachments to attack targets and infect them with Windows malware.
In 2013, its messages relied on executable file attachments with deceptive double extensions in the file name (eg filename.pdf.exe). After 2015, the group used .rar and password-protected .rar files. In 2019, its attack vector involved links to hosted malicious files, and the group is also said to have employed large .rar archives to avoid detection.
The gang was also observed throwing Android malware at victims.
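The delivery tactics listed above (double-extension executables, password-protected .rar files, oversized archives) are all visible in attachment metadata before anything is opened. The following triage routine is an added example written for this article, not code from SentinelOne or its report; the attachment records, the extension lists and the 100 MB size threshold are constructed assumptions that a mail gateway operator would tune to their own environment.

```python
import re

# Constructed sample attachment metadata (not from the report): each record is
# (filename, size_in_bytes, archive_is_password_protected)
SAMPLE_ATTACHMENTS = [
    ("quarterly_report.pdf.exe", 412_000, False),      # deceptive double extension
    ("evidence.pdf          .exe", 300_000, False),    # same trick padded with spaces
    ("invoice.docx", 48_000, False),                   # ordinary Office attachment
    ("case_files.rar", 2_100_000, True),               # password-protected archive
    ("archive_backup.rar", 180_000_000, False),        # oversized archive
    ("notes.txt", 1_200, False),
]

# Assumed extension classes; extend to match the mail gateway's policy.
EXECUTABLE_EXTENSIONS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs"}
DOCUMENT_EXTENSIONS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx",
                       "txt", "jpg", "png"}
ARCHIVE_EXTENSIONS = {"rar", "zip", "7z"}
LARGE_ARCHIVE_BYTES = 100 * 1024 * 1024  # assumed threshold for "large" archives


def classify_attachment(filename, size, password_protected):
    """Return the list of reasons an attachment matches the tactics described.

    An empty list means nothing in the metadata stood out. Only names and
    sizes are inspected; archive contents are deliberately not opened here.
    """
    reasons = []
    # Split on dots and strip whitespace so "report.pdf      .exe" is treated
    # like "report.pdf.exe" (padding hides the real extension in narrow columns).
    parts = [p.strip() for p in filename.lower().split(".")]
    ext = parts[-1] if len(parts) > 1 else ""

    if ext in EXECUTABLE_EXTENSIONS:
        # A document-like extension directly before an executable one is the
        # double-extension lure; a bare executable is still worth flagging.
        if len(parts) >= 3 and parts[-2] in DOCUMENT_EXTENSIONS:
            reasons.append("double-extension executable")
        else:
            reasons.append("executable attachment")

    if ext in ARCHIVE_EXTENSIONS:
        if password_protected:
            # Password protection defeats gateway content scanning.
            reasons.append("password-protected archive")
        if size >= LARGE_ARCHIVE_BYTES:
            # Very large archives may exceed scanner size limits and be skipped.
            reasons.append("oversized archive")

    return reasons


def triage(attachments):
    """Map each suspicious filename to its reasons; clean attachments are omitted."""
    flagged = {}
    for name, size, pw in attachments:
        reasons = classify_attachment(name, size, pw)
        if reasons:
            flagged[name] = reasons
    return flagged


if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_ATTACHMENTS).items():
        print(f"{name!r}: {', '.join(reasons)}")
```

Routing flagged messages to quarantine or manual review, rather than silently dropping them, matters for the targets described here: a defender wants a record of who was sent what, and when.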
“There’s something to be said about how mundane the mechanisms of this operation are,” said Juan Andrés Guerrero-Saade, threat researcher at SentinelOne and adjunct professor at Johns Hopkins SAIS, via Twitter. “The malware is either custom garbage or commodity garbage. There’s nothing technically impressive about this threat actor, instead we marvel at their audacity.”
SentinelOne does not explicitly state that ModifiedElephant acts on behalf of the Indian government but notes how the group’s activities are consistent with the government’s interests.
“We observe that ModifiedElephant activity aligns sharply with Indian state interests and that there is an observable correlation between ModifiedElephant attacks and the arrests of individuals in controversial, politically-charged cases,” wrote Hegel.
According to the report, ModifiedElephant’s web infrastructure overlaps with Operation Hangover, a surveillance effort dating back to 2013 against targets of interest to Indian national security. The security firm also said that Wilson had been targeted by a second threat group, known as SideWinder [PDF], which has attacked government, military, and private sector organizations across Asia.
Hegel observes that SentinelOne last year reported on a threat actor operating in and around Turkey, dubbed EGoManiac, that planted incriminating evidence on the devices of journalists to support arrests made by the Turkish National Police.