17 December 2022

Hackers Planted Files to Frame an Indian Priest Who Died in Custody


THE CASE OF the Bhima Koregaon 16, in which hackers planted fake evidence on the computers of two Indian human rights activists that led to their arrest along with more than a dozen colleagues, has already become notorious worldwide. Now the tragedy and injustice of that case is coming further into focus: A forensics firm has found signs that the same hackers also planted evidence on the hard drive of another high-profile defendant in the case who later died in jail—as well as fresh clues that the hackers who fabricated that evidence were collaborating with the Pune City Police investigating him.

On Tuesday, Boston-based forensics firm Arsenal Consulting, which has been working on behalf of the defendants in the Bhima Koregaon case, released a new report revealing their analysis of the hard drive of Stan Swamy, perhaps the most famous of the 16 activists arrested in the case, all of whom have advocated for rights for Dalits—the Indian group once known as “untouchables”—as well as for Indian Muslims and indigenous people. Swamy, an 84-year-old Jesuit priest who suffered from Parkinson's disease, died in a hospital last year after being arrested in 2019 and contracting Covid-19 in jail. Arsenal has now found that evidence found on Swamy's computer was fabricated by the same hackers whom Arsenal found planting evidence on two other defendants in the case, Surendra Gadling and Rona Wilson.

Just as significant, Arsenal found new signs of the hackers' attempt to clean up their tampering and cover their tracks just a day before Swamy's computer was seized in 2019—a suggestion that the digital intruders likely knew the raid and seizure was coming and were cooperating with the Pune police who carried it out.

"It should be noted that this is one of the most serious cases involving evidence tampering that Arsenal has ever encountered," Arsenal's report, authored by its president, Mark Spencer, reads. "The attacker responsible for compromising Swamy’s computer had extensive resources (including time), and it is obvious that their primary goals were surveillance and incriminating document delivery."

Mihir Desai, an attorney who represented Swamy and still represents two other Bhima Koregaon 16 defendants, described the new report as a significant win for their cause. “It reconfirms and reiterates the bogus nature of the evidence and casts a doubt on all arrests,” Desai says. He adds that the specific finding in the report that the hackers tried to erase their trail just before the seizure of Swamy's computer as evidence indicates that "someone from the investigating agency was fully aware as to what was happening.”

In its report, Arsenal points to a series of clues the hackers left on Swamy's computer, which the firm has been analyzing on behalf of the late priest's legal defense team since August of this year. The hackers, according to Arsenal's report, compromised Swamy's machine at least three times between 2014 and 2019, installing several different versions of a piece of malware known as NetWire. Based on artifacts in the computer's memory and disk storage, Arsenal found that the NetWire malware installed a series of files in a hidden folder on Swamy's computer, including one that listed weapons possessed by various units of a militant rebel group and another that seemed to suggest kidnapping members of India's ruling party, the BJP.

According to Arsenal, Swamy never touched the files himself. After his devices were seized by Pune City Police, those files were among the digital evidence used to charge him and the other Bhima Koregaon 16 defendants with terrorism as well as inciting a riot in 2018 that led to two deaths.

All of Arsenal's findings, the firm notes, match the earlier cases of evidence fabrication, seemingly carried out by the same hackers, that targeted the two defendants' machines that Arsenal examined earlier. "Arsenal has effectively caught the attacker red-handed (yet again)," the report adds.

On Swamy's computer, however, Arsenal also found something new: The hackers seem to have begun what Arsenal calls "anti-forensics" (a cleanup operation) on June 11, 2019, deleting files that revealed their access to Swamy's machine in an apparent attempt to cover their tracks, just a day before Pune Police seized Swamy's computer on June 12 of that year. Arsenal describes that attempt at anti-forensics as "both unique and extremely suspicious given the computer's imminent seizure."
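The two forensic patterns described above (documents dropped by the malware that the user never opened, and a burst of deletions the day before a known seizure) can be checked mechanically against a filesystem timeline. The following is an added example, not code from the article or from Arsenal's report; the timeline events, paths, and the process name `netwire_hypothetical.exe` are constructed for illustration.

```python
"""Timeline check for planted-evidence indicators (added example).
All events and names below are constructed; only the June 11/12, 2019
dates come from the article."""
from datetime import date, timedelta

NETWIRE_PROC = "netwire_hypothetical.exe"   # hypothetical malware process name
SEIZURE_DATE = date(2019, 6, 12)            # seizure date given in the article

# Constructed timeline: (date, action, path, acting process as recovered
# from memory/disk artifacts).
TIMELINE = [
    (date(2018, 3, 2), "create", r"C:\Users\u\AppData\hidden\weapons_list.docx", NETWIRE_PROC),
    (date(2018, 3, 2), "create", r"C:\Users\u\AppData\hidden\plan.docx", NETWIRE_PROC),
    (date(2018, 4, 9), "create", r"C:\Users\u\Documents\letter.docx", "winword.exe"),
    (date(2018, 4, 9), "open", r"C:\Users\u\Documents\letter.docx", "winword.exe"),
    (date(2019, 6, 11), "delete", r"C:\Users\u\AppData\hidden\log1.dat", NETWIRE_PROC),
    (date(2019, 6, 11), "delete", r"C:\Users\u\AppData\hidden\log2.dat", NETWIRE_PROC),
    (date(2019, 6, 11), "delete", r"C:\Users\u\AppData\Roaming\nw.cfg", NETWIRE_PROC),
]

def planted_candidates(timeline, malware_proc):
    """Files created by the malware process that no other process ever
    opened: delivered to the disk, but never touched by the user."""
    created = {p for _, a, p, who in timeline if a == "create" and who == malware_proc}
    opened = {p for _, a, p, who in timeline if a == "open" and who != malware_proc}
    return sorted(created - opened)

def cleanup_burst(timeline, seizure, window_days=2, min_deletes=3):
    """Deletions per actor inside the window ending at the seizure date.
    Returns {actor: [paths]} only for actors at or above min_deletes."""
    lo = seizure - timedelta(days=window_days)
    by_actor = {}
    for d, a, p, who in timeline:
        if a == "delete" and lo <= d <= seizure:
            by_actor.setdefault(who, []).append(p)
    return {w: sorted(ps) for w, ps in by_actor.items() if len(ps) >= min_deletes}

if __name__ == "__main__":
    print("never-opened malware drops:", planted_candidates(TIMELINE, NETWIRE_PROC))
    print("pre-seizure deletion burst:", cleanup_burst(TIMELINE, SEIZURE_DATE))
```

On a real case the timeline would come from parsed filesystem metadata and memory artifacts rather than a hand-built list; the two checks stay the same.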

In other words, the hackers wanted to plant fake evidence that could be revealed to incriminate Swamy while also deleting actual evidence of their fabrications that might be discovered in legal proceedings, says Tom Hegel, a researcher for security firm Sentinel One. (Hegel and his colleague Juan Andres Guerrero‑Saade published their own findings on the Bhima Koregaon hacking cases this year.) Hegel argues the timing of that deletion, which he says displays a sloppy urgency, suggests the hackers somehow knew the seizure of Swamy's devices was coming, and after five years of stealthy access to his computer, scrambled to erase their fingerprints. "The timing and the rushed cleanup effort is, in my opinion, clear evidence of collusion between the police unit and the attackers at that point," Hegel says.

That cleanup is one of several signs that the hackers who targeted members of the Bhima Koregaon 16 may well have been working in league with the Pune City Police who arrested many of the defendants. Last June, Hegel and Guerrero‑Saade revealed to WIRED that an official in the Pune City Police appears to have added his own email address and phone number to several of the defendants' hacked email accounts, in some cases months before they were arrested, seemingly as a crude backup mechanism to try to maintain access to their accounts. “There’s a provable connection between the individuals who arrested these folks and the individuals who planted the evidence,” Guerrero‑Saade told WIRED at the time.

Pune City Police officials declined to respond to WIRED's request for comment, both in June and in response to the new findings from Arsenal.

Of the 16 Bhima Koregaon defendants, 11 remain in jail. Three have been released on bail, and one has been confined to house arrest. But the case of Stan Swamy, the oldest of the defendants and the only one to die in detention, has taken perhaps the biggest spotlight: Human rights organizations and the US State Department have spoken out against Swamy's imprisonment, and he was posthumously awarded the Martin Ennals Award, sometimes described as the Nobel Prize for human rights defenders.

But Swamy was far from unique in being targeted by the hackers who sought to frame him. Based on the details of the malware and hacking infrastructure described in Arsenal's report, Hegel says that the hackers who broke into Swamy's computer, as well as those of the two other Bhima Koregaon defendants, are part of the group Sentinel One calls "Modified Elephant." Hegel and Guerrero‑Saade analyzed the group's code and command-and-control servers in a report they published in February that tied Modified Elephant to the targeting of hundreds of activists, journalists, and academics since as early as 2012.

"The links back to Modified Elephant are extremely obvious and verifiable," says Hegel. "It’s another confirmation, at least from the evidence we have so far, that the defendants in the Bhima Koregaon case have been framed." And it's becoming harder than ever to deny that the hackers who did that framing were in league with the very authorities who condemned Stan Swamy to spend the last months of his life in a jail cell.
