Bhima Koregaon accused Rona Wilson was targeted not just by Pegasus, but two other threat actors: Report

Research by security experts identified emails with malicious attachments as the hackers’ MO.

Besides Pegasus spyware, hacking groups such as ModifiedElephant and SideWinder targeted Rona Wilson, the activist who was arrested in the Bhima Koregaon case, according to a report by cybersecurity firm SentinelOne. This was first reported by The Washington Post.

The SentinelOne report is an extension of the Arsenal Consulting report that claimed to have found the presence of Israel-based NSO Group’s Pegasus spyware in Wilson’s smartphone. SentinelOne said that between February 2013 and January 2014, Wilson received phishing emails from the SideWinder threat actor.

“The relationship between ModifiedElephant and SideWinder is unclear as only the timing and targets of their phishing emails overlap within our dataset. This could suggest that the attackers are being provided with similar tasking by a controlling entity, or that they work in concert somehow.” — SentinelOne

These revelations are significant because SideWinder, according to Mitre.org, is a state-sponsored threat actor group that has been targeting government, military, and business entities primarily in Pakistan and China. The report’s findings are also likely to raise serious doubts about the National Investigation Agency’s case and the electronic evidence it holds against Rona Wilson.

ModifiedElephant carries out long-term surveillance: SentinelOne

“The objective of ModifiedElephant is long-term surveillance that at times concludes with the delivery of ‘evidence’ – files that incriminate the target in specific crimes – prior to conveniently-coordinated arrests.” — SentinelOne report

Through the last decade, ModifiedElephant infected its targets via spear-phishing emails with malicious attachments, the report said, adding that its techniques have evolved over time. Here’s a closer look at its modus operandi, as uncovered by SentinelOne:

  • Mid-2013: The threat actor used phishing emails containing executable file attachments with fake double extensions (filename.pdf.exe).
  • 2015: The actor moved on to less obvious files containing publicly available exploits, such as .doc, .pps, .docx, .rar, and password-protected .rar files.
  • 2019: In a phishing campaign around that time, ModifiedElephant operators took the approach of providing links to files hosted externally for manual download and execution by the target, the report said.
  • The attacker also made use of large .rar archives (up to 300MB), potentially in an attempt to bypass detection, the report added.
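A defender's view of the lure patterns listed above, as an added example rather than anything from the SentinelOne report: a small mail-attachment triage routine that flags fake double extensions (the `filename.pdf.exe` pattern), password-protected archives, and oversized archives. The extension sets, the size threshold and the sample attachments are all constructed assumptions for illustration.

```python
import os
from dataclasses import dataclass

# Extensions a mail gateway should treat as directly executable on Windows (assumed list).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
# Document-looking extensions used as the decoy half of a fake double extension (assumed list).
DECOY_EXTS = {".pdf", ".doc", ".docx", ".pps", ".ppt", ".xls", ".jpg", ".txt"}
# Archive types used as later-stage lures, including password-protected .rar files.
ARCHIVE_EXTS = {".rar", ".zip", ".7z"}
# Constructed threshold: archives approaching the ~300 MB sizes described above are suspicious.
LARGE_ARCHIVE_BYTES = 100 * 1024 * 1024

@dataclass
class Attachment:
    filename: str
    size_bytes: int
    password_protected: bool = False

def extensions(filename: str) -> list[str]:
    """Return every dotted extension of a filename, lowercased, in order (e.g. ['.pdf', '.exe'])."""
    parts = os.path.basename(filename).lower().split(".")
    return ["." + p for p in parts[1:] if p]

def triage_attachment(att: Attachment) -> list[str]:
    """Return the reasons an attachment matches the lure patterns described in the report."""
    reasons = []
    exts = extensions(att.filename)
    if not exts:
        return reasons
    final = exts[-1]  # the extension the OS actually acts on
    if final in EXECUTABLE_EXTS:
        reasons.append(f"executable attachment ({final})")
        if len(exts) >= 2 and exts[-2] in DECOY_EXTS:
            reasons.append(f"fake double extension ({exts[-2]}{final})")
    if final in ARCHIVE_EXTS:
        if att.password_protected:
            reasons.append("password-protected archive (defeats gateway scanning)")
        if att.size_bytes >= LARGE_ARCHIVE_BYTES:
            reasons.append(f"oversized archive ({att.size_bytes // (1024 * 1024)} MB)")
    return reasons

# Constructed sample attachments, not real artefacts from the report.
SAMPLES = [
    Attachment("invitation.pdf.exe", 412_000),
    Attachment("notes.docx", 88_000),
    Attachment("documents.rar", 300 * 1024 * 1024, password_protected=True),
]

def triage_all(atts=SAMPLES) -> dict[str, list[str]]:
    """Map each sample filename to its list of triage reasons (empty list means no match)."""
    return {a.filename: triage_attachment(a) for a in atts}
```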

Source: SentinelOne report

The payloads of these phishing emails by ModifiedElephant share infrastructure with Operation Hangover. SentinelOne described Operation Hangover as a threat actor whose “activity includes surveillance efforts against targets of interest to Indian national security, both foreign and domestic…”

The Washington Post reported that Wilson received at least 32 malware-laden emails from ModifiedElephant. Similarly, SideWinder sent at least four malicious emails to Wilson between 2013 and 2014, the report said, attributing the findings to SentinelOne.

What malware was inside these emails?

“The malware most used by ModifiedElephant is unsophisticated and downright mundane, and yet it has proven sufficient for their objectives – obtaining remote access and unrestricted control of victims’ machines.” — SentinelOne report

The primary malware families deployed, both of which are publicly available:

  • NetWire
  • DarkComet

SentinelOne observed particular activity by this malware around a file named LTR_1804_to_cc.pdf, “which contains details of an assassination plot against Prime Minister Modi”. This was one of the key pieces of evidence on the basis of which the National Investigating Agency arrested Wilson and others in the Bhima Koregaon case. SentinelOne said that this file was delivered to handsets using the NetWire malware associated with ModifiedElephant.

ModifiedElephant also delivered Android malware. “The Android malware is an unidentified commodity trojan delivered as an APK file,” the report said.

What did the Arsenal Consulting report say?

“Arsenal found Pegasus (spyware) indicators on the Windows volume of Mr. Rona Wilson’s computer in two iTunes backups from an iPhone 6s [which belongs to Rona Wilson],” the report said. These indicators carried timestamps from July 5, 2017 to April 10, 2018, it added.

Arsenal Consulting was hired by Rona Wilson’s defence counsel to investigate and analyse electronic evidence seized from Wilson’s home by the Pune police department in 2018. The firm has released a total of four reports to date, detailing the extent to which Wilson’s electronic devices were targeted by the attackers:

  • The first report released by Arsenal in February this year said that malware (NetWire RAT) was installed on Rona Wilson’s computer two years before he was arrested by Pune Police.
  • The investigating authorities claimed to have found 10 incriminating letters revealing an alleged plot to assassinate the Prime Minister and overthrow the government.
  • The agencies arrested several activists and academics based on the evidence recovered from Wilson’s computers.
  • The forensic investigation discovered that the computer had been compromised for 22 months, which meant that the attackers had “extensive resources (including time) and it is obvious that their primary goals were surveillance and incriminating document delivery.”

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ