Entity with spying links behind Indian cyber ops: Report
The experts at California-based Sentinel Labs have named the group ModifiedElephant and found its digital footprints going back to at least 2012 and in the targeting of “hundreds of individuals and groups”, including Rona Wilson, who has been arrested in the Bhima-Koregaon violence case.
An American cybersecurity company has identified a malicious hacking group that it said has targeted human rights activists, academics, and lawyers, and is likely connected to another older group that has typically targeted India’s adversaries like China and Pakistan with cyber espionage.
The group, the Sentinel Labs report said, carried out “long-term surveillance that at times concludes with the delivery of ‘evidence’ — files that incriminate the target in specific crimes — prior to conveniently coordinated arrests”.
The report adds that the identity of the individuals or agencies involved in the group is not known.
Independent, India-based cybersecurity experts who reviewed the report explained that the evidence presented by Sentinel Labs amounts to uncovering shared techniques and shared infrastructure.
The latter is particularly robust as proof, since infrastructure – in this case the internet address (domain) that the attackers’ malware (the programmes that infected the targets) called back to – can only be used by those who hold the credentials for it.
This was the basis for the identification of ModifiedElephant.
“In this case, they were using the same domain -- even though the malware may have been different. At one point, they used the same domain in 2013 and all the way till 2016. In the span of three years, it’s the same actor,” said Anand Venkatanarayanan, cybersecurity strategic adviser to DeepStrat.
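The pivot Venkatanarayanan describes, the same callback domain reappearing under different malware over several years, is the kind of check an analyst runs over a sample set. The script below is an added illustration, not code from the Sentinel Labs report or from this article; the sample records, family names and domains are constructed, and the two-year threshold for calling a domain a "strong" pivot is an assumption for the example.

```python
from collections import defaultdict
from datetime import date

# Constructed sample records (not from the report): one malware sample per row,
# with the callback (C2) domains it was observed contacting and a first-seen date.
SAMPLES = [
    {"id": "s1", "family": "NetWire",   "domains": ["c2-a.example"],                 "seen": date(2013, 4, 2)},
    {"id": "s2", "family": "DarkComet", "domains": ["c2-a.example"],                 "seen": date(2014, 9, 11)},
    {"id": "s3", "family": "NetWire",   "domains": ["c2-b.example"],                 "seen": date(2015, 1, 20)},
    {"id": "s4", "family": "Custom",    "domains": ["c2-a.example", "c2-b.example"], "seen": date(2016, 6, 5)},
    {"id": "s5", "family": "Custom",    "domains": ["c2-b.example"],                 "seen": date(2016, 7, 1)},
    {"id": "s6", "family": "NetWire",   "domains": ["c2-c.example"],                 "seen": date(2019, 3, 3)},
]


def domain_pivots(samples, min_years=2):
    """Per callback domain: span of observed use and the malware families seen
    using it. A domain reused across families for at least `min_years` (assumed
    threshold) is flagged as a strong pivot, the situation the article describes:
    different malware, same operator-controlled infrastructure.
    Caveat for analysts: rule out shared hosting, sinkholes and parked domains
    before treating a reused domain as proof of a single actor."""
    by_domain = defaultdict(list)
    for s in samples:
        for d in s["domains"]:
            by_domain[d].append(s)
    pivots = {}
    for domain, rows in by_domain.items():
        first = min(r["seen"] for r in rows)
        last = max(r["seen"] for r in rows)
        years = (last - first).days / 365.25
        families = sorted({r["family"] for r in rows})
        pivots[domain] = {
            "first": first,
            "last": last,
            "span_years": round(years, 2),
            "families": families,
            "strong": years >= min_years and len(families) > 1,
        }
    return pivots


def activity_clusters(samples):
    """Union-find over shared domains: samples that share any callback domain,
    directly or through an intermediate sample, land in one activity cluster.
    Returns the clusters as sorted lists of sample ids."""
    parent = {s["id"]: s["id"] for s in samples}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    def union(a, b):
        parent[find(a)] = find(b)

    first_sample_for = {}
    for s in samples:
        for d in s["domains"]:
            if d in first_sample_for:
                union(s["id"], first_sample_for[d])
            else:
                first_sample_for[d] = s["id"]

    clusters = defaultdict(set)
    for s in samples:
        clusters[find(s["id"])].add(s["id"])
    return sorted(sorted(c) for c in clusters.values())


if __name__ == "__main__":
    for domain, info in domain_pivots(SAMPLES).items():
        flag = "STRONG" if info["strong"] else "weak"
        print(f"{domain}: {info['first']} -> {info['last']} "
              f"({info['span_years']} y), families={info['families']} [{flag}]")
    print("activity clusters:", activity_clusters(SAMPLES))
```

With the constructed data, c2-a.example is used by three different families across roughly three years and is reported as a strong pivot, while c2-b.example falls under the threshold; the cluster step then ties s1 through s5 together because s4 talks to both domains, and leaves s6 on its own.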
He added that the actors using the mobile spyware Pegasus had similar overlaps, including in terms of targets – something the Sentinel Labs report, too, noted. Venkatanarayanan reviewed several of the devices targeted by Pegasus and recently deposed before the Supreme Court-appointed committee investigating the spyware’s alleged use in India.
The second aspect of the report found that ModifiedElephant may be related to another group known more widely in the cyber threat intelligence domain as SideWinder (also often referred to as Patchwork by other cybersecurity experts).
“Notably, a separate Indian-nexus threat actor, SideWinder, is placed alongside ModifiedElephant in this graph as they were observed targeting the same individuals,” said the Sentinel Labs analysis.
SideWinder’s involvement in the targeting of Indian nationals is particularly unusual, since the group has typically been seen hacking those in adversarial nations like China and Pakistan.
SideWinder’s involvement was inferred from the footprint the group left behind on Wilson’s computer and from the timing of its changes to its technical infrastructure, which matched that of ModifiedElephant.
Venkatanarayanan said this poses three major issues. “First, simply the targeting of an individual to plant incriminating evidence is illegal.
“Second, it is a security doctrine mistake. If your domestic cyber surveillance and external espionage and spying operations are linked, you risk jeopardising both in the event, say, an adversary were to launch counterespionage attacks or if a foreign country were to sanction individuals linked to these operations.
“Third, it sends a bad signal to your enemies about your technical and strategic abilities.”
The identity of those behind SideWinder is not yet known.
It is not unusual for offensive cyber groups – technically called advanced persistent threat (APT) actors – to be identified via codenames after analysts pick up their infrastructure and the digital footprints of their methods.
Identification of individuals or agencies is rare, if not nearly unprecedented. In April 2021, US President Joe Biden for the first time identified the Russian Foreign Intelligence Services as being behind APT 29, or Cozy Bear, for perpetrating the SolarWinds cyberattack. The attack is believed to have compromised computers at the heart of the American government.
In the case of ModifiedElephant, the infrastructure comprised the clusters of servers with which the victims’ devices communicated after infection, the email addresses through which the attackers sent out the infected documents that delivered the malware, and the malware itself.
The malware used was made up of customised versions of publicly available code or of tools that could easily be bought on the Dark Web, the Sentinel One experts said. In other words, it was not sophisticated.
“There’s something to be said about how mundane the mechanisms of this operation are. The malware is either custom garbage or commodity garbage. There’s nothing *technically* impressive about this threat actor, instead we marvel at their audacity,” said Juan Andres Guerrero-Saade, one of the analysts who prepared the report, in a tweet on Thursday.
Rona Wilson’s legal team has moved court alleging that the evidence the prosecution has presented against him was planted on his computer after it was hacked, following a report last year by another American cybersecurity company, Arsenal Consulting.
The company had analysed a copy of Wilson’s hard drive and found traces of malware that Sentinel One identified as one of the traits of ModifiedElephant.