Tech

Exclusive: Not Just WhatsApp, Snooping Attack on Indian Activists Was Through Email Too

Several human rights defenders and journalists, most of whom are associated with the Bhima Koregaon case, have received suspicious emails containing a malware designed to take control of their computers, Amnesty International has found.

Mumbai: It was not just Israeli spyware Pegasus that was used to digitally spy on human rights defenders and journalists in India.

A clear pattern of another well-coordinated and effectively designed digital attack has now emerged – this time through emails. These emails, all tailor-made to suit the interests of the individual receiver, were sent out between September and October 2019.

The Wire is in possession of several of these emails, which human rights organisation Amnesty International has studied to come up with some startling revelations.

According to the study conducted by Amnesty International’s digital team based in Berlin, “These emails were specially crafted to bait journalists or activists.” The infection, Amnesty Tech says, contains  malware which is sent through a link and a request to download. This file, the organisation has found out, is sent with a malicious intention. “Once the malware is installed on your device, the attacker has full visibility and control of your computer: access to all your files, your camera, it can take screenshots, and record everything you type on your keyboard,” Amnesty Tech has found.

Some of the sample subject lines includes: “Reminder Summons For Rioting Case”, “Pune SHO Sexually Abuse Journalists” and “Re: Summons Notice For Rioting Case Cr. 24/ 2018”.

While most recipient of the emails were also attacked by Pegasus, one of the unassuming victims of the malware attack was Prem Kumar Vijayan, a professor at the English department of Delhi University. On October 26 this year, Vijayan received an email from one Jennifer Gonzales. The subject line of the email read: “Summons Notice for Rioting Case Cr. 24/ 2018”. The email contained an attachment and the sender had signed off as a special public prosecutor of the Jagdalpur sessions court in Chhattisgarh’s Bastar region.

Vijayan says since he has never entered Chhattisgarh in his life, he was baffled on seeing this email. He told The Wire, “I immediately replied on that email and asked if the sender had indeed sent this email to me. Within an hour, I received another email confirming that the email was indeed meant for me and that the case proceedings would proceed in the Jagdalpur court as mentioned in the indictment notice attached with the email.”

Convinced that the email was indeed authentic, Vijayan says he opened the link attached on both his computer and his mobile phone but the folder did not lead him to anything specific. “I wrote back saying I am unable to open the file completely. The .exe file sent to me was an archive file with one PDF file attached. It had one unsigned warrant with no letterhead and several other files attached did not open.”

The emails received by P.K. Vijayan.

The emails received by P.K. Vijayan.

He says he also grew suspicious since the sender’s email id was not an official one and hence, he also promptly inquired about the authenticity of the sender. “I have no reason so far to believe the authenticity of these emails. Who exactly are you? What are you trying to achieve with these messages?” Vijayan asked in his email response. Pat came a response: “As a public servant I am not obliged to respond to such demands. Please desist from issuing further threats.” Vijayan says by now he was certain that this was not an authentic email and it certainly carried a malafide intention.

Similarly, other lawyers who received identical emails include Dalit rights activist and People’s Union for Civil Liberties (PUCL) Chhattisgarh state president Degree Prasad Chouhan; Jagdalpur Legal Aid Group’s (JAGLAG) official email id and one of their lawyers Isha Khandelwal; Nagpur-based human rights lawyer Nihalsing Rathod; Partho Sarothi Ray, a 42-year-old Kolkata-based molecular biologist; and a Mumbai-based reporter.

Since most of these individuals were attacked digitally in the past as well and say that they see a clear pattern behind this attack, they told The Wire that they would like to be identified. The Wire has contacted each of these individuals and taken their consent before publishing this story.

According to Amnesty Tech’s preliminary investigations, the emails were sent out from “seemingly regular person[‘s account]”. “It has a subject line that is designed to be relevant to the recipient and the content of the email is designed to resemble a file- sharing device, such as Google Drive or Dropbox,” the alert issued by Amnesty Tech today states.

The Wire has spoken to all six receivers and has tried to understand the pattern of this digital attack. Each of these emails were also studied by Amnesty International. Similar work was done by The Citizen Lab, a research organisation which works out of the University of Toronto. This lab had earlier worked with WhatsApp to examine the effects of the Israeli spyware Pegasus, along with reaching out to help potential victims across the world.

While the preliminary investigations have not made it clear as to who could be behind this attack, the tech team has ruled out the possible role of NSO Group or Pegasus. “Amnesty International’s Tech Security Lab can confirm these emails carry malicious links attempting to lure targets to download and install what appears to be spyware for Windows computers. While these attacks do not appear to be connected to NSO Group or Pegasus, we are investigating them and invite those who received similar messages to forward them to share@amnesty.tech,” the organisation said on email in response to The Wire’s query.

Also read: Indian Activists, Lawyers Were ‘Targeted’ Using Israeli Spyware Pegasus

Barring Vijayan, every other recipient has one common link: the Bhima Koregaon trial. For instance, Chouhan is an active human rights activist based in Raigarh district and has been working closely with Sudha Bharadwaj, a Chhattisgarh-based lawyer who is presently in prison for her alleged role in the case. Bharadwaj is a renowned human rights activist and lawyer, and has been arrested over the bizarre accusation of being a part of an “Urban Naxal” network that, according to the Pune police, has spread and operated from across the country. Rathod is a lawyer who worked with another arrested lawyer, Surendra Gadling. He is also one of the main lawyers handling the Bhima Koregaon arrest case, representing the accused both in the lower judiciary and the Supreme Court.

Similarly, JAGLAG has been actively handling Bharadwaj and other activists’ cases. The Mumbai-based journalist, who did not wish to be named, has extensively reported on the Bhima Koregaon investigation and the court proceedings.

The email received by the Mumbai-based journalist.

Ray, who is a well-known civil rights activist in Kolkata, appears several times in the chargesheet filed against the nine accused in the Bhima Koregaon case. On November 8, The Wire, in an exclusive report had given a detailed account of the email that Yahoo had sent to Ray, alerting him of “government- backed actors” attempting to hack his email account.

Also read: Kolkata Prof Got an Alert From Yahoo Over ‘Govt-Backed’ Email Snooping Attempt

While Vijayan doesn’t have any direct link with the Bhima Koregaon case and says he has never visited Chhattisgarh, he had actively participated in campaigns demanding the release of his former colleague, G.N. Saibaba, who is presently serving a life sentence in Nagpur central prison. Saibaba, who is 90% physically handicapped, has been accused of having Maoist links and has suffered a prolonged incarceration.

Rathod was one of the first persons to have talked about the suspicious WhatsApp calls made to him. On October 6, Rathod received an email from one Muskaan Sinha. The email subject line stated: “Case No 1621/ 18 SUMMONS IN ARSON CASE JAGDALPUR”. A day after, he was contacted by John Scot-Railton from The Citizen Lab, informing him that he faced a “specific digital risk”. While Scot-Railton had contacted him to warn him about WhatsApp, Rathod says, he had been suspicious for a while about possible snooping attempts made through different channels. “I got suspicious about this email and eventually sent it to Amnesty to take a closer look into this,” Rathod told The Wire.

Similarly, Khandelwal too had forwarded the email from Jennifer Gonzales to Amnesty and The Citizen Lab for further investigation. Her email subject line read “Reminder Summons for Rioting Case” and it was signed off once again by one Jennifer Gonzales, who claimed to be a special public prosecutor of Jagdalpur. The Wire has checked at the district court and magistrate courts in Jagdalpur, and confirmed that no such person is appointed as a special public prosecutor in the district. Strangely, the sender Jennifer Gonzales has chosen popular Hindi TV actress Jennifer Winget’s picture as the thumbnail picture on the Gmail account.

The email received by Isha Khandelwal.

The email sent to Chouhan is identical to what Khandelwal had received, both on October 26.

The email sent to JAGLAG, however, was unique and it claimed “JAGLAG to be Blacklisted Over Irregularities”. JAGLAG has, over the years, been attacked by the state machinery and the local hardline right-wing organisations for working in the tribal area and raising issues of extrajudicial killings and land grabbing. Most lawyers associated with the organisation have moved out of Jagdalpur and are working from nearby districts or outside.

The email received by JAGLAG.

The email sent to the journalist in Mumbai was also specific. It talked of a sexual harassment case in Pune. The subject line read: “Pune SHO Sexually Abuse Journalists”. The email further said, “We request for legal help in more than one case of sexual assault. We have written a brief summary for your reference. Local police officers are threatening us not to pursue this case.” The journalist, like other recipients, also opened the email on a laptop.

So far, Yahoo and Google have warned India-based targets they may have been the victims of a snooping attempt by “government-backed actors”. The Yahoo alert reads: “We believe your Yahoo account may have been the target of government-backed actors, which means that they could gain access to the information in your account.” Google, in its alert, has said that over 500 potential targets of the 12,000-odd targets across the world were from India.

It is unclear at the moment who these “government-backed actors” are, why they would want to target Indian users and whether the snooping attempts were successful. But both Google and Yahoo have identified these attackers to be “government-backed”.