Cyber Attackers Who Targeted Rona Wilson Could Have Been Engaged by Same Entity: Report

New Delhi: Prisoners’ rights activist Rona Wilson – incarcerated for close to four years over what the Pune Police and NIA believe are his connections to the Elgar Parishad case – was subjected to digital attack since at least 2013, a new report has found.

The report, published by the California-based cybersecurity firm SentinelOne, has stated that several Indian human rights defenders, activists, academics, journalists and legal professionals have been subjected to digital attack since at least 2012.

In a 19-page detailed report, the researchers have stated that Wilson was subjected to two specific cyberattacks. One that can be linked to widely documented cyber-espionage campaigns against military targets in China and Pakistan and another ‘ModifiedElephant’ as dubbed by SentinelOne.

The detailed report can be read here.

The research findings, first reported in The Washington Post, say that while the findings on ModifiedElephant cannot be attributed to anyone in particular, “We observe that ModifiedElephant activity aligns sharply with Indian state interests and that there is an observable correlation between ModifiedElephant attacks and the arrests of individuals in controversial, politically-charged cases.”

Wilson, along with 15 other human rights defenders, lawyers and academics was arrested in the Elgar Parishad case.

The investigating agency claims that the accused persons were a part of the “Urban Naxal” group and among several allegations were trying to assassinate prime minister Narendra Modi. Only two persons – academic and lawyer Sudha Bharadwaj and poet and writer Varavara Rao – have managed to secure their bail so far. Others continue to languish in jail.

Eighty-four-year-old Jharkhand-based tribal rights activist and Jesuit priest, Father Stan Swamy, who was arrested in October last year, died on July 5 at a hospital in Mumbai, awaiting bail on medical grounds.

Since their arrest, several journalistic investigations and those conducted by human rights and digital organisations like Amnesty Tech Lab, an interdisciplinary laboratory based at the Munk School of Global Affairs and Public Policy of the University of Toronto Citizen Lab, and Massachusetts-based digital forensics firm Arsenal Consulting have from time to time exposed the persistent cyber attack on the human rights defenders before they were framed in the case and arrested. In December last year, Arsenal Consulting had confirmed that Wilson was a victim of both surveillance and incriminating document delivery for close to a year before his arrest on June 6, 2018.

In a related report published earlier, Arsenal Consulting had published another damning report, which said that a cyber attacker had gained access to Wilson’s computer at least 22 months before his arrest and at least 10 incriminating letters were placed on it through this attack. These incriminating letters form the backbone of the case registered first by the Pune police in 2018 – when Devendra Fadnavis-led BJP government was in power in Maharashtra and eventually the case was handed over to the National Investigation Agency (NIA), when the BJP government fell in the state.

Now, findings by the US experts working with SentinelOne, have for the first time found that Wilson had come under radar way before his arrest. A time frame significantly longer than earlier realised is an important revelation made in the recent report.

The report lays down the chronology of the attack hoisted on Wilson. Between February 2013 and January 2014, Wilson received phishing emails that can be attributed to the SideWinder threat actor, the report has found. Whether the attack launched by SideWinder succeeded or not is unknown, the report states.

The Washington Post’s report states that in 2019, the Pakistani government had issued an advisory detailing attacks on its defense and government offices by SideWinder and called it “an Indian attacker”.

“The relationship between ModifiedElephant and SideWinder is unclear as only the timing and targets of their phishing emails overlap within our dataset,” the researchers claim. This, they say, could suggest that the attackers are “being provided with similar tasking by a controlling entity, or that they work in concert somehow”.

Several dozen emails, all tailor-made to suit Wilson’s interest, were sent to him from familiar-looking email addresses of activists he knew. These emails carried “malware designed to infiltrate his computer.”

ModifiedElephant, SentinelOne has found, had sent emails with documents or attachments that carried commercially-available malware like NetWire and DarkComet. SentinelOne, supporting the earlier findings by Arsenal claims that Wilson received at least 32 emails from ModifiedElephant. Netwire was used not just to target Wilson but many other human rights defenders and a Mumbai-based journalist in 2019, according to the Amnesty International’s report.

Another crucial finding in the report points to the hacking group called Hangover.

At least two web domains used by ModifiedElephant for sending phishing emails to Wilson were linked to Hangover, SentinelOne says. The Washington Post’s report points to Hangover’s involvement in an alleged attack on Norway’s state-owned telecom company in 2013.

Snorre Fagerland, a Norwegian cybersecurity researcher who co-wrote a 2013 report on Hangover, told The Washington Post that “the newest details about the campaign against Wilson contribute to a better understanding of the ties between attackers who may be operating in India and targeting foreign adversaries and domestic dissidents alike”.

The Elgar Parishad case (also known as the Bhima Koregaon case) has offered a revealing perspective into the world of a threat actor willing to place significant time and resources into seeking the disruption of those with opposing views, SentinelOne says.

The report, like all of them in the past, has stated that many questions about this threat actor and their operations remain. “However, one thing is clear: Critics of authoritarian governments around the world must carefully understand the technical capabilities of those who would seek to silence them,” the researcher concluded in the report.

This article first appeared in