The attacks have the objective of “planting incriminating digital evidence on victims’ machines,” says the report.
ModifiedElephant, Modified Truth
According to SentinelLabs, ModifiedElephant has been operational since at least 2012. The advanced persistent threat (APT) was unearthed as a result of a forensic law enforcement investigation into long-standing racial and political tensions in India. When Maharashtra police in India made raids and arrests in 2018 over violence linked to the banned Naxalite-Maoist Communist party, forensic teams found incriminating files on the computer systems of the defendants, including “plans for an alleged assassination attempt against Prime Minister Modi.” The incriminating files, presented as evidence of “terrorism,” were found to have been purposefully planted by the politically motivated ModifiedElephant “prior to conveniently coordinated arrests.” The group has evaded research attention and detection “due to their limited scope of operations, the mundane nature of their tools, and their regionally-specific targeting.” In addition, evidence now suggests ModifiedElephant has surveilled and targeted hundreds of groups and individuals via phishing campaigns.
How ModifiedElephant Operates
“Unsophisticated and downright mundane” spearphishing has been confirmed as the attack vector of choice for ModifiedElephant, which in this case means various types of weaponized Microsoft Office document files. The attached files leveraged exploits for the known vulnerabilities CVE-2015-1641, CVE-2014-1761, CVE-2013-3906, and CVE-2012-0158, all of which are already catalogued in the Common Vulnerabilities and Exposures database.
Use of publicly available RATs and infected APK files
The group successfully deployed the publicly available Netwire and DarkComet RATs, which have been used in similar campaigns, giving it “remote access and unrestricted control of victim machines.” Furthermore, primitive incubator keyloggers and trojans disguised as APK files were also used.
A variety of phishing techniques
In the ten years since 2012, ModifiedElephant’s techniques have ranged from fake double extensions that mimic legitimate file types, to large RAR files, to links to files chosen to attract the attention of human rights activists, academics, lawyers, and others from this milieu.
Persistent and deceptive trickery
ModifiedElephant utilized free email services such as Gmail and Yahoo for its operations, including deceptive trickery such as fake email body content and fraudulent forward history. Emails contained “long lists of recipients, original email recipient lists” and were sent with extreme persistence, in some cases to the same victims multiple times a day.
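The tradecraft described in the two sections above (double-extension attachments, large RAR archives, freemail senders with long recipient lists, and the same message resent several times a day) is mundane enough that a mail gateway can flag it from metadata alone. The script below is an added example, not code from SentinelLabs or the original article; the message records are constructed, the field names are an assumption, and the thresholds for “large” archives, “long” recipient lists and “repeated” sends are arbitrary values to be tuned per environment.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample messages (not from the report): the minimal metadata a
# mail gateway would log. Field names are an assumption for this example.
SAMPLE_MESSAGES = [
    {"id": "m1", "sender": "activist.updates@gmail.com", "recipients": 42,
     "attachments": [("Court_Order.pdf.exe", 410_000)],
     "sent": "2019-03-04T08:12:00"},
    {"id": "m2", "sender": "activist.updates@gmail.com", "recipients": 42,
     "attachments": [("Court_Order.pdf.exe", 410_000)],
     "sent": "2019-03-04T11:40:00"},
    {"id": "m3", "sender": "activist.updates@gmail.com", "recipients": 42,
     "attachments": [("Court_Order.pdf.exe", 410_000)],
     "sent": "2019-03-04T17:05:00"},
    {"id": "m4", "sender": "press@yahoo.com", "recipients": 3,
     "attachments": [("case_files.rar", 48_000_000)],
     "sent": "2019-03-05T09:00:00"},
    {"id": "m5", "sender": "colleague@university.example", "recipients": 1,
     "attachments": [("minutes.docx", 52_000)],
     "sent": "2019-03-05T10:00:00"},
]

FREEMAIL_DOMAINS = {"gmail.com", "yahoo.com"}
EXECUTABLE_EXTS = {"exe", "scr", "com", "bat", "js", "vbs", "apk"}
LARGE_ARCHIVE_BYTES = 20 * 1024 * 1024   # assumed threshold, tune locally
RECIPIENT_LIST_THRESHOLD = 20            # assumed threshold, tune locally
DAILY_REPEAT_THRESHOLD = 3               # assumed threshold, tune locally


def double_extension(name):
    """True for names like report.pdf.exe: a benign-looking inner extension
    followed by an executable outer one. Plain setup.exe is not flagged."""
    parts = name.lower().rsplit(".", 2)
    return len(parts) == 3 and parts[2] in EXECUTABLE_EXTS


def large_rar(name, size):
    """True for RAR archives at or above the assumed size threshold."""
    return name.lower().endswith(".rar") and size >= LARGE_ARCHIVE_BYTES


def daily_repeat_counts(messages):
    """Count messages per (sender, calendar day)."""
    counts = defaultdict(int)
    for m in messages:
        day = datetime.fromisoformat(m["sent"]).date()
        counts[(m["sender"], day)] += 1
    return counts


def flag_messages(messages):
    """Return {message id: [indicator, ...]} for every message with at least
    one indicator; clean messages are omitted."""
    repeats = daily_repeat_counts(messages)
    flagged = {}
    for m in messages:
        hits = []
        for name, size in m["attachments"]:
            if double_extension(name):
                hits.append("double_extension:" + name)
            if large_rar(name, size):
                hits.append("large_rar:" + name)
        domain = m["sender"].rsplit("@", 1)[-1].lower()
        if domain in FREEMAIL_DOMAINS and m["recipients"] >= RECIPIENT_LIST_THRESHOLD:
            hits.append("freemail_bulk_send")
        day = datetime.fromisoformat(m["sent"]).date()
        if repeats[(m["sender"], day)] >= DAILY_REPEAT_THRESHOLD:
            hits.append("repeated_daily_send")
        if hits:
            flagged[m["id"]] = hits
    return flagged


if __name__ == "__main__":
    for mid, hits in flag_messages(SAMPLE_MESSAGES).items():
        print(mid, hits)
```

None of these indicators is conclusive on its own (mailing lists from Gmail are common), which is why the function returns every indicator per message rather than a verdict; a triage rule would typically act on two or more co-occurring hits, and the double-extension check should be paired with the real file type, since the display name is exactly what the attacker controls.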
Ties to Pegasus Spyware and Other Operations
Whether ModifiedElephant is part of an active umbrella organization cannot be fully ascertained. However, the group may have ties to other regional threat actors. One indication is that victims targeted by ModifiedElephant were also infected with the Pegasus mobile surveillance spyware in 2019. Other phishing attempts by a potential sidekick to ModifiedElephant, known as Sidewinder, were also detected. ModifiedElephant’s phishing emails also “share infrastructure overlap” with Operation Hangover, a global surveillance operation that backs the interests of Indian national security as well as unrelated global industrial espionage.
ModifiedElephant is State-backed
ModifiedElephant’s background, attack timeline, and objectives “aligns sharply with Indian state interests,” translating into “an observable correlation” with “the arrests of individuals in controversial, politically-charged cases.” For now, the available information indicates that the threat group is still operational. “Critics of authoritarian governments around the world must carefully understand the technical capabilities of those who would seek to silence them,” wrote SentinelLabs. “A threat actor willing to frame and incarcerate vulnerable opponents is a critically underreported dimension of the cyber threat landscape that brings up uncomfortable questions about the integrity of devices introduced as evidence.”