
US firm identifies hacking tool used to plant fabricated digital evidence on devices of activists, journalists in India
India Today
A new report by US-based cyber security platform SentinelOne has identified a hacking tool called ModifiedElephant that has been used to plant fabricated digital evidence on the target’s devices.
Victims of this attack have been identified as India-based human rights activists, journalists, academics, and lawyers, including Rona Wilson—an activist accused in the Bhima Koregaon case.
Co-authored by cyber security experts Tom Hegel and Juan Andres Guerrero-Saade, the report implies that the network has been operational since “at least 2012, and has repeatedly targeted specific individuals” in India. Codenamed ‘ModifiedElephant’ by the researchers, the malware does not match the technical sophistication of NSO group’s Pegasus spyware. However, its ability to plant fabricated evidence on victims’ phones has far-reaching consequences. “We observe that ModifiedElephant activity aligns sharply with Indian state interests and that there is an observable correlation between ModifiedElephant attacks and the arrests of individuals in controversial, politically-charged cases”, researchers observed in a post.
The operators behind these attacks relied on malicious file attachments that looked similar to common Microsoft Office document files. However, those files were weaponised to deliver malware that kept changing over the years and across different targets. The phishing emails were designed to lure the targets and were “themed around topics relevant to the target”.
Earlier, similar tactics were observed in Turkey, where incriminating evidence was planted on the devices of journalists to justify their arrests by the Turkish National Police. The research shows that the attackers used publicly available malware to achieve their objectives.
“Heavy reliance on commercial and rather uninteresting malware like NetWire and DarkComet RATs. They also attempted to deliver keyloggers and Android trojans. Early efforts around 2012 included the keyloggers and DarkComet RATs”, Tom Hegel, one of the authors of the research, posted on Twitter.
