For at least a decade, a shadowy hacker group has been targeting people throughout India, sometimes using its digital powers to plant fabricated evidence of criminal activity on their devices. That phony evidence has, in turn, often provided a pretext for the victims’ arrest.
A report published this week by cybersecurity firm Sentinel One reveals additional details about the group, illuminating the way in which its digital dirty tricks have been used to surveil and target “human rights activists, human rights defenders, academics, and lawyers” throughout India.
The group, which researchers have dubbed “ModifiedElephant,” is largely preoccupied with spying, but sometimes it intervenes to apparently frame its targets for crimes. Researchers write:
The objective of ModifiedElephant is long-term surveillance that at times concludes with the delivery of ‘evidence’ — files that incriminate the target in specific crimes — prior to conveniently coordinated arrests.
The most prominent case involving Elephant centres around Maoist activist Rona Wilson and a group of his associates who, in 2018, were arrested by India security services and accused of plotting to overthrow the government. Evidence for the supposed plot — including a word document detailing plans to assassinate the nation’s prime minister, Narendra Modi — was found on the Wilson’s laptop. However, later forensic analysis of the device showed that the documents were actually fake and had been artificially planted using malware. According to Sentinel researchers, it was Elephant that put them there.
This case, which gained greater exposure after being covered by the Washington Post, was blown open after the aforementioned laptop was analysed by a digital forensics firm, Boston-based Arsenal Consulting. Arsenal ultimately concluded that Wilson and all of his so-called co-conspirators, as well as many other activists, had been targeted with digital manipulation. In a report, the company explained how extensive the intrusion was:
Arsenal has connected the same attacker to a significant malware infrastructure which has been deployed over the course of approximately four years to not only attack and compromise Mr. Wilson’s computer for 22 months, but to attack his co-defendants in the Bhima Koregaon case and defendants in other high-profile Indian cases as well.
How did the hackers get the documents onto the computer in the first place?
According to the Sentinel One’s report, Elephant uses common hacking tools and techniques to gain a foothold in victims’ computers. Phishing emails, typically tailored to the victim’s interests, are loaded with malicious documents that contain commercially available remote access tools (RATs) — easy-to-use programs available on the dark web that can hijack computers. Specifically, Elephant has been shown to use DarkComet and Netwire, two well-known brands. Once a victim is successfully phished and the hackers’ malware is downloaded, the RAT allows Elephant comprehensive control over the victim’s device; they can quietly conduct surveillance or, as in Wilson’s case, deploy phony, incriminating documents, researchers write.
It’s all pretty nefarious. As with anything in the hacker world, it’s difficult to know definitively who “Elephant” actually is. However, obvious contextual evidence suggests that the group has the Indian government’s “interests” in mind, researchers write:
We observe that ModifiedElephant activity aligns sharply with Indian state interests and that there is an observable correlation between ModifiedElephant attacks and the arrests of individuals in controversial, politically-charged cases.
Unfortunately, ModifiedElephant isn’t the only group out there that has been doing this sort of thing. An entirely different group is believed to have conducted similar operations against Baris Pehlivan, a journalist in Turkey who was incarcerated for 19 months in 2016 after the Turkish government accused him of terrorism. Digital forensics later revealed that the documents used to justify Pehlivan’s charges had been artificially implanted, much like those on Wilson’s laptop.
All in all, it’s pretty disturbing stuff. “Many questions about this threat actor and their operations remain,” Sentinel One researchers write, of Elephant. “However, one thing is clear: Critics of authoritarian governments around the world must carefully understand the technical capabilities of those who would seek to silence them.”