According to one of its researchers, Tom Hegel, writing on the company blog, the group's objective
“is long-term surveillance that sometimes ends with the release of ‘evidence’ (files that incriminate the target of certain crimes) just before properly coordinated arrests are made.”
The company has named the group ‘ModifiedElephant’ and attributes to it “a decade of persistent malicious activity”, directed not indiscriminately or at scale but against specific individuals.
ModifiedElephant has apparently been able to operate for years without attracting the attention of the cybersecurity community, due to the limited scope of its operations, its purely regional focus, and its use of “relatively unsophisticated” tools.
The keylogging tool used was a small piece of software written in Visual Basic in 2012 and available on several online ‘warez’ forums.
Another SentinelOne researcher, Juan Andrés Guerrero-Saade (Threat Researcher at SentinelOne and Adjunct Professor at Johns Hopkins University), states on Twitter that if one thing stands out about ModifiedElephant’s operations it is
“how mundane the mechanics of this operation are. […] There’s nothing technically impressive about this threat actor, but we’re still amazed at his audacity.”
They weren’t super hackers, but they have been implicated in highly controversial legal proceedings
Those tools were delivered with phishing techniques used to sneak Trojans (such as NetWire and DarkComet) onto the victims’ systems via email. They started by attaching misleading files to their emails (files with a double extension, such as filename.pdf.exe), but then, around 2015, they moved to RAR files and Office documents (ppt, doc, docx) carrying malicious macros.
From 2020 there is a change in strategy: spreading the malware through **large compressed files** (around 300 MB) to evade the anti-malware scans of cloud platforms.
Once their targets were infected, ModifiedElephant members could open and use remote access to their systems, or monitor them using keyloggers (programs that stay resident in memory and record keystrokes).
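As an added example (not code from the SentinelOne report or this article), here is a small mail-gateway triage check in Python, run over constructed attachment records, that flags the two lure patterns just described: double-extension executables such as filename.pdf.exe, and oversized archives that may exceed a cloud scanner's size limit. The extension lists and the 200 MB threshold are assumptions chosen for the example.

```python
# Constructed attachment metadata records, modelled on the lures described above.
SAMPLE_ATTACHMENTS = [
    {"name": "invitation.pdf.exe", "size": 412_000},
    {"name": "agenda.docx", "size": 88_000},
    {"name": "evidence_archive.rar", "size": 315_000_000},
    {"name": "report.pdf", "size": 1_200_000},
    {"name": "photo.jpg.scr", "size": 240_000},
]

# Assumed extension lists; tune them to the gateway's own policy.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs"}
DOCUMENT_EXTS = {"pdf", "doc", "docx", "ppt", "pptx", "xls", "xlsx", "jpg", "png"}
ARCHIVE_EXTS = {"rar", "zip", "7z"}
# Assumed threshold above which an archive may be skipped by cloud scanning.
LARGE_ARCHIVE_BYTES = 200 * 1024 * 1024


def double_extension(name: str) -> bool:
    """True for names like filename.pdf.exe: a document-looking extension
    immediately followed by an executable extension."""
    parts = name.lower().split(".")
    if len(parts) < 3:
        return False
    return parts[-1] in EXECUTABLE_EXTS and parts[-2] in DOCUMENT_EXTS


def large_archive(name: str, size: int) -> bool:
    """True for archive attachments at or above the assumed size threshold."""
    ext = name.lower().rsplit(".", 1)[-1]
    return ext in ARCHIVE_EXTS and size >= LARGE_ARCHIVE_BYTES


def triage(attachments):
    """Return (name, reason) pairs for attachments matching either heuristic."""
    findings = []
    for att in attachments:
        if double_extension(att["name"]):
            findings.append((att["name"], "double-extension executable"))
        elif large_archive(att["name"], att["size"]):
            findings.append((att["name"], "oversized archive (may exceed cloud scan limit)"))
    return findings


if __name__ == "__main__":
    for name, reason in triage(SAMPLE_ATTACHMENTS):
        print(f"{name}: {reason}")
```

Neither heuristic inspects file contents, so the macro-bearing Office documents mentioned above need a separate content check.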
A year ago, an American digital forensics firm, Arsenal Consulting, analyzed the involvement of activist Rona Wilson, charged under the Illegal Activities Prevention Act, in the controversial ‘Bhima Koregaon’ case, concluding that an ‘unidentified actor’ had compromised his laptop 22 months earlier and had used that access to monitor him and ‘plant’ incriminating documents on it.
“Arsenal has connected that same attacker to a significant malware infrastructure that has been deployed over the course of approximately four years to not only attack and compromise Mr. Wilson’s computer, but also to attack his co-defendants in the Bhima Koregaon case and defendants in other high-profile Indian cases.”
This finding was the starting point of the SentinelOne investigation, which has now established that this surveillance and evidence-planting operation had been active for several years longer than Arsenal Consulting had suspected.
The researchers have not been able to determine whether ModifiedElephant is simply a group of private cybercriminals or is sponsored by a state actor, but they have found that many of its victims were simultaneously targets of the Pegasus espionage operation.