Posts Tagged ‘malware’

“Advanced persistent threat” group targeted Indian human rights defenders for decade

February 14, 2022
(“National Flag of India” by Sanyam Bahga is licensed under CC BY-SA 2.0)

Two years ago it was reported that an Indian “hack-for-hire group” had targeted journalists and human rights defenders [see:]. On 11 February 2022, Steve Zurier in SC Magazine reported that researchers had discovered an advanced persistent threat group that targeted Indian dissidents and remained undetected for a decade or more: it started with simple phishing lures some 10 years ago and later graduated to sending links to files hosted externally in the cloud for manual download and execution by the victims.

In a blog post, SentinelLabs researchers reported on ModifiedElephant, which has been operating since at least 2012. The researchers said the threat group operates through the use of commercially available remote access trojans and has ties to the commercial surveillance industry.

The threat actor uses spearphishing with malicious documents to deliver malware such as NetWire, DarkComet, and simple keyloggers with infrastructure overlaps that helped the researchers connect the dots to previously unattributed malicious activity.

ModifiedElephant’s activities have been traced to long-standing political tensions in India, which exploded on Jan. 1, 2018, when critics of the government clashed with pro-government supporters near Bhima Koregaon. Later in 2018, raids conducted by police led to several arrests and the seizure of computer systems, which revealed incriminating files that pointed to an alleged plot against Indian Prime Minister Narendra Modi.

Thanks to the public release of digital forensic investigation results by Arsenal Consulting and those detailed in the SentinelLabs blog, the researchers allege that ModifiedElephant compromised the computers that were later seized, planting files that were used as evidence to justify the imprisonment of the defendants. Over a decade or more, the group targeted human rights activists, human rights defenders, academics, and lawyers across India with the objective of planting incriminating digital evidence — and they are still operating today.

The case has become part of a larger trend of private and commercial companies copying government and nation-state methodologies, persistently seeking to penetrate politically involved individuals, said Gadi Naveh, cyber data scientist at Canonic. Naveh said that although most of the tools described aren’t top grade, continuous fueling of the attack eventually gets the target, and larger funding gets even better tools, as was implied by Amnesty International.

“We assume these tools and methods that move from nation-states to commercial organizations will keep answering the demand and available funds for getting data,” Naveh said. “The move of data to the cloud makes the top-tier actor act there, but as with RATs and keyloggers, we are seeing the same military-grade tools moving after the new data sources in the cloud.”

Daniel Almendros, cyber threat intelligence analyst at Digital Shadows, added that he and his team view ModifiedElephant as a fascinating, albeit dangerous, actor. Almendros said ModifiedElephant has a wide range of tools in its arsenal that it uses to target a large number of victims. They use a blend of off-the-shelf tools (NetWire and DarkComet RATs), paired with spearphishing emails related to the sensitive 2018 Bhima Koregaon affair.

“The phishing lures have improved in subtlety as well as boldness, they have shifted from fake double extension file names to commonly used Office filenames,” Almendros said. “In one instance, an assassination attempt story was added to provoke the user to click on the phishing lure. These emails were distributed to many different users. The group likely has a connection with Indian state espionage. Because most APT attention stems from China and Russia-based threats, ModifiedElephant was initially overlooked for years. In addition, the group’s specific targeting and use of commodity malware helped the group evade detection for a prolonged period.”

US Court says Facebook can pursue lawsuit against NSO Group

November 10, 2021

On 8 November 2021 media (here Reuters) reported that a U.S. appeals court said Facebook can pursue a lawsuit accusing Israel’s NSO Group of exploiting a bug in its WhatsApp messaging app to install malware allowing the surveillance of 1,400 people, including journalists, human rights activists and dissidents. In a 3-0 decision on Monday, the 9th U.S. Circuit Court of Appeals in San Francisco rejected privately owned NSO’s claim it was immune from being sued because it had acted as a foreign government agent. See also:

Facebook, now known as Meta Platforms Inc, sued NSO for an injunction and damages in October 2019, accusing it of accessing WhatsApp servers without permission six months earlier to install its Pegasus malware on victims’ mobile devices. NSO has argued that Pegasus helps law enforcement and intelligence agencies fight crime and protect national security.

It was appealing a trial judge’s July 2020 refusal to award it “conduct-based immunity,” a common law doctrine protecting foreign officials acting in their official capacity. Upholding that ruling, Circuit Judge Danielle Forrest said it was an “easy case” because NSO’s mere licensing of Pegasus and offering technical support did not shield it from liability under federal law, which took precedence over common law.

“Whatever NSO’s government customers do with its technology and services does not render NSO an ‘agency or instrumentality of a foreign state,’” Forrest wrote. “Thus, NSO is not entitled to the protection of foreign sovereign immunity.”

The case will return to U.S. District Judge Phyllis Hamilton in Oakland, California.

Asked for comment on the decision, NSO said in an email that its technology helps defend the public against serious crime and terrorism, and that it “stands undeterred in its mission.”

WhatsApp spokesman Joshua Breckman in an email called the decision “an important step in holding NSO accountable for its attacks against journalists, human rights defenders and government leaders.”

Facebook’s case drew support from Microsoft Corp (MSFT.O), Alphabet Inc’s (GOOGL.O) Google and Cisco Systems Corp (CSCO.O), which in a court filing called surveillance technology such as Pegasus “powerful, and dangerous.”

On Nov. 3, the U.S. government blacklisted NSO and Israel’s Candiru for allegedly providing spyware to governments that used it to “maliciously target” journalists, activists and others. See also:

NSO accused of largest attack on civil society through its spyware

October 30, 2019

I blogged about the spyware firm NSO before [see e.g.], but now WhatsApp has joined the critics with a lawsuit.

On May 13th, WhatsApp announced that it had discovered the vulnerability. In a statement, the company said that the spyware appeared to be the work of a commercial entity, but it did not identify the perpetrator by name. WhatsApp patched the vulnerability and, as part of its investigation, identified more than fourteen hundred phone numbers that the malware had targeted. In most cases, WhatsApp had no idea whom the numbers belonged to, because of the company’s privacy and data-retention rules. So WhatsApp gave the list of phone numbers to the Citizen Lab, a research laboratory at the University of Toronto’s Munk School of Global Affairs, where a team of cyber experts tried to determine whether any of the numbers belonged to civil-society members.

On Tuesday 29 October 2019, WhatsApp took the extraordinary step of announcing that it had traced the malware back to NSO Group, a spyware-maker based in Israel, and filed a lawsuit against the company—and also its parent, Q Cyber Technologies—in a Northern California court, accusing it of “unlawful access and use” of WhatsApp computers. According to the lawsuit, NSO Group developed the malware in order to access messages and other communications after they were decrypted on targeted devices, allowing intruders to bypass WhatsApp’s encryption.

NSO Group said in a statement in response to the lawsuit, “In the strongest possible terms, we dispute today’s allegations and will vigorously fight them. The sole purpose of NSO is to provide technology to licensed government intelligence and law enforcement agencies to help them fight terrorism and serious crime. Our technology is not designed or licensed for use against human rights activists and journalists.” In September, NSO Group announced the appointment of new, high-profile advisers, including Tom Ridge, the first U.S. Secretary of Homeland Security, in an effort to improve its global image.

In a statement to its users on Tuesday, WhatsApp said, “There must be strong legal oversight of cyber weapons like the one used in this attack to ensure they are not used to violate individual rights and freedoms people deserve wherever they are in the world. Human rights groups have documented a disturbing trend that such tools have been used to attack journalists and human rights defenders.”

John Scott-Railton, a senior researcher at the Citizen Lab, said, “It is the largest attack on civil society that we know of using this kind of vulnerability.”