Tom Hegel · @hegel
448 followers · 32 posts · Server infosec.exchange

Quick post to summarize happenings in the world of 'APTs fabricating evidence to throw people in jail':

This week a new report was released by Arsenal Consulting related to pro bono forensic work they’ve done for defendants in the Bhima Koregaon (aka BK16) case in India. In this report, we’ve learned that a second defendant in the case was framed. The digital evidence of their crimes (domestic terrorism) was documents planted by – specifically a variety of NetWire RAT samples. This framed individual (Stan Swamy) died while incarcerated – he was an 84-year-old priest.

@agreenberg at Wired wrote about this news here (definitely read!): wired.com/story/modified-eleph

Now this confirmation of evidence planting is simply not that surprising to us. Another defendant in the case (Rona Wilson) was confirmed to have evidence planted as well – and we’ve had confidence the same is done to many others. In addition to these two individuals, we know this same threat actor targeted many more individuals – including those not involved in this case at all. This threat actor is working in collusion with the Indian government, plain and simple.

We named this threat actor after profiling an extensive cluster of infrastructure and malware. The IOCs we released are tied to the decade+ life of the group so far.

PDF Report: s1.ai/mod-elephant

@jags and I did a BlackHat talk on this actor - a good overview on how they operate: youtu.be/zGorOeQS5C8

So, what’s next? The threat actor remains a focus of mine, and new research is ongoing. I hope to have more to share publicly soon.

#malware #ModifiedElephant #staytuned #bestjobieverhad

Last updated 3 years ago

nachshon_r · @nachshon_r
28 followers · 99 posts · Server kolektiva.social

For me, watching Unforgiven is like watching the news, A Time To Kill is what I do for work, and Dark City is what the rest of life feels like.

#bestjobieverhad #movies

Last updated 3 years ago