Surendra Gadling's Computer Was Attacked, Incriminating Documents Planted: Arsenal Consulting

Forensic digital investigations have raised serious questions about the Elgar Parishad investigation.

Mumbai: For over 20 months, lawyer and human rights defender Surendra Gadling’s computer was attacked and surveilled, and incriminating documents were planted on it. Gadling, one of the first to be arrested among the 16 human rights activists, lawyers and academics in custody in the ongoing Elgar Parishad case, was under cyber attack from February 16, 2016 – two years before he was finally arrested on June 6, 2018. Fourteen significant documents, on the basis of which the National Investigation Agency (NIA) has held him in jail for over three years, were planted on his computer using the NetWire malware.

An explosive forensic investigation carried out by the Massachusetts-based digital forensics firm Arsenal Consulting, and broken first by NDTV and the Washington Post, has revealed an eerie pattern of malware attacks carried out on his computer. This is the third report that the forensic firm has published in the past months. The first two reports – published on February 8, 2021 and March 27, 2021 – looked into the laptop of Rona Wilson, a prisoners’ rights activist, also arrested along with Gadling in the case. In the recent report, Mark Spencer, president of Arsenal Consulting, has concluded that the attacker in Gadling’s and Wilson’s cases was the same.

Arsenal Consulting is a digital forensics consulting company set up in 2009 and has since engaged in several forensic investigations, ranging from intellectual property theft to evidence spoliation, support of terrorist organisations and military coup plotting.

The report, in a blow-by-blow account, has revealed that the attacker made three particularly relevant attempts at compromising Gadling’s computer through emails. These emails, sent through sender ids known to Gadling – Harshal Lingayat (Gadling’s legal junior), Arun Ferreira (a co-accused in the case) and Prashant Rahi (convicted in another UAPA case) – contained identical malware. The first two email attempts were made on February 12, 2016 and the third, six days later, on February 18. “Ultimately, on February 29, 2016 Mr. Gadling executed this malware,” the report points out.

The emails were tailor-made, with specific subject lines relating to Gadling’s work. For the email sent from Harshal Lingayat’s email id, the subject line reads: ‘reply of sharda kurme final draft’. Similarly, the email from Ferreira’s id discusses ‘minutes of IAPL 13 Feb 2013’. IAPL stands for Indian Association of People’s Lawyers, a collective of lawyers of which both Gadling and Ferreira are members. In the last supplementary chargesheet that the NIA filed in the case in October last year, the agency called IAPL a “frontal outfit” of the banned CPI (Maoist) organisation.

The email sent out from Rahi’s email id talked about Stan Swamy’s health condition and the need for some “urgent medical care following his recurrent high BP of late”. Father Stan Swamy, an 84-year-old Jesuit priest and tribal rights activist based in Jharkhand, died on July 5 after enduring inhuman treatment in Taloja Central Jail on the outskirts of Mumbai. Swamy was the 16th and oldest to be arrested in the Elgar Parishad case.

The email sent from Rahi’s email id was marked to a group of people including two co-accused, Sudha Bharadwaj and Stan Swamy. There is no clarity so far on whether Swamy and Bharadwaj opened the email and whether their computers too were attacked.

These emails, Arsenal has found, were sent through different email spoofing services. “The malware infrastructure is quite large and supported multiple campaigns (using malware such as NetWire and DarkComet) against many victims. Remnants of the infrastructure exist well beyond individual computers involved in the Bhima Koregaon case – for example, within email accounts and in logs retained by services abused by the attacker,” the forensic findings conclude.

The findings are grave, as the implications are not restricted to Gadling and Wilson alone but extend to many others named in, or involved in the defence of, those arrested in the Elgar Parishad case. These findings, when read along with the breakthrough investigations carried out by Toronto University’s ‘Citizen Lab’ and Amnesty International’s tech team in Berlin, reveal a nefarious hand that worked to target human rights defenders across the country. While the Citizen Lab work focused on the ways the Israeli surveillance firm NSO Group’s specially designed malware ‘Pegasus’ was planted on the mobile phones of many lawyers and activists, the Amnesty International report revealed that similar attempts at digital spying were made through emails.

The attacker responsible for compromising Gadling’s computer, like in the case of Wilson, had extensive resources, including time, and “it is obvious that their primary goals were surveillance and incriminating document delivery”, the report has claimed.

In the report, Arsenal Consulting’s president Spencer has claimed that the attack on Gadling’s computer is one of the most serious cases involving evidence tampering that his organisation has ever encountered, based on various metrics which include the vast timespan between the delivery of the first and last incriminating documents on multiple defendants’ computers.

The significant revelations

As with Wilson, the investigating agencies – first the Pune police and later the NIA – claimed to have found 14 incriminating documents on Gadling’s laptop. These documents, according to the chargesheet, were email communications between Gadling and several other arrested persons in the case. Some letters were also purportedly written to “comrades” engaged in underground armed activities in the central India region. These letters, among others allegedly found on Gadling’s computer, were a crucial part of the larger ‘Urban Naxal’ propaganda launched against the arrested human rights defenders in the case.

Arsenal has made a serious claim that “the 14 important documents were delivered to a hidden folder (named “Material”) on the tertiary volume of Gadling’s computer by NetWire and not by other means”. The hidden “Material” folder was created on December 4, 2016 and the attacker delivered documents to it between that day and October 22, 2017, the findings reveal.

The forensic investigation makes further detailed revelations of how files were lodged deep in the computer surreptitiously without Gadling finding out about the activity. The hidden “Material” folder, the investigation shows, was moved to the Windows volume (more specifically, the “Sumit” user’s Desktop folder) on Gadling’s computer as part of a larger movement on December 7, 2017 involving the “Pen Drive Backup 29-03-2015” folder. This activity, according to the findings, is consistent with a legitimate user moving a visible folder (“Pen Drive Backup 29-03-2015”) which, among many other folders and files, contained a hidden folder (“Material”) two levels deep that the user could not see and was thus not aware of.
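The two preceding passages describe the pattern an examiner has to surface: a hidden folder created long after the visible folder tree it sits in, populated over many months, and carried along unseen when the user moves the visible parent. The script below is an added example and is not code from Arsenal’s report. It takes a listing of directories and files (path, hidden attribute, creation time), of the kind a forensic tool exports from a volume, and reports every hidden folder with the outermost visible folder containing it, its depth below that folder, whether it is newer than that folder, and the first and last creation times of the files inside it. The LISTING is constructed to mirror the article’s description; the file names inside “Material” are placeholders, not the documents named in the chargesheet.

```python
"""Find hidden folders buried under visible ones in a volume listing.

Added example (not code from Arsenal's report). The LISTING below is
constructed to mirror the pattern described in the article; the file
names inside "Material" are placeholders.
"""
from dataclasses import dataclass
from datetime import datetime
from pathlib import PureWindowsPath
from typing import Dict, List, Optional


@dataclass
class Entry:
    path: str
    is_dir: bool
    hidden: bool        # FILE_ATTRIBUTE_HIDDEN set
    created: datetime   # creation timestamp


@dataclass
class HiddenFolderReport:
    folder: str
    visible_ancestor: Optional[str]  # outermost visible folder containing it
    depth_below_visible: int         # path levels between the two
    created_after_ancestor: bool     # hidden folder is newer than its container
    file_count: int
    first_file: Optional[datetime]
    last_file: Optional[datetime]


BACKUP = r"C:\Users\Sumit\Desktop\Pen Drive Backup 29-03-2015"

# Constructed listing (not forensic data from the case).
LISTING: List[Entry] = [
    Entry(BACKUP, True, False, datetime(2015, 3, 29, 10, 0)),
    Entry(BACKUP + r"\Cases", True, False, datetime(2015, 3, 29, 10, 1)),
    Entry(BACKUP + r"\Cases\petition.docx", False, False, datetime(2015, 3, 29, 10, 2)),
    Entry(BACKUP + r"\Cases\Material", True, True, datetime(2016, 12, 4, 9, 0)),
    Entry(BACKUP + r"\Cases\Material\placeholder_01.docx", False, False, datetime(2016, 12, 4, 9, 5)),
    Entry(BACKUP + r"\Cases\Material\placeholder_02.docx", False, False, datetime(2017, 7, 22, 14, 30)),
    Entry(BACKUP + r"\Cases\Material\placeholder_03.docx", False, False, datetime(2017, 10, 22, 11, 0)),
]


def _norm(path: str) -> str:
    """Case-insensitive, separator-normalised key for path comparison."""
    return str(PureWindowsPath(path)).lower()


def find_hidden_folders(listing: List[Entry]) -> List[HiddenFolderReport]:
    dirs: Dict[str, Entry] = {_norm(e.path): e for e in listing if e.is_dir}
    files = [e for e in listing if not e.is_dir]
    reports: List[HiddenFolderReport] = []
    for key, d in dirs.items():
        if not d.hidden:
            continue
        # Walk upward through listed parents, remembering the outermost visible one.
        ancestor: Optional[Entry] = None
        for parent in PureWindowsPath(d.path).parents:
            pk = _norm(str(parent))
            if pk not in dirs:
                break
            if not dirs[pk].hidden:
                ancestor = dirs[pk]
        depth, newer = 0, False
        if ancestor is not None:
            depth = len(PureWindowsPath(d.path).relative_to(ancestor.path).parts)
            newer = d.created > ancestor.created
        # Creation times of files anywhere below the hidden folder.
        prefix = key + "\\"
        inside = sorted(f.created for f in files if _norm(f.path).startswith(prefix))
        reports.append(HiddenFolderReport(
            folder=d.path,
            visible_ancestor=ancestor.path if ancestor else None,
            depth_below_visible=depth,
            created_after_ancestor=newer,
            file_count=len(inside),
            first_file=inside[0] if inside else None,
            last_file=inside[-1] if inside else None,
        ))
    return reports


if __name__ == "__main__":
    for r in find_hidden_folders(LISTING):
        print(f"{r.folder}\n  under {r.visible_ancestor} ({r.depth_below_visible} levels deep,"
              f" newer than container: {r.created_after_ancestor})"
              f"\n  {r.file_count} files, {r.first_file} .. {r.last_file}")
```

On the constructed listing the report shows “Material” two levels below “Pen Drive Backup 29-03-2015”, created after that folder, with three files spanning December 2016 to October 2017; on a real export the same fields are what an examiner would compare against the user’s own activity on the computer.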

According to the forensic findings, there is no evidence to show that these supposedly crucial documents were ever opened.

The recent report makes a very important connection with the findings of the earlier report on Wilson’s computer. It states that on July 22, 2017, both Gadling’s and Wilson’s computers were tampered with just 15 minutes apart. “July 22, 2017 is a particularly interesting day in the sense that the attacker was deploying documents to a hidden folder on Mr. Gadling’s co-defendant Rona Wilson’s computer approximately fifteen minutes prior to deploying documents to a hidden folder on Mr. Gadling’s computer,” the report claims. Besides the style of attack, one document too is identical in Gadling’s and Wilson’s cases, the findings confirm.

While it’s likely the Arsenal report will be put through thorough judicial scrutiny, for now it raises serious questions over the very foundation of the Elgar Parishad case. First the Pune police and later the NIA have claimed that the 16 persons were a part of the banned Maoist organisation.

The allegations have changed several times. First the police claimed that the accused were involved in the attack at Bhima Koregaon on January 1, 2018. Later the claim had shifted to an alleged “Rajiv Gandhi-style assassination plot against prime minister Narendra Modi” and finally the investigation claimed that they were all a part of underground Naxal movement. It has been over three years and the trial is yet to begin.

A day after Arsenal’s first report was published, the legal defence team in the Elgar Parishad case moved the Bombay high court. The NIA, in its defence, argued that since Arsenal Consulting did not have “locus standi” in the case, its documents can’t be relied upon. Arsenal Consulting has played a significant role in cases in the US, but the Indian agency is not willing to rely on the documents, claiming that the forensic study was not ordered by the court.

The surveillance patterns

Arsenal states it has found and decrypted partial NetWire malware logs from Gadling’s computer which covered 55 particular days between March 5, 2016 and October 22, 2017. NetWire logs are files used for surveillance purposes and contain keystrokes and other information related to the victim.

The activity captured in these partially recovered logs includes Gadling browsing websites, submitting passwords, composing emails and editing documents. The attacker, according to the forensic team, used a variety of tools beyond NetWire on Gadling’s computer. One of those “was WinSCP, which was used to synchronize Gadling’s files between his computer (and removable storage devices he attached to it) with the attacker’s C2 server”. The attacker’s hidden staging area for file synchronisation on Gadling’s computer was named “backup2015”, the investigation has revealed.

The three emails

The emails carrying malware that were sent to Gadling in February 2016 had “identical JavaScript malware attached”. They resulted in the installation of the NetWire remote access trojan (“RAT”) on Gadling’s laptop, the report has revealed.

Once Gadling had executed the malware on his computer on February 29, 2016, the JavaScript first downloaded a self-extracting archive (“SFX”) named “wordbase.exe” from the attacker’s command and control (“C2”) server (at the IP address ). It was subsequently saved on Gadling’s computer (in the “Surendra” user account’s temporary folder) as “PBAroTwl.scr”.

The Arsenal findings further state that the JavaScript then executed “PBAroTwl.scr” in a hidden window, which not only unpacked the NetWire wrapper, scripts and a decoy document into the “Glarymap” folder on Gadling’s computer, but also auto-executed the script “basic.vbs” that in turn executed “list.bat”. The execution of “list.bat”, the forensic team states, “resulted in the display of a decoy document (“note.docx”), NetWire being launched, and the NetWire wrapper (“convex.exe”) being made persistent via the Windows Registry “Run” key”.
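The chain just described (a script host launched from an email attachment, an executable dropped into and run from the user’s temporary folder, a nested script and batch file, and a Run key written for persistence) leaves a recognisable parent-child trail in endpoint telemetry, which is where a defender would look for it. The script below is an added example and is not code from Arsenal’s report. Its events are constructed Sysmon-style process-creation and registry-write records: the file names (PBAroTwl.scr, basic.vbs, list.bat, convex.exe, note.docx and the Glarymap folder) are those quoted in the article, while the PIDs, timestamps, attachment name and Temp path are invented. It applies two rules: an executable launched from the user’s Temp folder with a script host among its ancestors, and a Run-key write made by a process descended from such a chain.

```python
"""Flag a script-host -> Temp executable -> Run-key persistence chain.

Added example, not code from Arsenal's report. Events are constructed
(Sysmon-style fields, invented PIDs/times/paths); file names follow the
article's account of the infection chain.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
TEMP_RE = re.compile(r"\\appdata\\local\\temp\\", re.IGNORECASE)
RUN_KEY_RE = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run(\\|$)",
                        re.IGNORECASE)


@dataclass
class Proc:
    pid: int
    ppid: int
    image: str      # full path of the executable
    cmdline: str
    time: str


@dataclass
class RegWrite:
    pid: int        # process that wrote the value
    key: str
    data: str
    time: str


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def ancestry(pid: int, procs: Dict[int, Proc]) -> List[Proc]:
    """The process and its ancestors, nearest first; stops at unknown parents."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(procs[pid])
        pid = procs[pid].ppid
    return chain


def launched_from_temp(p: Proc) -> bool:
    return bool(TEMP_RE.search(p.image))


def rule_script_host_to_temp_exe(procs: Dict[int, Proc]) -> List[dict]:
    """Executable started from Temp with a script host somewhere above it."""
    findings = []
    for p in procs.values():
        if not launched_from_temp(p):
            continue
        hosts = [a for a in ancestry(p.pid, procs)[1:] if basename(a.image) in SCRIPT_HOSTS]
        if hosts:
            findings.append({"rule": "script_host_to_temp_exe", "pid": p.pid, "image": p.image,
                             "script_host_pid": hosts[0].pid, "time": p.time})
    return findings


def rule_run_key_from_chain(procs: Dict[int, Proc], writes: List[RegWrite]) -> List[dict]:
    """Run-key write whose writer descends from a script host and a Temp-launched executable."""
    findings = []
    for w in writes:
        if not RUN_KEY_RE.search(w.key):
            continue
        chain = ancestry(w.pid, procs)
        names = [basename(a.image) for a in chain]
        if any(launched_from_temp(a) for a in chain) and any(n in SCRIPT_HOSTS for n in names):
            findings.append({"rule": "run_key_from_script_chain", "pid": w.pid, "key": w.key,
                             "data": w.data, "chain": list(reversed(names)), "time": w.time})
    return findings


# Constructed telemetry (invented PIDs, times and paths).
T = r"C:\Users\Surendra\AppData\Local\Temp"
PROCESS_EVENTS = [
    Proc(1000, 900, r"C:\Windows\explorer.exe", "explorer.exe", "2016-02-29T10:00:00"),
    Proc(1100, 1000, r"C:\Windows\System32\wscript.exe", r'wscript.exe "attachment.js"', "2016-02-29T10:05:00"),
    Proc(1200, 1100, T + r"\PBAroTwl.scr", T + r"\PBAroTwl.scr", "2016-02-29T10:05:04"),
    Proc(1300, 1200, r"C:\Windows\System32\wscript.exe", r'wscript.exe "C:\Glarymap\basic.vbs"', "2016-02-29T10:05:06"),
    Proc(1400, 1300, r"C:\Windows\System32\cmd.exe", r'cmd.exe /c "C:\Glarymap\list.bat"', "2016-02-29T10:05:07"),
    Proc(1500, 1400, r"C:\Program Files\Microsoft Office\WINWORD.EXE", r'WINWORD.EXE "C:\Glarymap\note.docx"', "2016-02-29T10:05:08"),
    Proc(1600, 1400, r"C:\Glarymap\convex.exe", "convex.exe", "2016-02-29T10:05:08"),
    Proc(2000, 1000, r"C:\Program Files\Microsoft Office\WINWORD.EXE", r'WINWORD.EXE "brief.docx"', "2016-02-29T11:00:00"),
]
PROCS: Dict[int, Proc] = {p.pid: p for p in PROCESS_EVENTS}
REG_WRITES = [
    RegWrite(1400, r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", r"C:\Glarymap\convex.exe", "2016-02-29T10:05:07"),
    # Same key written by an ordinary user process with no script chain above it: not flagged.
    RegWrite(2000, r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", r"C:\Program Files\Placeholder\updater.exe", "2016-02-29T11:01:00"),
]


def run_all() -> List[dict]:
    return rule_script_host_to_temp_exe(PROCS) + rule_run_key_from_chain(PROCS, REG_WRITES)


if __name__ == "__main__":
    for f in run_all():
        print(f)
```

The second rule deliberately keys on ancestry rather than on the Run key alone, since legitimate software writes that key constantly; what makes the write suspicious here is the chain above it, and the flagged finding carries that chain (explorer, wscript, the Temp executable, wscript again, cmd) so an analyst can read it directly.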

Reacting to Arsenal Consulting’s findings, Gadling’s wife Minal told The Wire that while the findings are disturbing, she is not surprised. “Since the very beginning, we have maintained that all 16 persons are falsely implicated in the case and evidence has been planted against them. This report only strengthens our stand. We are just hoping that the courts take serious note of this independent investigation and swiftly act upon it.”