These cybercriminals plant criminal evidence on human rights defender, lawyer devices

There's more than one way to silence civil rights activists, it seems.
Written by Charlie Osborne, Contributing Writer

Cybercriminals are hijacking the devices of civil rights activists and planting "incriminating evidence" in covert cyberattacks, researchers warn.

According to SentinelLabs, an advanced persistent threat (APT) group dubbed ModifiedElephant has been responsible for widespread attacks targeting human rights activists and defenders, academics, journalists, and lawyers across India. 

The APT is thought to have been in operation since at least 2012, and over the past decade, ModifiedElephant has continually and persistently targeted specific, high-profile people of interest. 

However, rather than focusing on data theft, the APT's activities are far more sinister: once inside a victim's machine, the group conducts surveillance and may plant incriminating files later used to prosecute individuals.

"The objective of ModifiedElephant is long-term surveillance that at times concludes with the delivery of 'evidence' -- files that incriminate the target in specific crimes -- prior to conveniently coordinated arrests," the researchers say.

SentinelLabs has identified "hundreds of groups and individuals" targeted by the APT.

ModifiedElephant starts an infection chain with spear-phishing emails. These emails contain documents laden with malware, including the NetWire and DarkComet remote access trojans (RATs), as well as keyloggers and an Android Trojan. 

SentinelLabs has connected the dots between previously unattributable attacks and says that while ModifiedElephant has operated under the radar for so long, there is an "observable correlation between ModifiedElephant attacks and the arrests of individuals in controversial, politically-charged cases."

While the malware used by the threat actors is considered "mundane" and not particularly sophisticated, a number of the APT's victims have also been targeted with NSO Group's Pegasus surveillanceware, the subject of an explosive investigation by Amnesty International, Forbidden Stories, and various media outlets in 2021.

While attribution isn't concrete, the team says that ModifiedElephant activity "aligns sharply with Indian state interests." 

"Many questions about this threat actor and their operations remain; however, one thing is clear: Critics of authoritarian governments around the world must carefully understand the technical capabilities of those who would seek to silence them," SentinelLabs cautioned. "A threat actor willing to frame and incarcerate vulnerable opponents is a critically underreported dimension of the cyber threat landscape that brings up uncomfortable questions about the integrity of devices introduced as evidence."

See also

Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

Editorial standards