Original article here.
NEW DELHI — An unknown hacker planted more than 30 documents that investigators deemed incriminating on a laptop belonging to an Indian activist accused of terrorism, a new forensic analysis finds, indicating a more extensive use of malicious software than previously revealed.
The report will heighten concerns about the controversial prosecution of a group of government critics under Prime Minister Narendra Modi.
Arsenal Consulting, a Massachusetts-based digital forensics firm, examined an electronic copy of the laptop at the request of defense lawyers. The Washington Post reviewed a copy of the report.
A previous analysis by Arsenal, which The Washington Post reported in February, found that 10 letters had been deposited on the laptop, including one that discussed an alleged plot to assassinate Modi. The latest report by Arsenal finds that 22 additional documents were also delivered to the computer by the same attacker.
The documents — now totaling 32 — have been cited by law enforcement as evidence against a group of activists accused of working with a banned Maoist militant group that has waged a decades-old insurgency against the Indian state.
Known as the Bhima Koregaon case, the prosecution is considered a bellwether for the rule of law in India. Human rights groups and legal experts view the case as an effort by the government to clamp down on critics.
The activists accused in the case deny the charges against them. They include a prominent academic, a labor lawyer, a leftist poet, a Jesuit priest and two singers. All are advocates for the rights of the country’s most disadvantaged communities and vocal opponents of the ruling party. Many of them have been jailed for nearly three years as they await trial.
The two reports by Arsenal focus on a laptop belonging to Rona Wilson, a Delhi-based activist. In February, lawyers for Wilson submitted the first report to a court in Mumbai and urged the judges to dismiss the charges against their client. The court is expected to hold a hearing on the petition.
Jaya Roy, a spokeswoman for the National Investigation Agency (NIA), the anti-terrorism authority overseeing the case against the activists, said an analysis by a government forensic laboratory did not indicate that the laptop had been compromised by malware. She did not provide details on how the laboratory reached that conclusion.
“Our investigation is complete,” Roy said. The NIA cannot revisit “any evidence based on a private lab’s report.”
The Washington Post asked three experts on malware and digital forensics in North America to review Arsenal’s initial report, and they found its findings valid. A fourth expert reviewed both reports and said the conclusions were sound.
In its latest report, Arsenal includes data it recovered from the laptop showing the attacker typing commands to deliver documents to a hidden folder. It’s the equivalent of a “videotape of someone committing the crime,” said Mark Spencer, Arsenal’s president.
Arsenal has so far conducted its work on the reports on a pro bono basis, Spencer said. Founded in 2009, Arsenal performs computer forensic analysis for companies, law firms and government agencies, and it has provided expert testimony in cases such as the Boston Marathon bombing.
In the Indian case, an attacker used NetWire, a commercially available form of malware, to compromise Wilson’s laptop for nearly two years starting in 2016, Arsenal said.
The latest report shows that 22 additional documents were placed in a hidden folder on Wilson’s computer. They include details of purported meetings of Maoist militants, alleged correspondence with Maoist leaders and details of funds received by the banned group.
Two other files were stored in a folder on the Windows drive of the laptop. Unlike the other 22 files, Arsenal could not confirm they were delivered specifically by NetWire. But it found no evidence of any legitimate interaction with the documents and called their location in an unrelated application folder “suspicious.”
Arsenal’s “step-by-step” explanation of how the 22 documents were delivered is very clear and experts in the field “would draw all the same conclusions” based on that data, said Kevin Ripa, president of the Grayson Group of Companies and an expert in digital forensics.
The compromising of Wilson’s computer was just one element of a larger malware campaign. The same attacker also targeted his co-defendants, Arsenal said. Eight people seeking to help the activists, too, received emails with malicious links that deployed NetWire, according to a report from Amnesty International.
Several of the same domain names and Internet protocol addresses were used to target both the activists and their associates.
Most of the IP addresses are assigned to HostSailor, a web-hosting and virtual private server company whose website indicates it is based in the United Arab Emirates. HostSailor declined to respond to requests for comment on whether it was aware of the reports or had taken any action in response to them.
The case against the activists has its origins in a clash that unfolded on Jan. 1, 2018, in a village known as Bhima Koregaon following a memorial event celebrated by Dalits, who occupy the lowest rung in India’s caste hierarchy. The investigation into the violence, which left one dead, rapidly expanded into a wider probe of conspiracy against the Indian state.
The authorities alleged that the clash was linked to the Communist Party of India (Maoist), a banned militant group based primarily in the forests of central India. Earlier this month, 22 security personnel were killed in an apparent ambush by militants, the worst such incident in nearly four years.
The most recent activist to be jailed in the Bhima Koregaon case is an 83-year-old Jesuit priest named Stan Swamy. He is the oldest person in India to be arrested on terrorism charges. Swamy suffers from Parkinson’s disease and requires help to bathe and write letters, said Joseph Xavier, a priest and close friend. Swamy has spent more than six months in jail during the coronavirus pandemic.
Swamy lives in Jharkhand, one of the poorest states in India, where he works for the rights of Indigenous tribal communities. He has spearheaded campaigns challenging the acquisition of tribal land and the detentions of tribal youths on flimsy or no evidence. In a video recorded before he was arrested, Swamy said he and other activists were being targeted because they had “expressed their dissent or raised questions” about India’s ruling party.
On a recent phone call from jail, Swamy’s chief concern was the well-being of his colleagues and the organization he ran, Xavier said. Even in moments of hardship or pain, Swamy “will not complain,” his friend said. “That is the kind of person he is.”