Researchers on Wednesday disclosed an advanced persistent threat group that targeted Indian dissidents and remained undetected for a decade or more. The group started with simple phishing lures some 10 years ago and later graduated to sending links to files hosted externally in the cloud, which victims were expected to download and execute manually.
In a blog post, SentinelLabs researchers reported on ModifiedElephant, which has been operating since at least 2012. The researchers said the threat group operates through the use of commercially available remote access trojans and has ties to the commercial surveillance industry.
The threat actor uses spearphishing with malicious documents to deliver malware such as NetWire, DarkComet, and simple keyloggers; overlaps in the infrastructure behind these campaigns helped the researchers connect the dots to previously unattributed malicious activity.
ModifiedElephant’s activities have been traced to long-standing political tensions in India, which exploded on Jan. 1, 2018, when critics of the government clashed with pro-government supporters near Bhima Koregaon. Later in 2018, raids conducted by police led to several arrests and the seizure of computer systems, which revealed incriminating files that pointed to an alleged plot against Indian Prime Minister Narendra Modi.
Thanks to the public release of digital forensic investigation results by Arsenal Consulting and the findings detailed in the SentinelLabs blog, the researchers allege that ModifiedElephant compromised the computers that were later seized, planting files that were used as evidence to justify the imprisonment of the defendants. Over a decade or more, the group targeted human rights activists, human rights defenders, academics, and lawyers across India with the objective of planting incriminating digital evidence — and they are still operating today.
The case has become part of a larger trend of private and commercial companies copying government and nation-state methodologies, persistently looking to penetrate the systems of politically involved individuals, said Gadi Naveh, cyber data scientist at Canonic. Naveh said that although most of the tools described aren’t top grade, continuous fueling of the attack eventually gets the target, and larger funding gets even better tools, as was implied by Amnesty International.
“We assume these tools and methods that move from nation-states to commercial organizations will keep answering the demand and available funds for getting data,” Naveh said. “The move of data to the cloud makes the top-tier actor act there, but as with RATs and keyloggers, we are seeing the same military-grade tools moving after the new data sources in the cloud.”
Daniel Almendros, cyber threat intelligence analyst at Digital Shadows, added that he and his team view ModifiedElephant as a fascinating, albeit dangerous, actor. Almendros said ModifiedElephant has a wide range of tools in its arsenal that it uses to target a large number of victims. They use a blend of off-the-shelf tools (the NetWire and DarkComet RATs), paired with spearphishing emails related to the sensitive 2018 Bhima Koregaon affair.
“The phishing lures have improved in subtlety as well as boldness; they have shifted from fake double-extension file names to commonly used Office filenames,” Almendros said. “In one instance, an assassination attempt story was added to provoke the user to click on the phishing lure. These emails were distributed to many different users. The group likely has a connection with Indian state espionage. Because most APT attention stems from China- and Russia-based threats, ModifiedElephant was initially overlooked for years. In addition, the group’s specific targeting and use of commodity malware helped the group evade detection for a prolonged period.”