An attacker used malware to infiltrate a laptop belonging to one of the activists, Rona Wilson, before his arrest and deposited at least 10 incriminating letters on the computer, according to a report from Arsenal Consulting, a Massachusetts-based digital forensics firm that examined an electronic copy of the laptop at the request of Wilson’s lawyers.
Many of the activists have been jailed for more than two years without trial under a stringent anti-terrorism law. Human rights groups and legal experts consider the case an attempt to suppress dissent in India, where government critics have faced intimidation, harassment and arrest during Modi’s tenure.
Arsenal’s report on the Indian case does not identify the perpetrator of the cyberattack. The analysis, which has not been previously reported, was reviewed by The Washington Post. Three outside experts who reviewed the document at The Post’s request said the report’s conclusions were valid.
Sudeep Pasbola, a lawyer representing Wilson, said the Arsenal report proved his client’s innocence and “destabilizes” the prosecution case against the activists. On Wednesday, Wilson’s lawyers included the report in a petition filed in the High Court of Bombay urging judges to dismiss the case against their client.
Jaya Roy, a spokeswoman for the National Investigation Agency, the anti-terrorism authority overseeing the cases against the activists, said that the forensic analysis of Wilson’s laptop conducted by law enforcement did not show any evidence of malware on the device. She added that there was “substantial documentary and oral evidence” against the individuals charged in the case.
More than a dozen activists have been targeted in the investigation. They include Wilson, a Delhi-based activist, as well as a labor lawyer, a prominent academic, a poet and a priest. All are advocates for the rights of India’s most underprivileged communities, including tribal peoples and Dalits, formerly known as “untouchables.”
They’re also outspoken opponents of Modi’s government. They have denied the charges, which accuse them of working with a banned Maoist militant group to wage an insurgency against the Indian state.
The initial accusations against the activists rested heavily on incriminating letters recovered from electronic devices, particularly from Wilson’s laptop.
The most explosive allegation came from a letter that police said Wilson had written to a Maoist militant in which Wilson discussed the need for guns and ammunition and urged the banned group to assassinate Modi. Arsenal Consulting found that the letter — along with at least nine others — had been planted in a hidden folder on Wilson’s computer by an unidentified attacker who used malware to control and spy on the laptop.
“This is one of the most serious cases involving evidence tampering that Arsenal has ever encountered,” the report said, citing the “vast timespan” — nearly two years — between the time the laptop was first compromised and the moment the attacker delivered the last incriminating document.
Arsenal has so far conducted its work on the report on a pro bono basis, said Mark Spencer, the firm’s president. The company was founded in 2009 and has performed digital forensic analysis in other high-profile cases, including the Boston Marathon bombing.
The case against the Indian activists has drawn criticism from rights groups and experts. A spokeswoman for the U.N. high commissioner for human rights recently urged the Indian authorities to release the detained activists. Earlier U.N. experts called the accusations a “pretext” aimed at silencing defenders of marginalized groups. The American Bar Association has also expressed concern about the case, and its human rights initiative helped Wilson’s lawyers facilitate the review of the digital evidence.
Arsenal’s report gives a detailed account of the cyberattack. One afternoon in June 2016, it said, Wilson received several emails that appeared to be from a fellow activist he knew well. The friend urged him to click on a link to download an innocuous statement from a civil liberties group. Instead, the report says, the link deployed NetWire, a commercially available form of malicious software that allowed a hacker to access Wilson’s device.
Arsenal discovered records of the malware logging Wilson’s keystrokes, passwords and browsing activity. It also recovered file system information showing the attacker creating the hidden folder to which at least 10 incriminating letters were delivered — and then attempting to conceal those steps. The letters were created using a newer version of Microsoft Word that did not exist on Wilson’s computer, the report said. Arsenal found no evidence that the documents or the hidden folder were ever opened.
Spencer, Arsenal’s president, called the attack “very organized” and “extremely dark” in intent. Arsenal has spent more than 300 hours analyzing the laptop’s contents, he said.
Spencer said the company has only rarely seen malware used for evidence tampering and that Wilson’s case was “unique and deeply disturbing.” In 2016, Arsenal found that evidence had been delivered to a computer belonging to a Turkish journalist accused of terrorism. The journalist and several co-defendants were ultimately freed.
The Post asked three experts on malware and digital forensics in North America to review Arsenal’s report, and they said its findings were sound.
Arsenal produced a “serious and credible” analysis documenting how the laptop was infected with malware, said John Scott-Railton, a senior researcher at Citizen Lab at the University of Toronto. It raises “urgent questions about the reliability of evidence from that computer in a prosecution.”
The report does not identify the person or institution behind the malware attack on Wilson’s laptop. But it notes that Wilson was not the attacker’s only victim. The same attacker deployed some of the same servers and IP addresses to target Wilson’s co-defendants in the case over a period of four years, the report said, based on a review of forensic images related to those individuals.
The attack on Wilson’s computer is one piece of a larger malware campaign, experts said. Last year, Amnesty International revealed that nine people seeking to help the activists accused in the case were also targeted with emails containing malicious links that deployed NetWire.
The fact that the same domain names and IP addresses appear both in the Arsenal and Amnesty reports is “not a coincidence,” said Adam Meyers, senior vice president of intelligence at the cybersecurity firm CrowdStrike, one of the experts who reviewed the report at The Post’s request.
Amnesty noted that three of the people seeking to assist the activists were separately targeted in 2019 with the NSO Group’s Pegasus spyware, a tool sold only to governments. A cabinet minister declined to answer questions from the opposition in Parliament about whether India had purchased the Pegasus software but said that “no unauthorized interception” had occurred.
Lawyers for other defendants in the case have asked law enforcement authorities to provide digital images of the electronic devices seized from their clients — including phones and laptops — for possible analysis. To date, copies of digital devices belonging to at least two of the activists have been shared, defense lawyers said.
The case against the activists has its origins in events that unfolded on Jan. 1, 2018, in a village known as Bhima Koregaon in western India. That day marked the 200th anniversary of a colonial-era battle that many Dalits view as a victory over their oppressors in India’s caste system. The annual commemoration turned hostile as Hindu nationalist groups and Dalits clashed. One person was killed.
The early police investigation focused on the Jan. 1 violence but rapidly transformed into a probe of what authorities called “other destructive activities.” The initial charges cited some of the letters that the Arsenal report said were planted. The authenticity of the letters has also been questioned by experts, a 2019 story in the Caravan magazine and a supreme court justice who cast doubt on the impartiality of the probe.
After three years of investigation, the charging documents in the case now run to more than 17,000 pages. They cite both digital evidence and accounts by witnesses, who allege that some of the activists were members of the banned Communist Party of India (Maoist), a group that has fought an armed insurgency against the government for decades. Most of the accounts are not sworn testimony and none have been tested in court, defense lawyers have pointed out.
Meanwhile, judges have rejected bail applications for the activists. Nearly all of the 16 accused have remained imprisoned throughout the pandemic, even as India temporarily released thousands of other prisoners because of worries about rising infections. Several of the activists are senior citizens with serious health ailments, their friends and family say; one, a Jesuit priest named Stan Swamy, 83, suffers from Parkinson’s disease.
Roy, the spokeswoman for the National Investigation Agency, said it had opposed pleas for bail because of the “heinous” nature of the charges in the case. She added that the accused would receive “adequate treatment facilities” for any health issues.
Poet Varavara Rao, 80, is another of the imprisoned activists. His health has deteriorated in jail and he became incoherent last summer, his family said. He also contracted the coronavirus and repeatedly had to be transferred to the hospital because of other health complications. Rao remains hospitalized, and his family says his life will be in danger if he returns to prison.
Sudha Bharadwaj, a labor lawyer and activist who gave up her American citizenship after returning to India to work for the rights of tribal communities, has spent more than two years behind bars.
Family members of the defendants want their relatives to be released on bail while they fight what they say are false charges against them. Bharadwaj’s daughter Maaysha Nehra, 23, said she fears for her mother’s physical and mental health. Bharadwaj suffers from diabetes, high blood pressure and arthritis.
On a recent call, Bharadwaj sounded despondent for the first time since her arrest, her daughter said. Bharadwaj tries “to understand everybody and cope with things, but sometimes it is very, very difficult for her,” Nehra said. “How can you just keep a person like that when you don’t have proof?”