ModifiedElephant APT hackers plant incriminating evidence on victims devices

The ModifiedElephant APT group has been carrying out its malicious activities since 2012, successfully evading detection for about a decade.

Security researchers at SentinelLabs have published details of an advanced persistent threat (APT) group that has been compromising the devices of lawyers, academics, human rights defenders, journalists, and civil rights activists since 2012.

According to SentinelLabs’ report, the group, dubbed ModifiedElephant, plants ‘incriminating evidence’ on its targets’ devices.

About ModifiedElephant’s Cybercrimes

According to the researchers, the group, which evaded detection for a decade, has conducted widespread attacks in India and has persistently targeted high-profile individuals.

Notably, the group's focus is surveillance rather than data theft. After compromising a victim's device, ModifiedElephant monitors their activity and also plants files that can later be used to prosecute them.

SentinelLabs believes the group's primary objective is “long-term surveillance” that usually concludes with the “delivery of evidence,” that is, planted files that incriminate the victim in specific crimes.

Researchers wrote that there’s an “observable correlation between ModifiedElephant attacks and the arrests of individuals in controversial, politically-charged cases.”

“After careful review of the attackers’ campaigns over the last decade, we have identified hundreds of groups and individuals targeted by ModifiedElephant phishing campaigns. Activists, human rights defenders, journalists, academics, and law professionals in India are those most highly targeted. Notable targets include individuals associated with the Bhima Koregaon case,” SentinelLabs wrote in its report.

Attack Tactics

SentinelLabs says ModifiedElephant has targeted hundreds of individuals and groups. The infection chain starts with spearphishing emails sent from accounts at popular free email providers such as Yahoo and Gmail.

“The spearphishing emails and lure attachments are titled and generally themed around topics relevant to the target, such as activism news and groups, global and local events on climate change, politics, and public service,” researchers noted.

The malicious document attachments are used to deliver commodity remote access trojans, namely DarkComet and NetWire, along with keyloggers and an unidentified Android trojan.

One of the spearphishing emails attributed to ModifiedElephant containing a malicious attachment (Image: SentinelLabs)

Two Entities Identified

The researchers note that the malware ModifiedElephant uses is mundane commodity tooling rather than sophisticated custom malware, but some of its victims have also been targeted with NSO Group's controversial Pegasus spyware.

One such victim was Rona Wilson, whose phone was infected with Pegasus, spyware the government of India reportedly acquired as part of a 2 billion-dollar defense deal with Israel in 2017. The report also states that the group's activity aligns sharply with “Indian state interests.”

SentinelLabs also identified a second entity targeting individuals involved in the Bhima Koregaon case: SideWinder. Between February 2013 and January 2014, both SideWinder and ModifiedElephant targeted Rona Wilson.

Wilson received phishing emails from SideWinder, and in the same timeframe ModifiedElephant compromised his device. The researchers suggest that a single controlling entity may be tasking both groups, or that the groups are otherwise connected.

“The relationship between ModifiedElephant and SideWinder is unclear as only the timing and targets of their phishing emails overlap within our dataset. This could suggest that the attackers are being provided with similar tasking by a controlling entity, or that they work in concert somehow,” the report notes.
