Sabrang

Rona Wilson’s devices hacked by two groups of hackers employed by same entity: Sentinel Labs

California-based cybersecurity firm’s report says two separate groups were employed by same entity with “interests aligned with the Indian State”

Sabrangindia 10 Feb 2022

Rona Wilson

More skeletons are tumbling out of the closet in the matter of the malware and spyware allegedly planted on electronic devices used by activists implicated in the Bhima Koregaon case. Now Sentinel Labs, another US-based cybersecurity firm (after Arsenal), has found further evidence that Rona Wilson’s devices were targeted.

According to Sentinel Labs, two separate sets of hackers targeted Wilson’s devices. They were possibly employed by the same entity, one with “interests aligned with the Indian State”.

The curious case of the ModifiedElephant

One of the groups of hackers who targeted Wilson’s devices is an entity Sentinel Labs calls ModifiedElephant. A report by Sentinel Labs says, “ModifiedElephant is responsible for targeted attacks on human rights activists, human rights defenders, academics, and lawyers across India with the objective of planting incriminating digital evidence.” They also found that “ModifiedElephant has been operating since at least 2012, and has repeatedly targeted specific individuals,” and that “ModifiedElephant operates through the use of commercially available remote access trojans (RATs) and has potential ties to the commercial surveillance industry.”

As far as the entity’s modus operandi goes, Sentinel Labs found that “The threat actor uses spearphishing with malicious documents to deliver malware, such as NetWire, DarkComet, and simple keyloggers with infrastructure overlaps that allow us to connect long periods of previously unattributed malicious activity.” The report further says, “This actor has operated for years, evading research attention and detection due to their limited scope of operations, the mundane nature of their tools, and their regionally-specific targeting,” adding on a chilling note, “ModifiedElephant is still active at the time of writing.”

The report further explained, “Their primary delivery mechanism is malicious Microsoft Office document files weaponized to deliver the malware of choice at the time,” adding, “The spearphishing emails and lure attachments are titled and generally themed around topics relevant to the target, such as activism news and groups, global and local events on climate change, politics, and public service.”

Who is ModifiedElephant targeting and why?

According to Sentinel Labs, “The objective of ModifiedElephant is long-term surveillance that at times concludes with the delivery of ‘evidence’—files that incriminate the target in specific crimes—prior to conveniently coordinated arrests.” The report further says, “After careful review of the attackers’ campaigns over the last decade, we have identified hundreds of groups and individuals targeted by ModifiedElephant phishing campaigns. Activists, human rights defenders, journalists, academics, and law professionals in India are those most highly targeted. Notable targets include individuals associated with the Bhima Koregaon case.”

The report goes on to say, “We observe that ModifiedElephant activity aligns sharply with Indian state interests and that there is an observable correlation between ModifiedElephant attacks and the arrests of individuals in controversial, politically-charged cases.”

Other threat actors: What is SideWinder?

The second entity that surfaced alongside ModifiedElephant during Sentinel Labs’ investigation is SideWinder. According to Sentinel Labs, “Between February 2013 and January 2014 one target, Rona Wilson, received phishing emails that can be attributed to the SideWinder threat actor. The relationship between ModifiedElephant and SideWinder is unclear as only the timing and targets of their phishing emails overlap within our dataset. This could suggest that the attackers are being provided with similar tasking by a controlling entity, or that they work in concert somehow.”

Activists implicated in Bhima Koregaon case targeted using malware and spyware

Since the discovery that Rona Wilson’s phone had been infected with the Pegasus spyware, recently revealed to have been purchased by the Government of India as part of a 2-billion-dollar defence deal with Israel in 2017, there have been significant developments in the case.

Earlier this week, the National Investigation Agency (NIA) sought the special court’s permission to hand over the devices of seven activists including Wilson to a special Committee constituted by the Indian Supreme Court to probe allegations related to the Pegasus scandal. The seven activists whose phones the NIA wants examined are: Anand Teltumbde, Hany Babu, Rona Wilson, Shoma Sen, Sudha Bharadwaj and Vernon Gonsalves. Of these, only Bharadwaj is out on bail. Together these seven people have 26 devices that were seized, first by the Pune Police and then by the NIA.

An electronic copy of Rona Wilson’s laptop was first examined by US-based digital forensics firm Arsenal. In February 2021 it was revealed that an attacker used malware to infiltrate the laptop and place incriminating evidence on it. According to Arsenal’s report, “Rona Wilson’s computer was compromised for just over 22 months.” They also found, “The attacker responsible for compromising Mr. Wilson’s computer had extensive resources (including time) and it is obvious that their primary goals were surveillance and incriminating document delivery.”

Then in December 2021 it came to light that an analysis by Amnesty International’s Security Lab had found that two backups of an iPhone 6 belonging to Wilson carried “digital traces showing infection by the Pegasus surveillance tool”, a tool that, by its maker’s own admission, is licensed only to vetted governments. The phone backups were shared with the Amnesty team by Arsenal.

Finally, a New York Times exposé shed light on how the Government of India had purchased the Pegasus software as part of a package included in a $2 billion defence deal with Israel in 2017, thus bringing the entire controversy full circle.


