Cybersecurity firm SentinelOne has accused the hacking group ModifiedElephant of planting incriminating evidence on the devices of Indian activists.
A large number of human rights activists, lawyers, academics, defenders and journalists were arrested for participating in malicious activities.
The report says that the hacking group targeted specific groups, especially those arrested in the Bhima Koregaon case of 2018.
The incident has been termed ‘one of the most serious cases of evidence tampering’ that the firm had ever encountered.
ModifiedElephant operators used spearphishing emails containing malicious files to infect their targets. The technique became more sophisticated over time.
These emails appear to come from a trusted source. The attached files, once opened, install on the device either to steal sensitive information or to install other kinds of malware.
The group employs Microsoft Office files to deliver the malware. These include executable files with fake double extensions (filename.pdf.exe).
The group used legitimate documents to hold the user’s attention while the malware executed in the background.
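The fake double-extension trick described above is easy to check for on the mail gateway or in attachment logs. The following is an added example, not code from the article or from the SentinelOne report: it flags attachment names whose final extension is executable, and specifically those where a document-looking extension (such as .pdf or .doc) sits directly in front of it. The attachment names, the extension lists and the function names are all assumptions constructed for the demonstration.

```python
# Added example (not from the SentinelOne report or the article): flag e-mail
# attachment names that use the fake double-extension trick ("court_order.pdf.exe").
# Extension lists and sample names below are constructed for this demo.
from __future__ import annotations

import os
from dataclasses import dataclass

# Extensions a recipient expects to see on a harmless document or image.
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".txt", ".jpg", ".png"}
# Extensions that a desktop or phone will actually execute or run as script.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".bat", ".cmd", ".js", ".vbs", ".ps1", ".msi", ".hta", ".apk"}


@dataclass
class Verdict:
    name: str
    suspicious: bool
    reason: str


def split_extensions(name: str) -> list[str]:
    """Return every dotted extension of a filename, lower-cased, in order.

    'report.pdf.exe' -> ['.pdf', '.exe']; a name with no dot yields [].
    """
    base = os.path.basename(name.strip())
    parts = base.split(".")
    if len(parts) < 2:
        return []
    return ["." + p.lower() for p in parts[1:] if p]


def check_attachment(name: str) -> Verdict:
    """Classify one attachment name; the reason string explains the verdict."""
    exts = split_extensions(name)
    if not exts:
        return Verdict(name, False, "no extension")
    final = exts[-1]
    if final in EXECUTABLE_EXTS:
        # A document extension immediately before an executable one is the
        # classic disguise; a bare executable attachment is also worth flagging.
        if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTS:
            return Verdict(name, True, f"document extension {exts[-2]} masks executable {final}")
        return Verdict(name, True, f"executable attachment {final}")
    return Verdict(name, False, f"benign-looking {final}")


def scan(names: list[str]) -> list[Verdict]:
    """Run the check over a batch of attachment names (e.g. from gateway logs)."""
    return [check_attachment(n) for n in names]


# Constructed sample attachment names for the demo (not real indicators).
SAMPLE_ATTACHMENTS = [
    "agenda.pdf",
    "court_order.pdf.exe",
    "Invitation.docx",
    "meeting_minutes.DOC.scr",
    "update.apk",
    "README",
]

if __name__ == "__main__":
    for v in scan(SAMPLE_ATTACHMENTS):
        label = "SUSPICIOUS" if v.suspicious else "ok        "
        print(label, v.name, "-", v.reason)
```

The check deliberately looks at every extension in the name rather than only the last two, so a name such as `file.pdf.docx.exe` is still caught because its final extension is executable; the masking reason is only reported when the disguise sits directly in front of the executable extension.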
Actions on target devices
The malware will allow remote access to and unrestricted control of victims’ devices. NetWire and DarkComet were the primary malware families deployed by ModifiedElephant.
Android malware was also sent to targets in the form of an APK file. The group was trying to achieve full coverage of the target across devices.
NetWire has password stealing, keylogging and remote control capabilities. It has been in use since 2012 and distributed through social engineering campaigns.
It has the ability to take control of a user’s system using a convenient graphical user interface. It is used for screen captures, key-logging, or password stealing.
Identity of ModifiedElephant
Cybersecurity groups are trying to ascertain the identity of the group. Some consider it to be a rogue freelance hacking group, while others think it could be a state-sponsored actor.
The group acts with multiple actors to target the same victims. They may have relations with other hacking groups.
Avoid downloading files or software from unknown sources. Use encryption to send files over email.
Employ multi-factor authentication (MFA) to protect against illegal access to email and social media accounts.