For the past decade, unidentified miscreants have been planting incriminating evidence on the devices of human-rights advocates, lawyers, and academics in India to get them arrested.

That’s according to SentinelOne, which has named the crew ModifiedElephant and described the group’s techniques and targets since 2012 in a report published on Wednesday.

“The objective of ModifiedElephant is long-term surveillance that at times concludes with the delivery of ‘evidence’ – files that incriminate the target in specific crimes – prior to conveniently coordinated arrests,” said Tom Hegel, threat researcher at SentinelOne, in a blog post.

Hegel said the group has operated for years without attracting the attention of the cybersecurity community because of its limited scope of operations, its regionally-specific targeting, and its relatively unsophisticated tools.

ModifiedElephant prefers phishing with malicious Microsoft Office attachments to attack targets, and infect them with Windows malware.

In 2013, its messages relied on executable file attachments with deceptive double extensions in the file name (eg filename.pdf.exe). After 2015, the group used .doc, .pps, .docx, .rar, and password protected .rar files. In 2019, its attack vector involved links to hosted malicious files, and the group is also said to have employed large .rar archives to avoid detection.

The gang was also observed throwing Android malware at victims.

“There’s something to be said about how mundane the mechanisms of this operation are,” said Juan Andrés Guerrero-Saade, threat researcher at SentinelOne and adjunct professor at Johns Hopkins SAIS, via Twitter. “The malware is either custom garbage or commodity garbage. There’s nothing technically impressive about this threat actor, instead we marvel at their audacity.”

Activist Rona Wilson is said to have been one of those targeted by ModifiedElephant. Wilson was arrested in 2018 with eight others in the Bhima Koregaon case, a violent clash between Hindu nationalists and Dalits. A year ago, Arsenal Consulting, a US-based digital forensics firm, reported that the evidence against Wilson had been planted.

“Arsenal’s analysis in this case has revealed that Rona Wilson’s computer was compromised for just over 22 months,” Arsenal Consulting said in its February 8, 2021 report. “The attacker responsible for compromising Mr. Wilson’s computer had extensive resources (including time) and it is obvious that their primary goals were surveillance and incriminating document delivery.”

“Arsenal has connected the same attacker to a significant malware infrastructure which has been deployed over the course of approximately four years to not only attack and compromise Mr Wilson’s computer for 22 months, but to attack his co-defendants in the Bhima Koregaon case and defendants in other high-profile Indian cases as well.”

One of the more serious pieces of evidence in this case – Ltr_1804_to_cc.pdf, which includes details of a purported assassination plot against Indian Prime Minister Narendra Modi, is said to have been placed on Wilson’s computer via a NetWire RAT remote session.

Wilson’s phone was also found to have NSO Group’s Pegasus spyware on it. He remains in jail, awaiting trial with others arrested at the time. He has been charged under India’s Unlawful Activities (Prevention) Act (UAPA), an anti-terror law that Amnesty International says, “violates several international human rights standards and circumvents fair trial guarantees.”

SentinelOne does not explicitly state that ModifiedElephant acts on behalf of the Indian government but notes how the group’s activities are consistent with the government’s interests.

“We observe that ModifiedElephant activity aligns sharply with Indian state interests and that there is an observable correlation between ModifiedElephant attacks and the arrests of individuals in controversial, politically-charged cases,” wrote Hegel.

According to the report, ModifiedElephant’s web infrastructure overlaps with Operation Hangover, a surveillance effort dating back to 2013 against targets of interest to Indian national security. The security firm also said that Wilson had been targeted by a second threat group, known as SideWinder [PDF], which has attacked government, military, and private sector organizations across Asia.

Hegel observes that SentinelOne last year reported on a threat actor operating in and around Turkey, dubbed EGoManiac, that planted incriminating evidence on the devices of journalists to support arrests made by the Turkish National Police.

“Ultimately, this is research with real human cost,” said Guerrero-Saade. “Defendants remain in prison, with one having passed away recently. And there are more that haven’t been identified. We can only hope this brings further attention and collaboration to curb this behavior.” ®