A recently identified threat actor has been associated with targeted cyber operations against human rights activists, academics, and lawyers in India. The activity appears aimed at planting fabricated digital evidence on the victims' machines.

The cybersecurity firm SentinelOne attributes these attacks to a group it tracks as “ModifiedElephant.” The threat actor has been active since at least 2012, and its targeting aligns closely with the interests of the Indian state.

According to SentinelOne’s findings, ModifiedElephant relies on commodity, off-the-shelf remote access trojans (RATs) and may have ties to the commercial surveillance industry. Its operations typically open with spear-phishing emails that deliver malware through malicious documents, with well-known RAT families such as NetWire and DarkComet as the payloads. In MITRE ATT&CK terms, this is Spearphishing Attachment (T1566.001) and Spearphishing Link (T1566.002) for initial access, followed by User Execution: Malicious File (T1204.002) when the target opens the document.

ModifiedElephant’s objective is long-term surveillance of selected individuals. Because a RAT gives the operator full read and write access to the compromised system, the same foothold can be used to place files on the victim’s disk, which is how fabricated evidence can end up on a device, potentially leading to false accusations and the incarceration of targeted activists.

Notable victims include individuals linked to the controversial 2018 Bhima Koregaon violence in Maharashtra, according to SentinelOne researchers Tom Hegel and Juan Andres Guerrero-Saade. The attack patterns show a relentless effort to infect targets, sometimes several times within a single day, via phishing emails themed around activism, climate issues, and political matters. The emails carry malware-laden Microsoft Office attachments or links to malicious files hosted externally.

The researchers noted that the phishing emails use several tricks to appear credible, including a fabricated prior email thread with lists of recipients and simulated replies from plausible but fake accounts. The goal is to make a cold message look like an ongoing conversation the target is already part of, which raises the odds that the attachment or link is opened; in MITRE ATT&CK terms this is still phishing for initial access, just with more convincing pretexting.
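To make the tactics in the two paragraphs above concrete for a defender, here is a small mailbox triage script. It is an added example written for this page, not SentinelOne’s tooling and not code from the ModifiedElephant report. It parses a constructed .eml message, lists Office attachments (flagging macro-enabled extensions), extracts URLs from the body, and applies one cheap heuristic for a fabricated thread: a subject that begins with Re: or Fwd: while the message carries no In-Reply-To or References header. That heuristic, the scoring weights, and every sender, recipient, file name and URL below are assumptions made for the example, not indicators published in the report.

```python
"""Spear-phishing triage heuristics for .eml messages.

Added example for this page; not SentinelOne code and not from the
ModifiedElephant report. SAMPLE_EML, its addresses, file name and URL are
constructed. The fake-thread heuristic and the score weights are assumptions.
"""
import re
from email import message_from_string, policy

OFFICE_EXTENSIONS = {".doc", ".docx", ".docm", ".rtf", ".xls", ".xlsx",
                     ".xlsm", ".ppt", ".pptx", ".pptm"}
MACRO_EXTENSIONS = {".docm", ".xlsm", ".pptm"}
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
REPLY_RE = re.compile(r"\s*(re|fwd?)\s*:", re.IGNORECASE)

# Constructed sample: a fake "reply" carrying a macro-enabled Word document
# and a link, with a quoted earlier message to simulate an existing thread.
SAMPLE_EML = """\
From: "Coordinator" <coordinator@example.invalid>
To: activist@example.invalid
Subject: Re: Re: Statement on the climate march
Date: Mon, 1 Jan 2018 10:00:00 +0530
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUND"

--BOUND
Content-Type: text/plain; charset="utf-8"

Please see the attached draft and sign at http://files.example.invalid/statement

> On Sun, 31 Dec 2017 someone <other@example.invalid> wrote:
> Agreed, sending the list of signatories shortly.
--BOUND
Content-Type: application/vnd.ms-word.document.macroEnabled.12; name="statement.docm"
Content-Disposition: attachment; filename="statement.docm"
Content-Transfer-Encoding: base64

UEsDBBQAAAAIAA==
--BOUND--
"""


def triage(raw_message):
    """Return a dict of findings and a simple suspicion score for one message."""
    msg = message_from_string(raw_message, policy=policy.default)
    findings = {"office_attachments": [], "macro_enabled": [], "urls": [],
                "fake_thread": False, "score": 0}

    for part in msg.walk():
        filename = part.get_filename()
        if filename:
            lower = filename.lower()
            if any(lower.endswith(ext) for ext in OFFICE_EXTENSIONS):
                findings["office_attachments"].append(filename)
            if any(lower.endswith(ext) for ext in MACRO_EXTENSIONS):
                findings["macro_enabled"].append(filename)
        if part.get_content_type() == "text/plain":
            findings["urls"].extend(URL_RE.findall(part.get_content()))

    # Heuristic (assumption): a reply-looking subject without threading
    # headers suggests the "prior conversation" was pasted in, not real.
    subject = str(msg.get("Subject", ""))
    looks_like_reply = bool(REPLY_RE.match(subject))
    has_thread_headers = bool(msg.get("In-Reply-To") or msg.get("References"))
    findings["fake_thread"] = looks_like_reply and not has_thread_headers

    # Weights are arbitrary; tune them to your own mail stream.
    findings["score"] = (2 * len(findings["office_attachments"])
                         + (1 if findings["urls"] else 0)
                         + (2 if findings["fake_thread"] else 0))
    return findings


def verdict(raw_message, threshold=3):
    """'suspicious' when the score reaches the threshold, else 'ok'."""
    return "suspicious" if triage(raw_message)["score"] >= threshold else "ok"


if __name__ == "__main__":
    for key, value in triage(SAMPLE_EML).items():
        print(f"{key}: {value}")
    print("verdict:", verdict(SAMPLE_EML))
```

On the constructed sample the script reports one Office attachment (macro-enabled), one URL, and a fake-thread hit, which is enough to mark it suspicious. In practice, run it over a mailbox export and feed the flagged messages to sandboxing or to a human reviewer; the heuristic will also fire on legitimate mail from clients that strip threading headers, so treat it as a triage signal rather than a verdict on its own.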

In addition to the Windows RATs above, the group has used a commodity Android trojan that lets the operator intercept and manage call data and SMS messages, carry out other remote administration tasks, and even wipe the device. SentinelOne describes the tool as a highly effective low-cost mobile surveillance system.

ModifiedElephant has stayed largely undetected over the years thanks to its narrow targeting, the unremarkable commodity tools it uses, and its regional focus. The implications extend beyond the immediate intrusion risk, raising concerns about state-aligned surveillance and the use of planted evidence in human rights abuses.
