Security Researchers Claim Link Between Pune Police And Hacking Campaign Against Bhima Koregaon Accused

The recovery email id and phone number on accounts of Wilson, Rao and Babu were allegedly linked to a Pune police officer.


New Delhi: Security researchers in the United States have claimed that they have unearthed new evidence linking the Pune police to the hacking of the e-mail accounts of activists Rona Wilson and Varavara Rao and Delhi University professor Hany Babu. This is the first time that a direct link between the state and the hacking has been alleged in the case.

The three individuals are among the 16 accused arrested in the Elgar Parishad case. One of them, the 84-year-old Jharkhand-based tribal rights activist Father Stan Swamy, died in July last year. Over the last few years, multiple digital forensic investigators have questioned the nature of the evidence that Indian law enforcement collected from the electronic devices of the accused, with one firm concluding that hackers had planted incriminating files on the devices of at least two of the arrested activists.

Now, security researchers have pointed towards links between the hacking attempts on three of the accused and the Pune police department.

“There’s a provable connection between the individuals who arrested these folks and the individuals who planted the evidence,” Juan Andres Guerrero-Saade, a security researcher at SentinelOne, told Wired magazine.

“This is beyond ethically compromised. It is beyond callous. So we’re trying to put as much data forward as we can in the hopes of helping these victims.”

SentinelOne’s new findings specifically link the Pune police to a long-running hacking campaign that the firm calls ‘Modified Elephant’. After studying, pro bono, more than 100 phishing emails received by Wilson (sourced through his defence lawyers), SentinelOne found that the earliest attack on him dates back to 2012. According to the report, the campaign began in 2012, intensified in 2014 and continued aggressively until at least 2016.

SentinelOne’s new revelations, published today in Wired magazine, come from its work with an unnamed email service provider, which supplied the crucial data that allowed the researchers to allege a link to the Indian law enforcement agency.

In particular, the security firm points out that three of the victims’ email accounts (those of Wilson, Babu and Rao), compromised by the hackers in 2018 and 2019, had the same recovery email address and phone number added as a backup mechanism. Recovery contacts receive password-reset links and codes, so adding them would let the hackers regain control of the accounts even if the passwords were later changed.

Who did this recovery email ID and phone number belong to? According to the publication, the email address “included the full name of a police official in Pune who was closely involved in the Bhima Koregaon 16 case”.

The publication and researchers at other institutions such as Internet watchdog Citizen Lab collaborated further to confirm that the recovery email ID and recovery phone number belonged to a Pune police official.

“Security researcher Zeshan Aziz found the recovery email address and phone number tied to the Pune police official’s name in the leaked database of TrueCaller, a caller ID and call-blocking app, and found the phone number linked to his name in the leaked database of iimjobs.com, an Indian job recruitment website….,” the report notes.

“Scott-Railton [of Citizen Lab] further found that the WhatsApp profile photo for the recovery phone number added to the hacked accounts displays a selfie photo of the police official—a man who appears to be the same officer at police press conferences and even in one news photograph taken at the arrest of Varavara Rao.”


In the case of Rona Wilson, according to the security analyst at the email service provider who worked with SentinelOne, his account received a phishing email in April 2018 and appeared to be compromised shortly afterwards. At the same time, the email address and phone number linked to the Pune city police were added to the account as recovery contacts.

It is important to note, the media report says, that recovery contact details can only be added after a verification step: a confirmation link is sent to the new recovery email address, or a one-time code is sent by SMS to the new recovery phone number. Whoever added them therefore had to control both the email address and the phone number at that moment. This suggests that the police official did in fact control that email address and phone number.
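The two indicators that the evidence above rests on, a recovery contact added shortly after a phishing email lands, and the same recovery contact turning up on several unrelated victims’ accounts, are exactly what an email provider’s security team can look for in its own account-change logs. The following is an added example of that detection logic written for this page; it is not code from SentinelOne, Wired or the email provider, and the accounts, addresses, phone numbers and timestamps in the sample log are constructed placeholders, not data from the case.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    account: str
    ts: datetime
    kind: str    # "phishing_delivered" or "recovery_added"
    detail: str  # sender address for a phish; "email:..." or "phone:..." for a recovery change


# Constructed sample audit log. All identifiers are placeholders, not data from the case.
EVENTS = [
    Event("victim-a@example.net", datetime(2018, 4, 2, 9, 15), "phishing_delivered", "docs-share@lookalike.invalid"),
    Event("victim-a@example.net", datetime(2018, 4, 2, 21, 40), "recovery_added", "email:recovery.contact@mail.invalid"),
    Event("victim-a@example.net", datetime(2018, 4, 2, 21, 41), "recovery_added", "phone:+910000000000"),
    Event("victim-b@example.net", datetime(2018, 11, 20, 8, 5), "phishing_delivered", "hr-notice@lookalike.invalid"),
    Event("victim-b@example.net", datetime(2018, 11, 21, 6, 30), "recovery_added", "email:recovery.contact@mail.invalid"),
    Event("victim-c@example.net", datetime(2019, 3, 14, 12, 0), "phishing_delivered", "invoice@lookalike.invalid"),
    Event("victim-c@example.net", datetime(2019, 3, 15, 7, 10), "recovery_added", "phone:+910000000000"),
    # Benign: the owner adds a recovery phone with no preceding phish.
    Event("alice@example.net", datetime(2019, 1, 5, 10, 0), "recovery_added", "phone:+910000000001"),
    # Benign: a phish was delivered, but the recovery change months later is unrelated.
    Event("bob@example.net", datetime(2018, 6, 1, 9, 0), "phishing_delivered", "promo@lookalike.invalid"),
    Event("bob@example.net", datetime(2018, 9, 1, 9, 0), "recovery_added", "email:bob.backup@mail.invalid"),
]


def recovery_changes_after_phish(events, window=timedelta(hours=48)):
    """Recovery contacts added within `window` after a phishing delivery to the same account.

    Returns a sorted list of (account, contact, hours_after_phish). A recovery contact
    can only be added after the new address or number is verified, so a change that
    follows a phish this closely means the attacker controlled that contact.
    """
    by_account = defaultdict(list)
    for e in events:
        by_account[e.account].append(e)

    hits = []
    for account, evs in by_account.items():
        evs.sort(key=lambda e: e.ts)
        phish_times = [e.ts for e in evs if e.kind == "phishing_delivered"]
        for e in evs:
            if e.kind != "recovery_added":
                continue
            prior = [t for t in phish_times if t <= e.ts]  # phishes before this change
            if prior and e.ts - max(prior) <= window:
                hours = (e.ts - max(prior)).total_seconds() / 3600
                hits.append((account, e.detail, round(hours, 1)))
    return sorted(hits)


def shared_recovery_contacts(events, min_accounts=2):
    """Recovery contact values attached to at least `min_accounts` distinct accounts.

    A legitimate owner does not share a recovery email or phone with strangers, so the
    same contact appearing on several unrelated accounts is a strong takeover indicator
    and also ties those takeovers to one operator.
    """
    accounts_by_contact = defaultdict(set)
    for e in events:
        if e.kind == "recovery_added":
            accounts_by_contact[e.detail].add(e.account)
    return {c: sorted(a) for c, a in accounts_by_contact.items() if len(a) >= min_accounts}


if __name__ == "__main__":
    for hit in recovery_changes_after_phish(EVENTS):
        print("recovery change shortly after phish:", hit)
    for contact, accounts in shared_recovery_contacts(EVENTS).items():
        print("recovery contact reused across accounts:", contact, accounts)
```

On the constructed log, the first check flags the three victims and ignores alice (no preceding phish) and bob (recovery change three months later); the second check returns the placeholder email and phone number, each attached to two victims. The 48-hour window is an assumption chosen for the example; in practice it should be tuned to the provider’s own password-reset and session-expiry behaviour.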

“We generally don’t tell people who targeted them, but I’m kind of tired of watching shit burn,” the security analyst at the email provider told Wired of their decision to reveal the identifying evidence from the hacked accounts. “These guys are not going after terrorists. They’re going after human rights defenders and journalists. And it’s not right.”