According to researchers at SentinelOne, threat groups whose goal is to plant fake evidence, later used to arrest journalists and opposition leaders, are wildly underreported. This calls into question how digital evidence is handled, tracked, and verified. Although SentinelOne had previously identified a group in Turkey (tracked as EGoManiac) performing this type of operation, they found another instance that they were able to dig into.
In this case the incident was related to political unrest in India. Here they found that some of the evidence of terrorism used in the case was planted as part of a system intrusion by an unknown group. The investigation led to the discovery of a campaign that has been in operation for at least 10 years. The malicious activity has evaded detection and research because of the group's techniques, the tools in use, and its limited scope. This does not mean that the impact of its operations is limited.
The group, tracked as ModifiedElephant, tends to use phishing emails to target “Activists, human rights defenders, journalists, academics, and law professionals in India”. The phishing emails are typically about topics that align with the target’s interests. The messages either contained a poisoned attachment or embedded links to files hosted externally. The group was very persistent in its attempts to compromise its targets, often targeting the same individual multiple times in a day. It went to great lengths to make its phishing emails look legitimate, including putting relevant content in the body and creating a forwarding history.
Unlike financially motivated threat groups, ModifiedElephant was observed using more common and mundane malware in its campaigns. Tools such as the NetWire and DarkComet Remote Access Trojans were commonly used both for monitoring and tracking and to plant the falsified evidence on target systems. Other tools used include simple keyloggers and an unidentified Android Trojan that may have been borrowed by ModifiedElephant, as the capabilities found in it seem to indicate it was designed for other activities.
The identification and tracking of groups like this (ones focused on planting evidence to support arrest and imprisonment) is an important task for security research groups. It shows the lengths a government can go to when it is looking to remove opposing voices, or persons it feels are threats to its power. It also shows that more effort needs to go into confirming the validity of digital evidence before, during, and after investigations. Simply taking items identified on a device as legitimate is not the right direction, especially as more and more people put their trust in large corporate services like Microsoft’s OneDrive, Google Drive, Apple’s iCloud, Box, Dropbox, and many others. All these services can be compromised and files planted in them, just as files and other evidence can be planted on laptops, desktops, and phones. It is more than a bit frightening to imagine this type of attack being used against you, perhaps simply because your views challenge the predominant views in a ruling body.
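One concrete way to make "tracked and verified" mean something for a collected evidence set is a keyed hash manifest: record every file's SHA-256 at collection time, MAC the manifest with a key that never sits on the examined machine, and re-verify before the evidence is relied on, so that a file added or altered after collection (or a manifest edited to cover it) stands out. The following is an added example written for this page, not code from SentinelOne or from the article; it assumes the evidence set is an ordinary directory tree and that the HMAC key is held off-system by the custodian. All file contents and the key are constructed sample values.

```python
"""Keyed hash manifest for an evidence directory (added illustrative example)."""
import hashlib
import hmac
import json
import tempfile
import time
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large images do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path) -> dict:
    """Map each file under root (relative POSIX path) to its SHA-256 and size."""
    out = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            out[p.relative_to(root).as_posix()] = {
                "sha256": sha256_file(p),
                "size": p.stat().st_size,
            }
    return out


def build_manifest(root: Path, key: bytes) -> dict:
    """Record the collection-time state and MAC it so later edits to the
    manifest itself (not just to the files) are detectable."""
    body = json.dumps({"collected_at": int(time.time()), "files": snapshot(root)}, sort_keys=True)
    tag = hmac.new(key, body.encode(), "sha256").hexdigest()
    return {"body": body, "hmac": tag}


def verify_manifest(root: Path, manifest: dict, key: bytes) -> dict:
    """Check the manifest MAC first, then diff the current tree against it."""
    expected = hmac.new(key, manifest["body"].encode(), "sha256").hexdigest()
    if not hmac.compare_digest(expected, manifest["hmac"]):
        # A manifest that fails its MAC cannot be trusted for any file list.
        return {"manifest_ok": False, "added": [], "missing": [], "modified": []}
    recorded = json.loads(manifest["body"])["files"]
    current = snapshot(root)
    return {
        "manifest_ok": True,
        "added": sorted(set(current) - set(recorded)),
        "missing": sorted(set(recorded) - set(current)),
        "modified": sorted(
            f for f in recorded
            if f in current and current[f]["sha256"] != recorded[f]["sha256"]
        ),
    }


def demo() -> dict:
    """Constructed scenario in a temp directory; returns the three verification results."""
    key = b"constructed-demo-key-in-practice-kept-off-the-examined-host"
    with tempfile.TemporaryDirectory() as tmp:
        case = Path(tmp) / "case"
        (case / "docs").mkdir(parents=True)
        (case / "docs" / "notes.txt").write_text("constructed sample: meeting notes\n")
        (case / "photo.jpg").write_bytes(b"\xff\xd8\xff\xe0constructed-not-a-real-jpeg")
        manifest = build_manifest(case, key)
        clean = verify_manifest(case, manifest, key)
        # Simulate post-collection tampering: a new file appears and an existing one changes.
        (case / "docs" / "plan.pdf").write_bytes(b"%PDF-1.4 constructed file added later")
        (case / "docs" / "notes.txt").write_text("constructed sample: edited after collection\n")
        tampered = verify_manifest(case, manifest, key)
        # Simulate editing the manifest to match the new state: the MAC no longer verifies.
        forged = {
            "body": manifest["body"].replace('"collected_at"', '"collected_at_"'),
            "hmac": manifest["hmac"],
        }
        forged_result = verify_manifest(case, forged, key)
    return {"clean": clean, "tampered": tampered, "forged": forged_result}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The manifest deliberately records content hashes rather than filesystem timestamps, because timestamps are trivially settable on the device and are exactly what a planted file would be given to look old; the hash plus the off-system key is what ties the file list to the moment of collection.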