Amnesty International has linked an Indian cyber security firm with a campaign targeting a Togolese human rights activist with the help of fake Android applications and spyware-loaded emails, in an effort to put him under surveillance.
The human rights group tied the campaign to the “notorious Donot Team” hacking group. It said this was the first time the group’s spyware was found in attacks outside of South Asia.
Infection Method and the Spyware’s Capabilities
The activist, from the West African country of Togo, is an essential voice for human rights in the country and has a history of working with civil society organizations. Hackers targeted their devices between December 2019 and January 2020.
The hackers launched persistent attacks over WhatsApp and email. They tried to trick the victim into installing a malicious application impersonating a secure chat application. They designed the malicious application to extract sensitive and personal information from the activist’s device.
The messages were sent from a WhatsApp account associated with an Indian phone number, registered in the state of Jammu & Kashmir. Upon installation, the app, named “ChatLite,” is granted permissions to a number of device functions.
However, when the hackers’ attempt to use WhatsApp to install the spyware failed, they switched to an alternate method. They sent an email from a Google account that included a malware-infected Microsoft Word document. The malware, the “YTY framework,” would grant complete access to the victim’s machine.
Amnesty’s press release said the “spyware would have enabled attackers to access the camera and microphone, collect photos and files stored on the device, and even read encrypted WhatsApp messages as they are being sent and received.”
Speaking on the issue, Danna Ingleton, Deputy Director of Amnesty Tech, said:
“Across the world, cyber-mercenaries are unscrupulously cashing in on the unlawful surveillance of human rights defenders.”
The Link to the Indian Firm
Amnesty’s investigation discovered a trail of technical evidence left by the attackers. The trail helped establish a link between the attack infrastructure and Delhi-based Innefu Labs. The firm advertises digital security, data analytics, and predictive policing services to law enforcement and armed forces.
Amnesty said it discovered a domain (“server.authshieldserver.com”) that pointed to an IP address (122.160.158[.]3). The IP address belongs to Innefu.
However, Innefu Labs denied the “existence of any link whatsoever between Innefu Labs and the spyware tools associated with the Donot Team and the attack against the human rights activist in Togo.” It further said it was not aware of any use of its IP address for the alleged activities.
Amnesty admitted that there is no evidence to suggest Innefu Labs had direct involvement in the case but called on the Indian government to investigate.