For at least a decade, a shadowy hacker group has been targeting people throughout India, sometimes using its digital powers to plant fabricated evidence of criminal activity on their devices. That phony evidence has, in turn, often provided a pretext for the victims’ arrest.
A report published this week by cybersecurity firm SentinelOne reveals additional details about the group, illuminating the way in which its digital dirty tricks have been used to surveil and target “human rights activists, human rights defenders, academics, and lawyers” throughout India.
The group, which researchers have dubbed “ModifiedElephant,” is largely preoccupied with spying, but sometimes it intervenes to apparently frame its targets for crimes. Researchers write:
The objective of ModifiedElephant is long-term surveillance that at times concludes with the delivery of ‘evidence’—files that incriminate the target in specific crimes—prior to conveniently coordinated arrests.
The most prominent case involving Elephant centers around Maoist activist Rona Wilson and a group of his associates who, in 2018, were arrested by Indian security services and accused of plotting to overthrow the government. Evidence for the supposed plot—including a Word document detailing plans to assassinate the nation’s prime minister, Narendra Modi—was found on Wilson’s laptop. However, later forensic analysis of the device showed that the documents were actually fake and had been planted using malware. According to SentinelOne researchers, it was Elephant that put them there.
This case, which gained greater exposure after being covered by the Washington Post, was blown open after the aforementioned laptop was analyzed by a digital forensics firm, Boston-based Arsenal Consulting. Arsenal ultimately concluded that Wilson and all of his so-called co-conspirators, as well as many other activists, had been targeted with digital manipulation. In a report, the company explained how extensive the intrusion was:
Arsenal has connected the same attacker to a significant malware infrastructure which has been deployed over the course of approximately four years to…