California-based cyber security firm Sentinel Labs has found that two hacking entities — at least one of which “aligns sharply with Indian state interests” — spied on Delhi-based prison rights activist Rona Wilson, who is in jail awaiting trial in the Elgaar Parishad-Maoist links case.
Last year, another US-based data forensics firm, Arsenal Consulting, had said that devices of two Elgaar accused — Wilson and Nagpur lawyer Surendra Gadling — had had “evidence” planted on them via the Pegasus spyware. The New York Times recently reported that Israeli firm NSO had sold Pegasus to the Indian government — a claim the Centre has neither confirmed nor denied.
The National Investigation Agency (NIA), which is probing the case, has rejected the Arsenal Consulting findings.
The latest report by Sentinel Labs, titled “ModifiedElephant APT and a decade of fabricating evidence”, says the two Advanced Persistent Threats (APTs) or hacking entities it has identified had targeted Wilson from before the BJP came to power at the Centre.
“Amnesty International identified NSO Group’s Pegasus being used in targeted attacks in 2019 against human rights defenders related to the Bhima Koregaon (Elgaar) case. Additionally, the Bhima Koregaon case defendant Rona Wilson’s iPhone was targeted with Pegasus since 2017 based on a digital forensics analysis of an iTunes backup found in the forensic disk images analysed by Arsenal Consulting,” the report says.
“Between February 2013 and January 2014 one target, Rona Wilson, received phishing emails that can be attributed to the SideWinder threat actor. The relationship between ModifiedElephant and SideWinder is unclear as only the timing and targets of their phishing emails overlap within our dataset. This could suggest that the attackers are being provided with similar tasking by a controlling entity, or that they work in concert somehow. SideWinder is a threat actor targeting government, military, and business entities primarily throughout Asia.”
The report adds: “ModifiedElephant phishing email payloads share infrastructure overlaps with Operation Hangover. Operation Hangover includes surveillance efforts against targets of interest to Indian national security, both foreign and domestic, in addition to industrial espionage efforts against organisations around the world.”
It concludes: “We observe that ModifiedElephant activity aligns sharply with Indian state interests and that there is an observable correlation between ModifiedElephant attacks and the arrests of individuals in controversial, politically charged cases…. Bhima Koregaon case has offered a revealing perspective into the world of a threat actor willing to place significant time and resources into seeking the disruption of those with opposing views.”
Sentinel Labs has drawn parallels with a hacking entity called EgoManiac, which it claims was linked to the Turkish government, based on its own study of last September that found the “planting (of) incriminating evidence on the systems of journalists to justify arrests by the Turkish National Police”.
“Many questions about this threat actor and their operations remain; however, one thing is clear: Critics of authoritarian governments around the world must carefully understand the technical capabilities of those who would seek to silence them,” Sentinel Labs has said.
The Sentinel Labs report does not name other targets of ModifiedElephant or say whether they were successfully hacked. It, however, says that hundreds of “activists, human rights defenders, journalists, academics, and law professionals in India” were targeted and they include several Elgaar accused.
The NIA and the Centre did not respond to emails from this newspaper seeking comment on the Sentinel Labs report.
The Supreme Court authorised a panel to look into the Pegasus controversy in India after allegations that the phones of several politicians, journalists and at least one judge were on a list of potential targets to be hacked. Private analyses have shown that some of the phones were indeed hacked.
In 2019, Pakistan had alleged surveillance of its government establishments through SideWinder and blamed India.
Over the last four years, 16 people were arrested in the Elgaar case, which relates to alleged Maoist links and caste violence following an Ambedkarite event.
The oldest, Ranchi-based Jesuit priest and tribal rights activist Stan Swamy, 84, died of post-Covid complications last July while awaiting bail. Two of the accused are out on bail.
Earlier this week, several Opposition MPs wrote to Prime Minister Narendra Modi demanding the release of the jailed Elgaar accused in the light of the NYT report.