More skeletons are tumbling out of a closet in the matter pertaining to the allegations of malware and spyware planted on electronic devices used by activists implicated in the Bhima Koregaon case. Now, Sentinel Labs, another US-based cybersecurity firm (after Arsenal) has discovered more evidence of Rona Wilson’s devices being targeted.
According to Sentinel Labs, there are two separate sets of hackers who targeted Wilson’s devices. They were employed, possibly by the same entity that has “interests aligned with the Indian State”.
The curious case of the ModifiedElephant
One of the groups of hackers who targeted Wilson’s devices is an entity Sentinel Labs calls ModifiedElephant. A report by Sentinel Labs says, “ModifiedElephant is responsible for targeted attacks on human rights activists, human rights defenders, academics, and lawyers across India with the objective of planting incriminating digital evidence.” They also found that “ModifiedElephant has been operating since at least 2012, and has repeatedly targeted specific individuals,” and that “ModifiedElephant operates through the use of commercially available remote access trojans (RATs) and has potential ties to the commercial surveillance industry.”
As far as the entity’s modus operandi goes, Sentinel Labs found that “The threat actor uses spearphishing with malicious documents to deliver malware, such as NetWire, DarkComet, and simple keyloggers with infrastructure overlaps that allow us to connect long periods of previously unattributed malicious activity.” The report further says, “This actor has operated for years, evading research attention and detection due to their limited scope of operations, the mundane nature of their tools, and their regionally-specific targeting,” adding on a chilling note, “ModifiedElephant is still active at the time of writing.”
The report further explained, “Their primary delivery mechanism is malicious Microsoft Office document files weaponized to deliver the malware of choice at the time,” adding, “The spearphishing emails and lure attachments are titled and generally themed around topics relevant to the target, such as activism news and groups, global and local events on climate change, politics, and public service.”
Who is ModifiedElephant targeting and why?
According to Sentinel Labs, “The objective of ModifiedElephant is long-term surveillance that at times concludes with the delivery of ‘evidence’—files that incriminate the target in specific crimes—prior to conveniently coordinated arrests.” The report further says, “After careful review of the attackers’ campaigns over the last decade, we have identified hundreds of groups and individuals targeted by ModifiedElephant phishing campaigns. Activists, human rights defenders, journalists, academics, and law professionals in India are those most highly targeted. Notable targets include individuals associated with the Bhima Koregaon case.”
The report goes on to say, “We observe that ModifiedElephant activity aligns sharply with Indian state interests and that there is an observable correlation between ModifiedElephant attacks and the arrests of individuals in controversial, politically-charged cases.”
Other threat actors: What is SideWinder?
The second entity that popped up alongside Modified Elephant during Sentinel Lab’s investigation is SideWinder. According to Sentinel Labs, “Between February 2013 and January 2014 one target, Rona Wilson, received phishing emails that can be attributed to the SideWinder threat actor. The relationship between ModifiedElephant and SideWinder is unclear as only the timing and targets of their phishing emails overlap within our dataset. This could suggest that the attackers are being provided with similar tasking by a controlling entity, or that they work in concert somehow.”
Activists implicated in Bhima Koregaon case targeted using malware and spyware
After it was discovered that Rona Wilson’s phone had been infected with the Pegasus spyware that was recently revealed to have been purchased by the Government of India as part of a 2-billion-dollar defence deal with Israel in 2017, there have been significant developments in the case.
Earlier this week, the National Investigation Agency (NIA) sought the special court’s permission to hand over the devices of seven activists including Wilson to a special Committee constituted by the Indian Supreme Court to probe allegations related to the Pegasus scandal. The seven activists whose phones the NIA wants examined are: Anand Teltumbde, Hany Babu, Rona Wilson, Shoma Sen, Sudha Bharadwaj and Vernon Gonsalves. Of these, only Bharadwaj is out on bail. Together these seven people have 26 devices that were seized, first by the Pune Police and then by the NIA.
An electronic copy of Rona Wilson’s laptop was first examined by US-based digital forensics firm Arsenal. In February 2021 it was revealed that an attacker used malware to infiltrate the laptop and place incriminating evidence on it. According to Arsenal’s report, “Rona Wilson’s computer was compromised for just over 22 months.” They also found, “The attacker responsible for compromising Mr. Wilson’s computer had extensive resources (including time) and it is obvious that their primary goals were surveillance and incriminating document delivery.”
Then in December 2021 it came to light that an analysis by the Amnesty International’s Security Lab revealed that two backups of an iPhone 6 belonging to Wilson had “digital traces showing infection by the Pegasus surveillance tool”, something that by Pegasus’s own admission was licenced only to vetted governments. The phone backups were shared with the Amnesty team by Arsenal.
Finally, a New York Times expose shed light on how the Government of India had purchased the Pegasus software as part of a package included in a $2 billion defence deal with Israel in 2017, thus bringing the entire controversy full circle.
Related:
Bhima Koregaon: NIA seeks permission to hand over phones of 7 accused to Pegasus Committee
Pegasus scandal: Did GoI engage in an elaborate cover-up?
Pegasus scandal: SC stays Justice Lokur Commission probe
Defence Ministry has had no transaction with Pegasus developer NSO Group: Centre in RS
Centre refuses to disclose use of Pegasus in affidavit, pleads national security
Pegasus Project: 5 targeted journalists move SC, say have been subject to intrusive hacking
Pegasus Snoopgate: RS MP, Journalists move SC for court monitored probe