
Hackers Plant Fake Digital Evidence in Campaign Targeting Human Rights Activists

Recently, an unknown group of hackers has targeted human rights activists, lawyers, and journalists across India by planting fabricated digital evidence on their devices. One of the targets was the outspoken Indian human rights activist and government critic, Rona Wilson.

The list of victims includes a well-known academic, a labor lawyer, two singers, a Jesuit priest, and a leftist poet. Each victim works to advocate for the rights of impoverished communities within India and vocalizes criticism against the ruling party. Many of them have suffered persecution and incarceration for nearly three years while they await trial hearings.

Needless to say, we are living in a world where state-backed threat actors or politically motivated hacking groups operating independently can wage war against members of society. I’m not talking about the common variety of cyberattacks we see, where gaining illicit money is the goal, but something far more malicious.

Everybody knows that prominent journalists and outspoken activists are oftentimes prime targets of hostile state powers. After all, if people begin to think or behave a certain way, then an element of damage control has to be enacted in order to keep certain opponents from rising, to minimize the influence of their ideologies, ideas, and so forth.

While historic instances of the above could fill a dissertation, these kinds of activities aren’t exclusive to hostile states. They can be executed just as well by hacktivists who oppose a political party and the individuals who hold a popular political view or ideology counter to their own.

Tracking Threats

According to a report published by the US cybersecurity firm SentinelOne, researchers have identified a group that they believe fits the modus operandi of an Advanced Persistent Threat (APT) and that has persistently targeted specific individuals in India. The researchers investigating the group have designated it “ModifiedElephant.”

It is important to note that the malware used by ModifiedElephant doesn’t match the level of sophistication of the Pegasus spyware used by the Israeli tech firm NSO Group.

This does not diminish the resourcefulness of the group. The report reveals that ModifiedElephant has been in operation since “at least 2012” and is able to weaponize off-the-shelf remote access trojans (RATs).

This allows the group to insert fabricated evidence directly on the phones and devices owned by their victims. The report mentioned that it is possible that the APT group has ties to the commercial surveillance industry. According to researchers in the report:

“We observe that ModifiedElephant activity aligns sharply with Indian state interests and that there is an observable correlation between ModifiedElephant attacks and the arrests of individuals in controversial, politically-charged cases.”

In the case of Wilson, the researchers mentioned that he was the target of two specific cyberattacks. One of the attacks can be directly linked to voluminously documented cyber-espionage campaigns focused on military targets situated in China and Pakistan.

Analyzing the Malware

According to the report, researchers describe the malware used by ModifiedElephant as “unsophisticated and downright mundane.” Regardless of the tools they use, the consequences aren’t any less severe. With tools that can be easily obtained, they are able to gain remote access and maintain absolute control of the infected devices.

The malware families being used in their campaigns are known as NetWire and DarkComet, both of which are remote access trojans that anyone can download. Consequently, they have maintained a presence for a long time due to abuse by threat actors, regardless of skill sets.

NetWire, for example, is cross-compatible with Windows, Linux, and macOS. It’s been popularly used in large-scale phishing attacks and comes with password-stealing and keylogging functionality. It can be distributed as a final payload using Microsoft Word documents.

In this case, the threat actors managed to install the malware through social engineering and phishing attacks tailored to their targets, using themes believed to draw them into interacting with the lure. The malicious files were used to keep delivering malware that changed over the years in order to remain undetected on the victims’ devices. Researchers at SentinelOne said:

"This actor has operated for years, evading research attention and detection due to their limited scope of operations, the mundane nature of their tools, and their regionally-specific targeting."

The Case of Activist Rona Wilson

Rona Wilson has been in the cross-hairs of hackers as far back as 2013, according to a report published last year. On June 6, 2018, India was rocked by the news that Wilson had been arrested on terrorism charges.

However, researchers at Arsenal Consulting, a Massachusetts digital forensics firm, discovered proof of foul play after examining an electronic copy of the laptop’s contents, and found NetWire malware behind the planting of fabricated evidence on the device.

Over 30 documents were uncovered, containing fictitious incriminating ties to terrorism. Wilson has been imprisoned for nearly four years for his believed connection to the Elgaar Parishad case.

According to a prior analysis by Arsenal, the firm uncovered that ten letters had been deliberately uploaded onto Wilson's laptop, one of which included discussions on an alleged assassination plot against Narendra Modi, a former prime minister. Additionally, Arsenal found 22 other documents that were also uploaded by the unknown threat actor to Wilson's laptop.

Further analysis showed that two backups of an iPhone that belonged to Wilson contained evidence of infection by Pegasus, which means Wilson's iPhone was targeted and broken into by threat actors prior to his arrest by the Pune Police in 2018. Therefore, Pegasus was used for the intrusion. NetWire RAT was used to spy and drop incriminating evidence on his iPhone.

An article by Jesse McGraw

Edited by Anne Caminer
