SentinelOne reports that a previously undisclosed advanced persistent threat (APT) actor has been conducting long-term monitoring operations against academics, activists, journalists, human rights defenders, and lawyers for about a decade.
The organisation, known as ModifiedElephant, is still active and is suspected of planting evidence that was later used to justify arrests.
The APT has been seen conducting phishing operations, primarily against Indian targets, and seeking to infect victims via emails containing macro-enabled Office documents.
The adversary’s tactics evolved over time, ranging from executable attachments with phoney double extensions to files containing publicly available exploits, and finally to sending URLs to files hosted on external servers to intended victims.
For the download and execution of malicious malware, some of the infected documents used exploits for vulnerabilities such as CVE-2012-0158, CVE-2014-1761, CVE-2013-3906, and CVE-2015-1641. The files were organised around issues that were relevant to the target audience.
According to SentinelOne’s SentinelLabs, the attacks were mostly carried out using free email service providers such as Gmail and Yahoo, and the messages used various social engineering tactics to appear legitimate, including “fake body content with a forwarding history containing long lists of recipients.”
ModifiedElephant was very persistent in certain attempts, attempting to compromise the same target many times in a single day.
The threat actor employed “unsophisticated and rather basic” software to gain remote access and control over the systems of the victims. The APT primarily used the remote access trojans (RATs) NetWire and DarkComet, which have been used by a variety of adversaries.
According to SentinelLabs security researchers, the attackers also installed the Incubator keylogger on certain victims’ systems, and in some cases attempted to deliver both NetWire and Android malware payloads at the same time.
A file containing details of an assassination plan against Indian Prime Minister Narendra Modi was delivered over a NetWire RAT session tied to ModifiedElephant. Authorities eventually discovered the information on the computer of a person they had arrested.
“Within fifteen minutes of each other, ModifiedElephant was creating and organising essentially similar evidence across numerous unrelated victim systems,” the researchers claimed.
Elephant, according to the researchers, works in a crowded target environment and may be linked to other regional threat actors, but it’s unclear whether they work together – maybe under the same umbrella business – or if the parallels are just coincidences.
SentinelLabs states that many of ModifiedElephant’s targets have been targeted or infected with mobile surveillance spyware. Some of them are known to have been infected with NSO Group’s Pegasus software, which is linked to the Bhima Koregaon case.
The researchers discovered similarities in the timing and targets of several ModifiedElephant phishing attempts and those of SideWinder, a threat actor renowned for targeting enterprises, governments, and military groups in Asia.
Furthermore, some of the APT’s phishing payloads share infrastructure with Operation Hangover, an Indian national security monitoring programme.
SentinelLabs discovered a relationship between some of the APT’s attacks and “arrests of individuals in contentious, politically-charged cases,” as well as a correlation between some of the APT’s assaults and “arrests of individuals in controversial, politically-charged cases.”
“We looked at a tiny portion of the complete list of prospective targets, the attackers’ strategies, and a rare view into their goals in our ModifiedElephant profile. Many uncertainties remain regarding this threat actor and their actions; however, one thing is certain: critics of authoritarian governments around the world must carefully grasp the technical capabilities of those seeking to suppress them,” SentinelLabs concluded.