Hackers Planted Fake Digital Evidence on Devices of Indian Activists and Lawyers
A previously unknown hacking group has been linked to targeted attacks against human rights activists, human rights defenders, academics, and lawyers across India in an attempt to plant "incriminating digital evidence."
Cybersecurity firm SentinelOne attributed the intrusions to a group it tracks as "ModifiedElephant," an elusive threat actor that's been operational since at least 2012, whose activity aligns sharply with Indian state interests.
"ModifiedElephant operates through the use of commercially available remote access trojans (RATs) and has potential ties to the commercial surveillance industry," the researchers said. "The threat actor uses spear-phishing with malicious documents to deliver malware, such as NetWire, DarkComet, and simple keyloggers."
The primary goal of ModifiedElephant is to facilitate long-term surveillance of targeted individuals, ultimately leading to the delivery of "evidence" on the victims' compromised systems with the goal of framing and incarcerating vulnerable opponents.
Notable targets include individuals associated with the 2018 Bhima Koregaon violence in the Indian state of Maharashtra, SentinelOne researchers Tom Hegel and Juan Andres Guerrero-Saade said in a report.
The attack chains involve infecting the targets — some of them multiple times in a single day — using spear-phishing emails themed around topics related to activism, climate change, and politics, and containing malicious Microsoft Office document attachments or links to files hosted externally that are weaponized with malware capable of taking control of victim machines.
"The phishing emails take many approaches to gain the appearance of legitimacy," the researchers said. "This includes fake body content with a forwarding history containing long lists of recipients, original email recipient lists with many seemingly fake accounts, or simply resending their malware multiple times using new emails or lure documents."
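A defender-side mail triage for the delivery patterns described above (the same file sent to one target several times in a day, and padded recipient lists), added here as an example and not code from SentinelOne or this article. The threshold, function names and sample messages are assumptions constructed for illustration.

```python
import base64
import hashlib
from collections import defaultdict
from email import message_from_string
from email.utils import getaddresses, parsedate_to_datetime

MAX_RCPTS = 10  # assumed threshold for an unusually long recipient list

def make_mail(sender, to, date, subject, payload):
    """Build a constructed test message carrying one base64 attachment."""
    return (f"From: {sender}\nTo: {to}\nDate: {date}\nSubject: {subject}\n"
            'MIME-Version: 1.0\nContent-Type: multipart/mixed; boundary="b"\n\n'
            "--b\nContent-Type: text/plain\n\nPlease see attached.\n"
            "--b\nContent-Type: application/msword\n"
            'Content-Disposition: attachment; filename="notes.doc"\n'
            "Content-Transfer-Encoding: base64\n\n"
            f"{base64.b64encode(payload).decode()}\n--b--\n")

def triage(raw_messages):
    """Return (resent, bulk): one file sent to one recipient on one day under
    several sender/subject pairs, and messages with long To/Cc lists."""
    seen = defaultdict(set)  # (recipient, day, sha256) -> {(sender, subject)}
    bulk = []
    for raw in raw_messages:
        msg = message_from_string(raw)
        hdrs = msg.get_all("To", []) + msg.get_all("Cc", [])
        rcpts = [addr.lower() for _, addr in getaddresses(hdrs)]
        sender = getaddresses([msg.get("From", "")])[0][1].lower()
        day = parsedate_to_datetime(msg["Date"]).date().isoformat()
        if len(rcpts) > MAX_RCPTS:
            bulk.append((sender, len(rcpts)))
        for part in msg.walk():
            if part.get_content_disposition() != "attachment":
                continue
            digest = hashlib.sha256(part.get_payload(decode=True)).hexdigest()
            for rcpt in rcpts:
                seen[(rcpt, day, digest)].add((sender, msg.get("Subject", "")))
    resent = {k: sorted(v) for k, v in seen.items() if len(v) > 1}
    return resent, bulk

LURE = b"constructed stand-in for a lure document"  # sample data, not from the report
MANY = ", ".join(f"user{i}@example.org" for i in range(12))
SAMPLES = [
    make_mail("a@example.com", "target@example.org",
              "Mon, 07 Feb 2022 09:15:00 +0530", "Climate report", LURE),
    make_mail("b@example.net", "target@example.org",
              "Mon, 07 Feb 2022 16:40:00 +0530", "Fwd: climate report", LURE),
    make_mail("c@example.com", MANY,
              "Tue, 08 Feb 2022 10:00:00 +0530", "Fwd: notes", b"other file"),
]
```

Keying on the attachment hash rather than the sender or subject is what lets the check survive the "new emails or lure documents" rotation only partially: a renamed but byte-identical file still matches, while a rebuilt document will not.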
Also distributed using phishing emails is an unidentified commodity trojan targeting Android that enables the attackers to intercept and manage SMS and call data, wipe or unlock the device, perform network requests, and remotely administer the infected devices. SentinelOne characterized it as an "ideal low-cost mobile surveillance toolkit."
"This actor has operated for years, evading research attention and detection due to their limited scope of operations, the mundane nature of their tools, and their regionally-specific targeting," the researchers said.
Source: https://thehackernews.com/2022/02/hackers-planted-fake-digital-evidence.html