Police in India Planted False and Incriminating Files on Activists' Computers to Arrest Them

UK's home secretary approves Assange's extradition to U.S., Russian spy tried to infiltrate International Criminal Court, Interpol arrests 2,000 social engineering scammers, more

Jun 17

people in yellow and red costume standing on gray asphalt road during daytime — Photo by Abhishek Koli on Unsplash

New clues discovered by SentinelOne researchers on a case in India connect law enforcement to a campaign that used identification and hacking tools to plant false, incriminating files on targets’ computers that they then used as grounds to arrest and jail them.

SentinelOne’s new findings link the Pune City Police to the long-running hacking campaign, which the company has called Modified Elephant, and center on two particular targets of the campaign: Rona Wilson and Varvara Rao. Both men are activists and human rights defenders who were jailed in 2018.

Juan Andres Guerrero-Saade, a security researcher at SentinelOne who, along with fellow researcher Tom Hegel, will present findings at the Black Hat security conference in August, said, “This is beyond ethically compromised. It is beyond callous. So we’re trying to put as much data forward as we can in the hopes of helping these victims.” (Andy Greenberg / Wired)

Rohini Singh @rohini_sgh

Possibly the most chilling story you would read. The state can fix you if it wishes by planting evidence & incarcerating you for years. Will this @PuneCityPolice official be arrested @CMOMaharashtra? Will an inquiry be ordered? Will the courts continue to remain mute spectators?

Andy Greenberg @a_greenberg

A wild, appalling story: A group of hackers fabricated evidence on the PCs of Indian human rights activists who were then arrested for terrorism and jailed. Now researchers have found a direct link between those hackers and the police making the arrests. https://t.co/y6HrCn580v

John Scott-Railton @jsrailton

OPSEC is only for people afraid of being caught. Wild story of evidence planted-via-hacking. By @a_greenberg, ft research by @AmnestyTech @ArsenalArmed @SentinelOne @juanandres_gs @0xZeshan @citizenlab & more. wired.com/story/modified…

Thomas Rid @RidT

Absolutely wild story that has it all: hacking, an extraordinary integrity attack, with forged and planted evidence, (ethical) leaking to help expose (unethical) law enforcement active measures — and hugely creative, collaborative threat hunting

Police Linked to Hacking Campaign to Frame Indian ActivistsNew details connect police in India to a plot to plant evidence on victims’ computers that led to their arrest.wired.com

Supriya Shrinate @SupriyaShrinate

Outrageous. After reports of hackers planted evidence in computers of activists now comes the chilling shocker-it was done at the behest of the police. How low can the Modi ecosystem stoop-is the big question. Why is this not being debated? Why is not creating public outrage?

Andy Greenberg @a_greenberg

The UK Home Secretary Priti Patel approved the extradition of WikiLeaks co-founder Julian Assange to the U.S., a decision the organization immediately said it would appeal against in the high court.

The U.S. government has accused Assange of conspiracy to commit computer intrusion by helping Army intelligence analyst Chelsea Manning gain access to privileged information. Wikileaks’ appeal of Patel’s decision is likely to focus on the right to freedom of expression and whether the extradition request is politically motivated. (Jamie Grierson and Ben Quinn / The Guardian)

The General Intelligence and Security Service of the Netherlands said that it foiled a sophisticated attempt by a Russian spy, Sergey Vladimirovich Cherkasov, using a false Brazilian identity to work as an intern at the International Criminal Court (ICC), which is investigating allegations of Russian war crimes in Ukraine.

“If the intelligence officer had succeeded in gaining access as an intern to the ICC, he would have been able to gather intelligence there and to look for (or recruit) sources, and arrange to have access to the ICC’s digital systems,” the Dutch agency said. In a statement about the failed bid to infiltrate the ICC, the Dutch intelligence agency said Cherkasov used “a well-constructed cover identity by which he concealed all his ties with Russia in general, and the GRU in particular.” The statement said he was an “illegal” agent “who received long and extensive training.” (Mike Corder / Associated Press)

Christo Grozev @christogrozev

Check out what we know thus far on one of the wackiest spy stories of the year. The fake "Brazilian" GRU spy who in 2017 tweeted a @bellingcat article about how to identify fake identities of GRU spies. It literally cannot get more meta than that.

Bellingcat @bellingcat

A GRU spy who sought to gain access to the International Criminal Court as an intern left a long and detailed trail on social media. https://t.co/1mqy5zZhPj

A sweeping operation by Interpol and police agencies worldwide called First Light 2022 led to the seizure of $50 million in illicit funds and the arrests of 2,000 alleged social engineering scammers from many different countries.

Police say they identified 3,000 different suspects, froze 4,000 bank accounts, and arrested “some 2,000 operators, fraudsters and money launderers” while conducting raids at 1,770 locations worldwide. Among the captured was a Chinese national who was wanted in connection to an enormous Ponzi scheme that police say involved some 24,000 victims and the theft of 34 million euros. (Lucas Ropek / Gizmodo)

Security researchers at Proofpoint are warning that threat actors could hijack Office 365 accounts to encrypt for a ransom the files stored in SharePoint and OneDrive services that companies use for cloud-based collaboration, document management, and storage.

The attack's success relies on abusing the “AutoSave” feature that creates cloud backups of older file versions when users make edits. The trick to finishing the file locking stage quicker and making a recovery more difficult is to reduce the version numbering limit and encrypt all files more than that limit. Proofpoint informed Microsoft of the potential for abuse of the version numbering setting, but the tech giant maintains that this configuration ability is the intended functionality. (Bill Toulas / Bleeping Computer)

Microsoft Defender is now generally available for all personal devices, not just Windows PCs and businesses, extending Windows' anti-malware safeguards to Android, iOS, and macOS.

Defender for individuals is included with Microsoft 365 Personal and Family plans in most countries. Prices start at $70 per year for a Personal account in the US. (Jon Fingas / Engadget)

Approximately 1.29 million Texas Tech University Health Sciences Center patients have been added to the ongoing fallout from cloud-based, ophthalmology-specific electronic health record (EHR) and practice management vendor Eye Care Leaders’ (ECL) ransomware attack and data theft in December 2021.

The ECL incident compromised a range of patient data, including names, driver’s licenses, emails, genders, dates of birth, medical record numbers, health insurance details, appointment information, Social Security numbers, and medical data tied to services received at the TTUHSC ophthalmology center. (Jessica Davis / SC Media)

Related: Threatpost

Recorded Future’s Inst Group says that some Latin American countries may present as easy targets for ransomware attackers due to a general deficit of cyber resources, specifically education, hygiene, and overall infrastructure.

Anecdotal observations by Recorded Future reflect a “minor” but “sustained increase” in references to initial access sales and database leaks related to Latin American governments starting around March 2022. Between January and May 2022, ransomware attacks have been recorded in Costa Rica, Peru, Mexico, Ecuador, Brazil, and Argentina. (AJ Vicens / Cyberscoop)

Related: Recorded Future

Researchers at Volexity say that Chinese threat actors and various threat actors exploited a zero-day exploit for a critical-severity vulnerability in Sophos Firewall to bypass authentication and run arbitrary code remotely on multiple organizations.

Volexity detailed an attack from a Chinese advanced persistent threat group they track as DriftingCloud, which exploited CVE-2022-1040 since early March, a little over three weeks before Sophos released a patch. The adversary used the zero-day exploit to compromise the firewall to install webshell backdoors and malware that would enable compromising external systems outside the network protected by Sophos Firewall. Sophos identified hotfixes and mitigations that help organizations using its firewall protect against exploiting the vulnerability. (Ionut Ilascu / Bleeping Computer)

According to research from GlobalData, UK small businesses are increasingly being priced out of cyber insurance policies due to high premiums and the cost-of-living crunch.

Almost a third (29%) of companies with fewer than 250 staff canceled their cyber insurance policies last year to cut costs. An additional 17.3% of small and medium enterprises (SMEs) never had cyber insurance policies in the first place, with smaller businesses most likely to be uncovered. (Louis Goss / City A.M.)

Metacurity