ModifiedElephant: a hacker group's technique for planting fake evidence on victims' computers
A recent study details the tactics and techniques of a cybercrime group whose operations are built on planting incriminating evidence on activists' devices, whether to blackmail or silence them. The study focused on India, according to a report on the Gizmodo website.
A report published this week by the cybersecurity firm SentinelOne revealed further details about the group, exposing how its digital ploys have been used to monitor and target "rights activists, human rights defenders, academics and lawyers" across India.
The report states that for at least a decade, a shadowy hacker group has been targeting people across India, sometimes using its access to plant fabricated evidence of criminal activity on victims' devices, evidence that has then served as a pretext for their arrest.
Dubbed ModifiedElephant, the group is mostly engaged in espionage, but with selected targets it goes further, apparently to frame them for crimes.
The researchers say ModifiedElephant's goal is long-term surveillance that sometimes ends with "evidence", files incriminating the target in specific crimes, being left on their computers before the authorities make coordinated arrests.
The most prominent case tied to this hacking group centers on the Maoist activist Rona Wilson and a group of his associates, who were arrested by Indian security services in 2018 on charges of plotting to overthrow the government.
Evidence of the alleged plot, including a document detailing plans to assassinate the country's Prime Minister, Narendra Modi, was found on Wilson's laptop.
The case gained wider publicity after it was covered by The Washington Post, particularly once the laptop in question had been analyzed by the Boston-based digital forensics firm Arsenal Consulting.
Arsenal eventually concluded that Wilson and all of the alleged conspirators, as well as several other activists, had been targeted for digital manipulation.
In its report, the firm outlined the extent of the intrusion, linking "the same attacker to a significant malware infrastructure deployed over a period of nearly four years, not only to attacking and compromising Mr. Wilson's computer for 22 months, but to attacking the other defendants in the Bhima Koregaon case, and the accused in other high-profile Indian cases as well."
How did the hackers get the documents onto the victims' computers?
According to the SentinelOne report, ModifiedElephant uses common hacking tools and techniques to gain a foothold on victims' computers.
Phishing emails, typically tailored to the victim's interests, carry malicious documents that deliver commercially available remote access trojans (RATs): easy-to-use programs, readily bought on the dark web, that infect a computer and hand control of it to the attacker.
ModifiedElephant has been observed using DarkComet and NetWire, two widely used RATs.
Once the victim has been successfully deceived and the malware is running on the victim's computer, the RAT gives the attackers full control over the machine: they can quietly conduct surveillance or, as in Wilson's case, plant fabricated incriminating documents.
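The delivery chain described above starts with a document attachment that is not what it claims to be. As an added example (not code from SentinelOne, Arsenal Consulting or the original article), the script below triages the attachments of an email the way a mail gateway or an analyst's first pass would: it flags executables hiding behind a document extension, OOXML packages that embed a VBA macro project, legacy OLE2 binaries mislabelled as OOXML, and PDFs carrying JavaScript. The sample message, its addresses and its attachments are constructed for the demonstration and are not real ModifiedElephant lures; the checks are generic heuristics, not indicators specific to this group.

```python
import email
import io
import os
import zipfile
from email import policy
from email.message import EmailMessage

# Executable file signatures. A "document" that starts with one of these is not a
# document at all, whatever its extension says.
EXEC_MAGIC = {
    b"MZ": "PE executable",
    b"\x7fELF": "ELF executable",
}
OLE2_MAGIC = b"\xd0\xcf\x11\xe0"   # legacy binary Office container (.doc/.xls/.ppt)
ZIP_MAGIC = b"PK\x03\x04"          # OOXML (.docx/.xlsx/.pptx) is a ZIP package


def classify_attachment(filename: str, data: bytes) -> list[str]:
    """Return human-readable findings for one attachment; an empty list means nothing suspicious."""
    findings = []
    ext = os.path.splitext(filename.lower())[1] or "(no extension)"

    # 1. Executable content behind a document name.
    for magic, label in EXEC_MAGIC.items():
        if data.startswith(magic):
            findings.append(f"{label} disguised with extension {ext}")

    # 2. OOXML package: look inside for a macro project or a bundled binary.
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as pkg:
                names = [n.lower() for n in pkg.namelist()]
        except zipfile.BadZipFile:
            findings.append("ZIP header but unreadable archive")
            names = []
        if any(n.endswith("vbaproject.bin") for n in names):
            findings.append("Office package embeds a VBA macro project")
        if any(n.endswith((".exe", ".dll", ".scr")) for n in names):
            findings.append("archive carries an executable")

    # 3. Container type does not match the extension the sender chose.
    if data.startswith(OLE2_MAGIC) and ext in (".docx", ".xlsx", ".pptx"):
        findings.append("legacy OLE2 binary labelled as an OOXML document")

    # 4. Scripted PDF.
    if data.startswith(b"%PDF") and b"/JavaScript" in data:
        findings.append("PDF with embedded JavaScript")

    return findings


def triage_eml(raw: bytes) -> list[dict]:
    """Walk every attachment of an RFC 822 message and classify it."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    results = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        results.append({"filename": name, "size": len(data),
                        "findings": classify_attachment(name, data)})
    return results


def build_sample_eml() -> bytes:
    """Constructed sample lure (hypothetical addresses and content, not a real
    ModifiedElephant email): a workshop-themed message with a macro-bearing .docx
    and a PE binary renamed to .doc."""
    msg = EmailMessage()
    msg["From"] = "programme@conference.example.org"
    msg["To"] = "researcher@example.net"
    msg["Subject"] = "Agenda for the rights workshop"
    msg.set_content("Please find the workshop agenda attached.")

    # Minimal OOXML package with a vbaProject.bin part (macro container).
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("[Content_Types].xml", "<Types/>")
        pkg.writestr("word/document.xml", "<w:document/>")
        pkg.writestr("word/vbaProject.bin", OLE2_MAGIC + b"\x00" * 16)
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="vnd.openxmlformats-officedocument.wordprocessingml.document",
                       filename="agenda.docx")
    # An executable with a document extension: the MZ header gives it away.
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 60, maintype="application",
                       subtype="msword", filename="report.doc")
    return msg.as_bytes()


SAMPLE_EML = build_sample_eml()

if __name__ == "__main__":
    for r in triage_eml(SAMPLE_EML):
        verdict = "SUSPICIOUS" if r["findings"] else "clean"
        print(f'{r["filename"]} ({r["size"]} bytes): {verdict} {r["findings"]}')
```

Run it with `python triage.py` to see both constructed attachments flagged. Header and package checks of this kind catch only the crude lures; a document that reaches the RAT through an exploit rather than a macro or a renamed binary looks clean to them, so they belong in front of, not instead of, sandbox detonation and endpoint monitoring for the RAT's own behaviour.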
As with anything in the hacking world, it is hard to know for certain who is behind ModifiedElephant. However, clear contextual evidence suggests that the group operates in line with the "interests" of the Indian government.
"We note that ModifiedElephant activity is highly consistent with the interests of the Indian state, and that there is a significant relationship between ModifiedElephant attacks and the arrests of individuals in controversial political cases," the researchers wrote.