The IT security researchers at SentinelLabs have revealed details of an advanced persistent threat (APT) group that’s been hijacking the devices of lawyers, educationists, defenders, journalists, and civil rights activists since 2012.
According to SentinelLabs’ report, the group, dubbed ModifiedElephant, plants ‘incriminating evidence’ on its targets’ devices.
According to researchers, the APT group that evaded detection for a decade has been involved in widespread cyberattacks in India, and the group has persistently targeted high-profile personalities.
Interestingly, the group doesn’t focus on data theft but surveillance. After invading its victim’s device, ModifiedElephant implants files that could be used to prosecute the individual, apart from spying on their activities.
Researchers at SentinelLabs believe that the group’s primary objective is to carry out “long-term surveillance” that usually concludes with the “delivery of evidence.’ This evidence incriminates the victim in specific crimes.
Researchers wrote that there’s an “observable correlation between ModifiedElephant attacks and the arrests of individuals in controversial, politically-charged cases.”
“After careful review of the attackers’ campaigns over the last decade, we have identified hundreds of groups and individuals targeted by ModifiedElephant phishing campaigns. Activists, human rights defenders, journalists, academics, and law professionals in India are those most highly targeted. Notable targets include individuals associated with the Bhima Koregaon case,” SentinelLabs wrote in its report.
SentinelLabs claims that ModifiedElephant APT has targeted hundreds of individuals and groups. Their attack tactics involve spearphishing emails using popular email services providers like Yahoo and Gmail to start the infection chain.
“The spearphishing emails and lure attachments are titled and generally themed around topics relevant to the target, such as activism news and groups, global and local events on climate change, politics, and public service,” researchers noted.
The emails contain documents embedded with DarkComet or NetWire RATs, keyloggers, and an unidentified Android Trojan.
Researchers claim that the malware ModifiedElephant uses is mundane and not as sophisticated as expected, but some of its victims have been targeted with NSO Group’s controversial Pegasus spyware.
One such victim was Rona Wilson, whose phone was infected with the Pegasus spyware, which the government of India purchased in its 2 billion-dollar defense deal with Israel back in 2017. The report also revealed that the activities of the APT group are sharply in line with “Indian state interests.”
According to SentinelLabs, a second entity is rigging the phones of those involved in the Koregaon case. This entity was identified to be SideWinder. Between Feb 2013 and Jan 2014, both SideWinder and ModifiedElephant targeted Rona Wilson.
The victim receives phishing emails from SideWinder, and around the same timeframe, ModifiedElephant also invaded Wilson’s device. Researchers suspect that a single entity hired both the hacker groups or these groups could be connected.
“The relationship between ModifiedElephant and SideWinder is unclear as only the timing and targets of their phishing emails overlap within our dataset. This could suggest that the attackers are being provided with similar tasking by a controlling entity, or that they work in concert somehow.”
Gionee subsidiary implanted malware in over 20 million phones
Hezbollah linked hackers hit companies in global malware attack
$120 charging cable O.MG remotely steals data from Apple devices
“Operation Poisoned News” infecting iPhones with LightSpy spyware
NSO zero-click iMessage exploit hacks iPhone without need to click links
Your email address will not be published.
Super secure VPN
Minimal data logging
Visit IPVanish ‣
HACKREAD is a News Platform that centers on InfoSec, Cyber Crime, Privacy, Surveillance and Hacking News with full-scale reviews on Social Media Platforms & Technology trends. Founded in 2011, HackRead is based in the United Kingdom.
Hackread.com is among the registered trademarks of Gray Dot Media Group Ltd. Company registration number 12903776 in regulation with the United Kingdom Companies House. The registered address is 85 Great Portland Street, London, England, W1W 7LT The display of third-party trademarks and trade names on the site do not necessarily indicate any affiliation or endorsement of Hackread.com. If you click an affiliate link and buy a product or service, we may be paid a fee by that merchant.