Mumbai: Last week, a Massachusetts-based digital forensics firm, Arsenal Consulting, released a damning report which posed serious questions about the credibility of the letters that were allegedly found in the computer and other gadgets of arrested prisoners’ rights activist Rona Wilson.
The report said that a cyber attacker had gained access to Wilson’s computer at least 22 months before his arrest and at least 10 incriminating letters were placed on it through this attack. While Arsenal Consulting has not attributed the attack to any particular entity, in its report they have stated that the attacker responsible for compromising Wilson’s laptop had extensive resources including time and it is obvious that their primary goals were surveillance and incriminating document delivery.
Arsenal Consulting’s director Mark Spencer discussed the findings and his impression of the attack in detail in an interview with The Wire.
Is the Elgar Parishad case the first from the Indian subcontinent that your team has investigated? Were you aware of the case? What was your initial thought when you were approached by the defence team from India?
Yes, this is our first case in India. I was not aware of the case before we were contacted about possibly reviewing electronic evidence. I was initially sceptical (we are very sceptical people at Arsenal) about the possibility of evidence tampering in such a high-profile case.
The data allegedly extracted from Rona Wilson’s laptop runs into several terabytes. Also, it was sent across from across continents. What were the challenges faced in running this investigation?
The data from Rona Wilson’s laptop alone does not run into the terabytes, but the volume of data we have received related to Rona Wilson’s laptop, his other devices, and others does run into the terabytes. We did not have any challenges in terms of receiving the electronic evidence in this case – the defence team would send it to the American Bar Association (acting as a liaison) on hard drives (which contained forensic images and other data), the American Bar Association would send the hard drives to us, we would take those hard drives into our custody, and we would verify the forensic images were intact by verifying “hash values” also known as digital fingerprints.
For example, we verified that the hash values calculated when the forensic images of Rona Wilson’s laptop and thumb drive (relevant to the report I) were originally obtained (and stored both inside and outside the forensic images) matched the hash values we calculated after receiving the hard drive they were on.
In one of the interviews with an Indian news channel, you mentioned this was a case of “aggressive surveillance”. How often have your team come across a case of this magnitude?
We refer to what happened to Rona Wilson’s computer as “aggressive surveillance” because of the combination of time (approximately 22 months) and the types of surveillance – NetWire key logging, synchronisation of files from his computer, and synchronisation of files from his removable storage devices.
Your findings state that Rona Wilson’s laptop had been infected for over 22 months. Isn’t this a shockingly long time spent in targeting an individual? How often have you come across such concerted efforts for such a long duration?
Targeting an individual over a long period of time is not necessarily unusual in terms of surveillance, but delivering incriminating documents (and other files) to an individual over a long period of time is very unusual. We have never seen or even heard of this before.
Is your team also studying digital evidence allegedly gathered from other accused persons’ laptop/ computer?
‘Netwire’ used to infect Wilson’s laptop is apparently easily available. How commonly is it used in such surveillance attacks? How easy/ difficult is it to detect it?
NetWire can be deployed in many different ways. If an attacker is willing to put time into customising a NetWire “wrapper” and being creative about how it is deployed, the chances of successful deployment increase.
Around the time that the human rights defenders were arrested, several other lawyers and rights activists faced digital attacks through WhatsApp (spyware Pegasus produced by an Israeli surveillance firm NSO group) and a separate well-coordinated email attack.
While the NSO group has claimed that the spyware was only sold to government agencies, both Gmail and Yahoomail (used to send malware) had warned India-based targets that they may have been the victims of a snooping attempt by “government-backed actors”. In this background, do you see any similarities—the nature of the attack, timing, profiles of those affected—in these attacks?
We will hold off on commenting on this for now.
How similar is this attack to the one faced by Odatv journalists Barış Pehlivan and Müyesser Yıldız? (Odatv is a Turkish online news portal)
It’s important to understand first that Barış Pehlivan and Müyesser Yıldız’s computers were compromised much differently from each other. Generally speaking though, the attacks in these cases are similar in that they involved very customised targeting of individuals, delivery of incriminating documents, and some level of effort to prevent the individuals from stumbling across the delivered documents. At a more granular level, the attacks in these cases are different in many ways.