Besides Pegasus spyware, hacking groups such as ModifiedElephant and SideWinder targeted Rona Wilson, the activist who was arrested in the Bhima Koregaon case, according to a report by cybersecurity firm SentinelOne. This was first reported by The Washington Post.
The SentinelOne report is an extension of the Arsenal Consulting report that claimed to have found the presence of Israel-based NSO Group’s Pegasus spyware in Wilson’s smartphone. SentinelOne said that between February 2013 and January 2014, Wilson received phishing emails from the SideWinder threat actor.
“The relationship between ModifiedElephant and SideWinder is unclear as only the timing and targets of their phishing emails overlap within our dataset. This could suggest that the attackers are being provided with similar tasking by a controlling entity, or that they work in concert somehow.” — SentinelOne
These revelations are significant because SideWinder, according to Mitre.org, is a state-sponsored threat actor group that has been targeting government, military, and business entities primarily in Pakistan and China. The report’s findings are also likely to raise serious doubts about the National Investigation Agency’s case and the electronic evidence it has against Rona Wilson.
ModifiedElephant carries out long-term surveillance: SentinelOne
“The objective of ModifiedElephant is long-term surveillance that at times concludes with the delivery of ‘evidence’ – files that incriminate the target in specific crimes – prior to conveniently-coordinated arrests.” — SentinelOne report
Through the last decade, ModifiedElephant infected its targets via spear-phishing emails with malicious attachments, the report said, adding that its techniques have evolved over time. Here’s a closer look at its modus operandi, as uncovered by SentinelOne:
- Mid-2013: The threat actor used phishing emails containing executable file attachments with fake double extensions (filename.pdf.exe).
- 2015: The actor moved on to less obvious files containing publicly available exploits, such as .doc, .pps, .docx, .rar, and password protected .rar files.
- 2019: In a phishing campaign around that time, ModifiedElephant operators took the approach of providing links to files hosted externally for manual download and execution by the target, the report said.
- The attacker also made use of large .rar archives (up to 300MB), potentially in an attempt to bypass detection, the report added.
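A defender-side illustration of the attachment patterns listed above, added here and not part of the article or the SentinelOne report: a small mail-gateway triage rule set run over constructed attachment metadata. The extension lists, the 300MB threshold applied as a cut-off, and the `password_protected` field (assumed to be supplied by an archive inspector) are assumptions.

```python
# Added example: triage rules for the attachment tricks described in the
# article (fake double extensions, password-protected and oversized archives).
from dataclasses import dataclass

EXEC_EXTS = {"exe", "scr", "com", "bat", "cmd", "pif", "js", "vbs", "hta"}
DECOY_EXTS = {"pdf", "doc", "docx", "pps", "ppt", "xls", "jpg", "txt"}
ARCHIVE_EXTS = {"rar", "zip", "7z"}
LARGE_ARCHIVE_BYTES = 300 * 1024 * 1024  # assumed cut-off; report cites up to 300MB


@dataclass
class Attachment:
    name: str
    size: int
    password_protected: bool = False  # assumed to come from an archive inspector


def triage(att: Attachment) -> list[str]:
    """Return the reasons an attachment should be quarantined (empty = clean)."""
    findings = []
    parts = att.name.lower().split(".")
    exts = parts[1:] if len(parts) > 1 else []
    last = exts[-1] if exts else ""
    # fake double extension: a decoy document type hiding an executable
    if len(exts) >= 2 and last in EXEC_EXTS and exts[-2] in DECOY_EXTS:
        findings.append(f"double extension hides executable: .{exts[-2]}.{last}")
    elif last in EXEC_EXTS:
        findings.append(f"bare executable attachment: .{last}")
    if last in ARCHIVE_EXTS:
        if att.password_protected:
            findings.append("password-protected archive defeats content scanning")
        if att.size >= LARGE_ARCHIVE_BYTES:
            findings.append("oversized archive may exceed scanner size limit")
    return findings


# Constructed sample attachments (not real indicators from the report).
SAMPLES = [
    Attachment("invitation.pdf.exe", 480_000),
    Attachment("minutes.docx", 52_000),
    Attachment("photos.rar", 320 * 1024 * 1024, password_protected=True),
]

if __name__ == "__main__":
    for att in SAMPLES:
        print(att.name, "->", triage(att) or "no finding")
```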
The payloads of these phishing emails by ModifiedElephant share infrastructure with Operation Hangover. SentinelOne described Operation Hangover as a threat actor whose “activity includes surveillance efforts against targets of interest to Indian national security, both foreign and domestic…”
The Washington Post reported that Wilson received at least 32 malware-laden emails from ModifiedElephant. Similarly, SideWinder sent at least four malicious emails to Wilson between 2013 and 2014, the report said, attributing the findings to SentinelOne.
What malware was inside these emails?
“The malware most used by ModifiedElephant is unsophisticated and downright mundane, and yet it has proven sufficient for their objectives – obtaining remote access and unrestricted control of victims’ machines.” — SentinelOne report
The primary malware deployed, all of it publicly available, was:
SentinelOne observed particular activity of this malware around a file named LTR_1804_to_cc.pdf “which contains details of an assassination plot against Prime Minister Modi”. This was one of the key pieces of evidence on the basis of which the National Investigation Agency arrested Wilson and others in the Bhima Koregaon case. SentinelOne said that this file was delivered to handsets using the NetWire malware associated with ModifiedElephant.
ModifiedElephant also delivered an Android malware. “The Android malware is an unidentified commodity trojan delivered as an APK file,” the report said.
What did the Arsenal Consulting report say?
“Arsenal found Pegasus (spyware) indicators on the Windows volume of Mr. Rona Wilson’s computer in two iTunes backups from an iPhone 6s [which belongs to Rona Wilson],” the report said. These indicators carried timestamps from July 5, 2017 to April 10, 2018, it added.
Arsenal Consulting was hired by Rona Wilson’s defence counsel to investigate and analyse electronic evidence seized from Wilson’s home by the Pune police department in 2018. The firm has released a total of four reports to date, detailing the extent to which Wilson’s electronic devices were targeted by the attackers:
- The first report released by Arsenal in February this year said that malware (NetWire RAT) was installed on Rona Wilson’s computer two years before he was arrested by Pune Police.
- The investigating authorities claimed to have found 10 incriminating letters revealing an alleged plot to assassinate the Prime Minister and overthrow the government.
- The agencies arrested several activists and academics based on the evidence recovered from Wilson’s computers.
- The forensic investigation discovered that the computer had been compromised for 22 months, which meant that the attackers had “extensive resources (including time) and it is obvious that their primary goals were surveillance and incriminating document delivery.”