Cybercriminals hijack civil rights activists’ devices and plant “incriminating evidence” in covert cyberattacks, researchers warn.
According to SentinelLabs, an Advanced Persistent Threat (APT) group dubbed ModifiedElephant has been responsible for widespread attacks targeting human rights activists and defenders, academics, journalists and lawyers across India.
The APT is believed to have been in operation since at least 2012, and over the past decade, ModifiedElephant has continuously and consistently targeted specific, high-level people of interest.
However, rather than focusing on data theft, the APT’s activities are far more sinister: once inside a victim’s machine, the group performs surveillance and can plant incriminating files that are later used to prosecute the individual.
“ModifiedElephant’s goal is long-term surveillance that sometimes ends with the handing over of ‘evidence’ – records that incriminate the target in specific crimes – prior to suitably coordinated arrests,” the researchers explain.
SentinelLabs has identified “hundreds of groups and individuals” targeted by the APT.
ModifiedElephant starts an infection chain with spear-phishing emails. These emails contain documents loaded with malware, including NetWire and DarkComet Remote Access Trojans (RATs), as well as keyloggers and an Android Trojan.
SentinelLabs has linked previously unattributed attacks to the group and says that while ModifiedElephant has operated under the radar for so long, there is an “observable correlation between ModifiedElephant attacks and the arrests of individuals in controversial and politically charged cases.”
While the malware used by the threat actor is considered “mundane” and not particularly sophisticated, a number of the APT’s victims have also been targeted by NSO Group’s Pegasus surveillance software, which was the subject of an explosive investigation by Amnesty International, Forbidden Stories and various media outlets in 2021.
Although the attribution is not concrete, the team says that ModifiedElephant’s activity “strongly aligns with the interests of the Indian state”.
“Many questions remain about this threat actor and its operations; however, one thing is clear: critics of authoritarian governments around the world must carefully understand the technical capabilities of those who would seek to silence them,” SentinelLabs warned. “A threat actor willing to frame and incarcerate vulnerable opponents is a hugely underappreciated dimension of the cyber threat landscape that raises uncomfortable questions about the integrity of devices presented as evidence.”