
Bhima Koregaon accused Rona Wilson was targeted not just by Pegasus, but two other threat actors: Report

Research by security experts identified emails with malicious attachments as the hackers’ MO.


Besides Pegasus spyware, hacking groups such as ModifiedElephant and SideWinder targeted Rona Wilson, the activist who was arrested in the Bhima Koregaon case, according to a report by cybersecurity firm SentinelOne. This was first reported by The Washington Post.

The SentinelOne report is an extension of the Arsenal Consulting report that claimed to have found the presence of Israel-based NSO Group’s Pegasus spyware in Wilson’s smartphone. SentinelOne said that between February 2013 and January 2014, Wilson received phishing emails from the SideWinder threat actor.

“The relationship between ModifiedElephant and SideWinder is unclear as only the timing and targets of their phishing emails overlap within our dataset. This could suggest that the attackers are being provided with similar tasking by a controlling entity, or that they work in concert somehow.” — SentinelOne

These revelations are significant because SideWinder, according to MITRE, is a state-sponsored threat actor group that has been targeting government, military, and business entities primarily in Pakistan and China. The report’s findings are also likely to raise serious questions about the National Investigation Agency’s case and the electronic evidence it has against Rona Wilson.

ModifiedElephant carries out long-term surveillance: SentinelOne

“The objective of ModifiedElephant is long-term surveillance that at times concludes with the delivery of ‘evidence’ – files that incriminate the target in specific crimes – prior to conveniently-coordinated arrests.” — SentinelOne report

Through the last decade, ModifiedElephant infected its targets via spear-phishing emails with malicious attachments, the report said, adding that its techniques have evolved over time. Here’s a closer look at its modus operandi, as uncovered by SentinelOne:

  • Mid-2013: The threat actor used phishing emails containing executable file attachments with fake double extensions (for example, filename.pdf.exe).
  • 2015: The actor moved on to less obvious files containing publicly available exploits, such as .doc, .pps, .docx, .rar, and password-protected .rar files.
  • 2019: In a phishing campaign around that time, ModifiedElephant operators took the approach of providing links to files hosted externally for manual download and execution by the target, the report said.
  • The attacker also made use of large .rar archives (up to 300MB), potentially in an attempt to bypass detection, the report added.

Source: SentinelOne report
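The lure characteristics listed above (fake double extensions, password-protected archives, oversized archives) are the kind of attachment metadata a mail gateway can triage without opening the file. The following is an added example written for this article, not code from SentinelOne, Arsenal Consulting or the report; the attachment records, the rule names and the 50MB size threshold are constructed assumptions (the report only says archives ran "up to 300MB").

```python
"""Attachment triage rules modelled on the lure traits described above.

Constructed example: the attachment records below are made up for this
demonstration and do not come from the SentinelOne report or any real mailbox.
The size threshold and rule names are assumptions, not the report's values.
"""
from dataclasses import dataclass, field

# Extensions Windows runs directly when the user double-clicks the file.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "hta"}
# Document-looking extensions that attackers pair with an executable one.
DECOY_DOC_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pps", "pptx", "txt", "jpg"}
ARCHIVE_EXTS = {"rar", "zip", "7z"}
# Assumed threshold for "unusually large" archives (the report cites up to 300MB).
LARGE_ARCHIVE_BYTES = 50 * 1024 * 1024


@dataclass
class Attachment:
    filename: str
    size_bytes: int
    password_protected: bool = False  # assumed to be supplied by the archive parser


@dataclass
class Finding:
    filename: str
    rules: list = field(default_factory=list)


def _exts(filename: str):
    """Return the lower-cased extension chain, e.g. 'a.pdf.exe' -> ['pdf', 'exe']."""
    parts = filename.lower().split(".")
    return parts[1:] if len(parts) > 1 else []


def triage(att: Attachment) -> Finding:
    """Apply the metadata rules to one attachment and return the rules that fired."""
    f = Finding(att.filename)
    exts = _exts(att.filename)
    if not exts:
        return f
    last = exts[-1]
    # Rule 1: fake double extension such as filename.pdf.exe (the mid-2013 lures).
    if last in EXECUTABLE_EXTS and len(exts) >= 2 and exts[-2] in DECOY_DOC_EXTS:
        f.rules.append("fake-double-extension")
    elif last in EXECUTABLE_EXTS:
        f.rules.append("executable-attachment")
    # Rule 2: password-protected archive, which gateway scanners cannot inspect.
    if last in ARCHIVE_EXTS and att.password_protected:
        f.rules.append("password-protected-archive")
    # Rule 3: oversized archive, consistent with size-based scan evasion.
    if last in ARCHIVE_EXTS and att.size_bytes >= LARGE_ARCHIVE_BYTES:
        f.rules.append("oversized-archive")
    return f


def triage_all(atts):
    """Map each filename to the list of rules it triggered."""
    return {a.filename: triage(a).rules for a in atts}


# Constructed sample mailbox attachments (not real data).
SAMPLE_ATTACHMENTS = [
    Attachment("minutes.pdf", 180_000),
    Attachment("invitation.pdf.exe", 420_000),
    Attachment("photos.rar", 310 * 1024 * 1024, password_protected=True),
    Attachment("agenda.docx", 60_000),
]

if __name__ == "__main__":
    for name, rules in triage_all(SAMPLE_ATTACHMENTS).items():
        print(f"{name}: {rules or 'clean'}")
```

The .doc/.pps/.docx lures from 2015 carried exploits in their content rather than in their names, so they pass these metadata rules; that is the point of the example: filename and size checks catch the cruder lures, and document attachments still need content inspection or sandbox detonation.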

The payloads of these phishing emails by ModifiedElephant share infrastructure with Operation Hangover. SentinelOne described Operation Hangover as a threat actor whose “activity includes surveillance efforts against targets of interest to Indian national security, both foreign and domestic…”

The Washington Post reported that Wilson received at least 32 malware-laden emails from ModifiedElephant. Similarly, SideWinder sent at least four malicious emails to Wilson between 2013 and 2014, the report said, attributing the findings to SentinelOne.


What malware was inside these emails?

“The malware most used by ModifiedElephant is unsophisticated and downright mundane, and yet it has proven sufficient for their objectives – obtaining remote access and unrestricted control of victims’ machines.” — SentinelOne report

The primary malware deployed, both of which are publicly available:

  • NetWire
  • DarkComet

SentinelOne observed particular activity by this malware around a file named LTR_1804_to_cc.pdf, “which contains details of an assassination plot against Prime Minister Modi”. This was one of the key pieces of evidence on the basis of which the National Investigation Agency arrested Wilson and others in the Bhima Koregaon case. SentinelOne said that this file was delivered to handsets using the NetWire malware associated with ModifiedElephant.

ModifiedElephant also delivered an Android malware. “The Android malware is an unidentified commodity trojan delivered as an APK file,” the report said.

What did the Arsenal Consulting report say?

“Arsenal found Pegasus (spyware) indicators on the Windows volume of Mr. Rona Wilson’s computer in two iTunes backups from an iPhone 6s [which belongs to Rona Wilson],” the report said. These indicators carried timestamps from July 5, 2017 to April 10, 2018, it added.

Arsenal Consulting was hired by Rona Wilson’s defence counsel to investigate and analyse electronic evidence seized from Wilson’s home by the Pune police department in 2018. The firm has released a total of four reports to date, detailing the extent to which Wilson’s electronic devices were targeted by the attackers:

  • The first report released by Arsenal in February this year said that malware (NetWire RAT) was installed on Rona Wilson’s computer two years before he was arrested by Pune Police.
  • The investigating authorities claimed to have found 10 incriminating letters revealing an alleged plot to assassinate the Prime Minister and overthrow the government.
  • The agencies arrested several activists and academics based on the evidence recovered from Wilson’s computers.
  • The forensic investigation discovered that the computer had been compromised for 22 months, which meant that the attackers had “extensive resources (including time) and it is obvious that their primary goals were surveillance and incriminating document delivery.”

Written By

Among other subjects, I cover the increasing usage of emerging technologies, especially for surveillance in India