Mumbai: For at least 22 months before the Pune Police had raided activist Rona Wilson’s residence in New Delhi and arrested him, a cyber attacker had allegedly gained access to his laptop and planted at least 10 incriminating letters on it.
A report from a Massachusetts-based digital forensics firm, Arsenal Consulting, has posed serious questions about the credibility of the letters that the investigating agencies have used to implicate Wilson and 15 other rights activists arrested in the ongoing Elgar Parishad case of 2018. The firm was approached by Wilson’s defence team to examine the electronic evidence on July 31 last year.
The case, initially investigated by the local Pune police, was handed over to the National Investigation Agency in January 2020, soon after the Bharatiya Janata Party government fell in Maharashtra and a tri-party alliance government – comprising the Shiv Sena, Nationalist Congress Party and Congress – took over.
The report released by Arsenal Consulting gains significance as the investigation agency’s case is solely dependent on the “evidence” they claimed to have seized from arrested persons, including from Wilson’s computer.
“The attacker responsible for compromising Wilson’s laptop had extensive resources including time and it is obvious that their primary goals were surveillance and incriminating document delivery,” the report states.
In a statement issued on Twitter, The US-based digital forensics firm’s president Mark Spencer said that his team worked ‘relentlessly’ on the “massive volume of electronic data provided to us in the Bhima Koregaon case”. He said the team has set an “extremely high bar for the practice of digital forensics in the future”.
— Arsenal Consulting (@ArsenalArmed) February 10, 2021
Arsenal has connected the same attacker to a significant malware infrastructure which has been deployed over the course of approximately four years, to not only attack and compromise Wilson’s computer for 22 months, but to attack his co-defendants and in other high-profile Indian cases too.
The report says, “It should be noted that this is one of the most serious cases involving evidence tampering that Arsenal has ever encountered, based on various metrics which include the vast timespan between the delivery of the first and last incriminating documents.”
The case was built on the letters purportedly written by Wilson, and another arrested person Surendra Gadling, a celebrated criminal lawyer from Nagpur. In all, 13 letters were allegedly found on their computers which implicated other accused persons like advocate Sudha Bharadwaj, academic Anand Teltumbde, poet Varavara Rao and others.
According to Arsenal’s report, just a few hours before Wilson’s house was raided on April 17, 2018, his computer was tampered with. The report shows that the last changes were made to his computer at 4:50 pm on April 16, 2018 and the very next day at 6 am, a team of the local Pune police, including then investigating officer Shivaji Pawar, had visited Wilson’s house in Munirka, New Delhi to carry out a raid.
According to the findings submitted by Arsenal Consulting, which have now been used as a base to file a petition seeking a special investigation into the case, 80-year-old Varavara Rao’s email ID was used to compromise Wilson’s laptop. “Mr. Wilson’s computer was compromised on June 13, 2016 after a series of suspicious emails with someone using VaraVara Rao’s email account. Rao is one of Mr. Wilson’s co-defendants in the case,” the report reads.
A similar email was sent to at least one other person, Nihalsing Rathod, who is a defence lawyer in the case. Rathod has been the target of at least two other cyber attacks, which also singled-out lawyers, activists, journalists and rights defenders.
Rathod was targeted using the Pegasus spyware, which exploited the video call feature in WhatsApp to install malware on a person’s phone. As The Wire reported in October 2019, there seemed to be a clear pattern of anti-caste activists being targeted, including those connected to the Elgar Parishad case.
In another instance, Rathod was among those who were the target of a digital attack through emails, as The Wire had reported in December 2019. These emails were tailor-made to suit the interests of the individual receiver and were sent out between September and October 2019. The emails contained malware, which when installed, gives the attacker “full visibility and control”.
In a piece published on December 21, 2019, The Wire pointed out several anomalies in the digital evidence that the police claimed to have found on Wilson’s computer.
The Elgar Parishad case has seen several turns and twists, with every new chargesheet making new claims. The case had first begun with allegations that a group of “Urban Naxals” were planning a “Rajiv Gandhi style assassination” of Prime Minister Narendra Modi. This explosive claim was made by the Pune police soon after five persons – Wilson, Gadling, academic Shoma Sen, activist Sudhir Dhawale and activist Mahesh Raut – were arrested on June 6, 2018.
While the police claimed that the information allegedly plotting Modi’s assassination was found on Wilson’s laptop (that was seized in a raid carried out on April 17), no arrests were made in the case until June 6. This discrepancy has been questioned by the defence several times in their arguments.
Explaining the exact way in which Wilson’s computer was compromised, the Arsenal report states that Rao’s email had an attachment and Wilson was tricked into opening it. The email was sent at 3:07 pm on June 13, 2016 and Wilson had opened it within hours. At 6:16 pm, Wilson had responded to the email stating he was able to “open the attachment”. That is the point when his computer had been compromised, the report states.
“Opening the document (a decoy within a RAR archive file named “another victory.rar”- see image 2) was part of a chain of events which led to the installation of the NetWire remote access Trojan (“RAT”) on Wilson’s computer,” Arsenal Consulting’s investigations have found.
While Wilson thought he was opening a link to Dropbox through that email, the email had through Netwire malware compromised his laptop. “Arsenal developed internal tools during the course of our analysis which allowed us to search for and decrypt NetWire logs anywhere on Mr. Wilson’s computer,” the report explains. Arsenal was able to recover a combination of complete and partial NetWire logs from 57 particular days between late 2016 and April 17, 2018, the day Wilson’s computer was seized. The activity captured in these logs included Wilson’s browsing websites, submitting passwords, composing emails, and editing documents.” it says.
‘Malware can be procured easily’
The report says that NetWire malware can easily be procured, for mere $10 and the Netherlands-based company also provides an easy guide to use the malware.
Netwire is a popular multi-platform remote access Trojan system. The NetWire system can be obtained by attackers through a variety of ways, one of which is to purchase it from World Wired Labs. Arsenal’s investigation states that “NetWire is quite powerful and has been under ongoing development for many years”. The report says that the version updates can be dated back to at least June 2013. In addition to remote control features which include uploading and downloading filed, NetWire offers more insidious features such as proxy chaining (making the identification of attackers more difficult), “stealth” screenshots, keylogging and password “recovery”.
Another crucial finding says that Wilson had WinRAR v3.70 – an archive manager which can compress and decompress files – installed on his laptop. The attacker, however, would temporarily deploy WinRAR v4.20 during their file deliveries. These transactions, Arsenal’s investigation states, showed the attacker delivering “OPSEC_notes.docx” and finally deleting “OPSEC_notes.rar” and Adobe.exe.
Arsenal’s findings claim that there is no evidence found among the “top ten most important” documents (that were sent to them for analysis) were “ever interacted with in any legitimate way on Mr. Wilson’s computer”.
“More particularly, there is no evidence which would suggest any of the top ten documents, or the hidden folder they were contained in, were ever opened,” one of the findings states. If true, this finding raises a crucial point as it suggests that Wilson was unaware during these 22 months that his laptop had been compromised or about the attack that he was subjected to.
The incriminating documents, Arsenal’s finding states, were sent to Wilson’s computer through “hidden files”. Describing how the malware was installed on Wilson’s laptop, the report says, the report says that first a folder named “kbackup” was created on November 3, 2016 at 00:10:07 and within minutes, it was changed to “Rbackup” at 00:40:24. The “Rbackup” folder was then set to “hidden” on the same day at 16:18:49. The time stamp on the last modification on the folder shows at 16:50:41 on April 16, 2018, around 50 days before Wilson and four others were arrested in connection with the Elgar Parishad case.
Soon after the report was made available to the defence team, an application was moved before the Bombay high court to set up a special investigation team (SIT) under the supervision of the court. The petition states that the role of the investigating agencies has been questionable, and their conduct “demonstrates that they have shown no inclination to ascertain the truth or authenticity of the records, and have shown extreme zest in arresting and prosecuting petitioner (Wilson) and co-accused”.
Senior lawyer Mihir Desai, who appears for Wilson and other arrested activists in the case, told The Wire that right from the beginning of the case, the lawyers and human rights activists had maintained that the Elgar Parishad investigation was based on “lies” manufactured by the investigating agencies.
“The evidence today presented before the court is only an extension of what we have been maintaining all through. Like Wilson, the digital data of the other accused has also been compromised,” Desai said, adding that this evidence should be considered seriously. He believed that it provides a strong case to release all those who have incarcerated in the case for nearly three years. The defence lawyers, along with the immediate release of the accused, have also sought compensation.
Before the rights activists and lawyers were targeted in the case, Samasta Hindu Aghadi president and Hindutva leader Milind Ekbote and Shiv Prathistan Hindustan leader Sambhaji Bhide were accused of being the “masterminds” behind the attack on Dalit community members at Bhima Koregaon on January 1, 2018. That case, filed by anti-caste activist Anita Sawale a day after the incident, had led to Ekbote’s brief arrest.
But once the Pune police brought in an entirely new angle of “Urban Naxals” in the case, the investigation against the two Brahmin leaders – Bhide and Ekbote – was stalled. Salve’s complaint was backed by the initial affidavits filed by the state, both in the Supreme Court and also before the assembly.
Advocate Rathod says that with the findings of the Arsenal report, the defence will urge the state government to take another look into the case and “focus on the real perpetrators”. He said, “The Bhima-Koregaon violence was planned by Hindutva groups and the role played by Bhide and Ekbote became clear during the initial investigation. The Pune police, which was then under the BJP state government, had derailed the investigation and focussed on the rights activists. At least now, we hope that the real perpetrators are probed.”