Evidence found on a second Indian activist’s computer was planted, report says

By  and / Washington Post
NEW DELHI — The two activists were jailed in 2018 and accused of plotting an insurgency against the government. A new forensic report concludes they also shared something else: They were both victims of the same hacker who planted evidence on their computers.

The finding raises fresh doubts about a case that rights groups consider an effort to crack down on critics of Prime Minister Narendra Modi. More than a dozen activists have been imprisoned without trial under a stringent anti-terrorism law that rarely results in convictions.

Arsenal Consulting, a Massachusetts-based digital forensics firm, examined electronic copies of the computers, as well as email accounts belonging to two of the activists, Surendra Gadling and Rona Wilson, at the request of defense lawyers.

An unidentified attacker used malicious software to infiltrate the two computers and deposited dozens of files in hidden folders on the devices, Arsenal said. Investigators later cited the documents as incriminating evidence linking the activists to a banned Maoist militant group that aims to overthrow the government.

Tuesday’s report is the third that Arsenal has released in the case. The previous reports concluded that Wilson’s laptop was hacked, and that more than 30 files, including an explosive letter mentioning a plot to assassinate Modi, were deposited on the computer. The Washington Post was the first to report that a hacker had planted evidence in the case.

Experts say the information in the new report points to an extensive and coordinated malware campaign that targeted and probably compromised other computers beyond those belonging to the two activists.

United Nations officials have called for the release of the defendants in what is known as the Bhima Koregaon case, noting their work on behalf of India’s most disadvantaged communities. The activists deny the charges against them.

One of the imprisoned activists was Stan Swamy, an 84-year-old Jesuit priest with Parkinson’s disease. After spending nearly eight months in jail, he was sent to a hospital in poor health in late May. He was placed on a ventilator and died on Monday. At a hearing in May, he begged judges to grant him bail so he could return home for what might be his last days.

Jaya Roy, a spokeswoman for the National Investigation Agency, the anti-terrorism authority overseeing the cases against the activists, declined to respond to questions about the new report. The matter is before the courts, Roy said, and the agency prefers not to comment.

The latest forensic analysis focuses on a computer belonging to Gadling, a human rights lawyer based in western India. The device was infected with NetWire, a commercially available form of malware, for nearly two years before his arrest in 2018, the report says.

Arsenal’s findings go “a long way in exonerating the accused and destroying the prosecution’s case,” said Mihir Desai, a member of the group’s defense team. A motion to quash the charges based on Arsenal’s first report is pending before the courts.

So far, Arsenal has conducted its work on the case on a pro-bono basis, said Mark Spencer, its president. Three experts on malware and digital forensics in North America reviewed the latest report at the request of The Post and said its conclusions were sound.

The report details how the same methodology was used in the attacks on the computers belonging to Gadling and Wilson. In both cases, the attacker deployed an identical piece of malware to communicate with the same server and initially targeted victims via email.

One afternoon in July 2017, Arsenal said, the attacker was active on the two computers within a period of 20 minutes. During that time, the same document — a purported account of the banned Maoist group’s funding — was deposited on both devices.

There is “no question” that the same attacker targeted both computers, said Kevin Ripa, president of the Grayson Group of Companies and an expert in digital forensics who reviewed a copy of the report.

The analysis strongly suggests that Gadling and Wilson were not the only victims. A malware-laden email sent to Gadling in February 2016 was also addressed to 14 other recipients, including two people who later became co-defendants in the case, one of whom was Swamy, the Jesuit priest who died Monday. Any of the recipients who opened the attachment would have installed malware capable of monitoring and controlling their computers.

“There’s clearly a larger set of activity here,” said Juan Andres Guerrero-Saade, a principal threat researcher at cybersecurity firm SentinelOne. The two computers examined by Arsenal “aren’t the only machines being compromised by this threat actor.”

Gadling, a 53-year-old lawyer and father of two, is a member of the Dalit community, the lowest rung of India’s caste hierarchy. He worked much of his life defending people charged under the same anti-terror law now used in his case. Gadling has spent three years in jail awaiting trial.

This article first appeared in