A cybercrime group frames activists by planting fake evidence on their devices

Cybersecurity is one of the biggest concerns of the modern internet age. 

A team of researchers has unearthed crucial information about the shadowy hacker group dubbed ModifiedElephant — which has targeted people throughout India for nearly a decade, according to a report posted on SentinalLabs. Formed in 2012, the hacker group is infamous for spying on people, and even framing the innocent by planting fabricated evidence on their devices.

And that could seriously disrupt lives and livelihoods.

The group reaches its objectives using spear-phishing emails with malicious file attachments. "We have identified hundreds of groups and individuals targeted by ModifiedElephant phishing campaigns", read the report. "Activists, human rights defenders, journalists, academics, and law professionals in India are those most highly targeted."

How do the hackers get access to the devices?

The group infects target devices using phishing emails, which are designed to optimize the user's vulnerability to suit the interests of the group -- and contain malicious Microsoft Office document files loaded with commercially available remote access tools (RAT).

The group also continually changes its tactics to avoid getting caught. By mid-2013, the "threat actor" used fake double extensions, like filename.pdf.exe. But, after 2015, it switched to commonly used extensions, like .doc, .pdf, .rar, and others. In 2019, the group was also witnessed providing links to files for the target to download manually.

As first reported by Amnesty, the group used RAR archives that can expand up to 300MB, to bypass detection.

Are they involved in the Rona Wilson case?

In April 2018, the alleged "Maoist activist" Rona Wilson was arrested with the charge of plotting to overthrow the government. And now, Sentinel Lab claims it was ModifiedElephant, in collaboration with SideWinder, that targeted Rona Wilson by planting the evidence in his device. It was remarked in the report that the relationship between ModifiedElephant and SideWinder is ambiguous, but the timing and targets of their phishing emails overlap.

"We observe that ModifiedElephant activity aligns sharply with Indian state interests and that there is an observable correlation between ModifiedElephant attacks and the arrests of individuals in controversial, politically-charged cases," added the report.

Many malicious actors are lurking in cyberspace, but by studying who they target and how, we can begin to build a viable means of defending ourselves. But, the report warns: "Critics of authoritarian governments around the world must carefully understand the technical capabilities of those who would seek to silence them."

Silencing dissent - It's a sad fact of the modern world that despite how much progress we feel we've made in governance, equality, and fairness, there are entrenched administrations who do not place value on basic democratic tenets. And in the new age of hacktivists, it should come as no surprise that for every push against authoritarian power structures by independent groups, massive undertakings are executing retributive attacks, to subvert dissent before it gains a platform. So if you want to change the world, it's important to be aware that every tactic you might use, might also be used by others, to keep it the same.