Following SentinalOne’s February report revealing the threat actor, ModifiedElephant, as planting evidence on the Bhima Koregaon case victims’ devices, another investigation by Wired reveals that Pune Police allegedly had a part to play in planting said evidence.
Working with an unnamed security analyst at an unnamed email provider, SentinelOne learned that three of the victims’ email accounts compromised by hackers in 2018 and 2019 had a recovery email and phone number added as a backup. These backup credentials were changed to allow hackers to regain control of these three email accounts in case the passwords were changed.
Email accounts belonging to Wilson, Rao and Hany Babu had their backup credentials changed to another account including the full name of a Pune police official closely involved in the case.
In the case of Wilson’s email, the security analyst revealed that the email account received a phishing email in April 2018 and was later compromised by hackers using IP addresses that SentinalOne and Amnesty International had previously linked with ModifiedElephant at the same time as the email and phone numbers linked with Pune Police were added as recover contacts to the account.
Considering the emails used as a recovery method on the three hacked accounts and IP address activity, the three hacked accounts and Pune police can both be linked to the ModifiedElephant threat actor revealed in SentinalOne’s February report.
In the News: Is the new CERT-In directive doing more harm than good?
The analyst further reported that Wilson’s compromised account was then used to send out phishing emails to targets in the case for at least another two months before Wilson’s eventual arrest in June 2018.
To confirm the link between Pune Police and the hacked account, Wired worked with security researcher John Scott-Railton who found entries in an open-source database of Indian phone numbers and email addresses linking it to an email ending in [email protected], a suffix used by other email addresses for the Pune Police. The number was also linked to the same recovery address used on the compromised account belonging to the same Pune police official.
Scott-Railton further found that the Whatsapp profile photo for the recovery phone number added to the compromised accounts was a selfie of the police official, who seems to be the same officer present at police press conferences and in news photographs taken at the arrest of Varvara Rao.
Working separately, another security researcher Zeshan Aziz found the recovery email and phone number in a leaked TrueCaller database. Aziz further found the phone number linked to the police officer’s name in a leaked database from iimjobs.com, an Indian recruitment website, in addition to multiple archived web directories for Indian police, including the Pune police’s website.
In the News: New MaliBot Android malware can bypass multifactor authentication