‘Evidence’ against Surendra Gadling Planted on His Computer Since 2016, Says Arsenal Report

New Delhi: Jailed human rights lawyer Surendra Gadling’s computer was attacked and placed under surveillance as early as 2016, and incriminating documents were secretly planted on it, Massachusetts-based digital forensics firm Arsenal Consulting has found. The investigation revealed that the activities were carried out by the same unidentified attacker who targeted the computer of Gadling’s fellow activist Rona Wilson.

Gadling and Wilson are among the 16 human rights activists, lawyers and academics arrested in the ongoing Elgar Parishad-Bhima Koregaon case.

The recent report by Arsenal, the third in the case so far, shows that Gadling had been under cyber attack since 2016, two years before he was finally arrested on April 6, 2018.

The revelation can be a turning point in the case, but it comes as the oldest of the defendants, Father Stan Swamy, an octogenarian Jesuit priest who fought for the rights of marginalised communities in Jharkhand, has passed away in custody after being denied medical bail.

In a significant revelation, the forensic analysis also found that the 14 significant documents, on the basis of which the National Investigation Agency (NIA) has held Gadling in prison, were planted on his computer using malware called NetWire. After infiltrating Gadling’s and Wilson’s computers, the attacker deposited several files in hidden folders on the devices. The investigators in the case had cited the documents as incriminating evidence linking the activists to the banned Communist Party of India (Maoist).

“Arsenal has determined that the 14 important documents were delivered to a hidden folder (named ‘Material’) on the tertiary volume of Mr. Gadling’s computer by NetWire and not by other means,” stated the Arsenal report shared by the Washington Post. It added that the forensic analysis has found no evidence to suggest that the said documents were ever “interacted with in any legitimate way” or even opened on Gadling’s computer.

In its report, Arsenal said, “It is obvious that their (attacker’s) primary goals were surveillance and incriminating document delivery. Arsenal has effectively caught the attacker red handed, based on remnants of their activity left behind in file system transactions, application execution data, and otherwise. It is important to note that Arsenal has also recovered communications with the attacker’s command and control server from Mr. Gadling’s computer.”

Arsenal further added that their analysis has connected the same attacker to “a significant malware infrastructure” that was deployed over nearly four years to not only attack and compromise Gadling’s computer for 20 months, but to attack his co-defendants in the Bhima Koregaon case and defendants in other high-profile Indian cases as well.


According to the report, on a ‘particularly interesting day’, July 22, 2017, the attacker was active on both computers within a period of 15 minutes. On this day, the attacker deployed documents on Wilson’s computer and, approximately 15 minutes later, deployed documents to a hidden folder on Gadling’s computer. One of the deployed documents was identical on both machines and named “CC –Financial Policy.docx”, which is the document with details of alleged funding to the Maoists, the Washington Post report notes.

The email-based attacks used to install the malware on the activists’ computers also resemble each other, revealing an insidious pattern. Gadling’s computer was first compromised by the attacker on February 29, 2016. “The attacker made three particularly relevant attempts at compromising Mr. Gadling’s computer via email, sending him identical malware (but packaged differently) on February 12 and February 18, 2016. Ultimately, on February 29, 2016 Mr. Gadling executed this malware,” the report said. The February 29 email was sent from an email address attributed to Arun Ferreira, a lawyer and another defendant in the case.

The three emails were sent from the email IDs of people from Gadling’s own social circle. The first two emails were sent to him on February 12 from Harshal Lingayat, who is Gadling’s legal junior, and Prashant Rahi, a social activist convicted in a separate case under the UAPA. The February 18 email was from Arun Ferreira, a lawyer and co-accused in the case.

The emails contained subjects and content related to Gadling’s work and interests, along with a Zip file attachment with a custom name for each email and its subject. For instance, the email sent from Rahi’s ID discusses Stan Swamy’s ailing health condition and medical care while attaching a file named ‘Book Release Report with Kujur’. Further, the email was copied to several other people, including lawyer-activist Sudha Bharadwaj and Stan Swamy, both arrested in the same case.

However, these emails were sent by the attacker using an email spoofing service. “Please note that by February 2016, the attacker had compromised the email accounts of multiple defendants in the Bhima Koregaon case, and had also used at least two different email spoofing services,” the report noted. All three emails had identical JavaScript malware attached within the Zip file attachments, which would subsequently install the NetWire remote access trojan on the computer. “The attacker deployed multiple NetWires to Mr. Gadling’s computer over time,” the report said. It is not yet clear whether Bharadwaj or Swamy also downloaded the Zip files and fell victim to the cyber attack.

Further, Arsenal also found and decrypted partial NetWire logs from Gadling’s computer for 55 days between March 5, 2016 and October 22, 2017. NetWire logs are files used for surveillance purposes and contain keystrokes and other information related to the victim. “The activity captured in these partially recovered logs included Mr. Gadling browsing websites, submitting passwords, composing emails, and editing documents,” it said.

While the Arsenal report is expected to help the incarcerated human rights defenders get justice, it will also be subjected to judicial scrutiny. The revelation of planted documents on their computers, on which the NIA’s ‘Maoist link’ accusation is based, raises a big question over the validity of the case and evidence tampering.

Arsenal’s findings go “a long way in exonerating the accused and destroying the prosecution’s case,” Mihir Desai, a member of the accused’s defense team, told the Washington Post. Currently, a motion to quash the charges against the accused based on Arsenal’s first report is pending before the Bombay High Court. The NIA has said it was not going to rely on Arsenal’s findings as the forensic study was not ordered by the court.

Arsenal has been retained by the same defence team to analyse electronic evidence seized from Gadling and Wilson’s homes by the police.

This article first appeared in