Bhima Koregaon arrests: An accusing finger points at Pune police
Pune police have been accused of planting evidence in electronic devices belonging to several of the Bhima Koregaon activists, many of whom are in jail.
US technology-focused magazine Wired said it had discovered a phone number and email used by a Pune police officer inserted into several laptops belonging to three Bhima Koregaon activists. The number and email had been inserted into the devices “to allow the hacker to easily regain control of the accounts if their passwords were changed,” Wired said.
Earlier investigations by tech experts had revealed that 32 files had been added to a laptop belonging to activist Rona Wilson using malware called Netwire. Wilson’s laptop had been hacked after he opened a mail from another activist, 81-year-old Varavara Rao.
However, this is the first time investigators have been able to clearly link the malware with the Pune police. The recovery email in the devices of three activists – Wilson, Rao and Delhi University professor Hany Babu – “included the full name of a police official in Pune who was closely involved in the Bhima Koregaon 16 case,” said Wired.
“There’s a provable connection between the individuals who arrested these folks and the individuals who planted the evidence,” says Juan Andres Guerrero-Saade, a senior researcher at security firm SentinelOne. Guerrero-Saade and another researcher, Tom Hegel, aim to present their findings at the Black Hat conference in Las Vegas in August. The Black Hat conference is one of the world’s largest events for cybersecurity and what’s called infosec or information security.
The officer who was in charge of the team that rounded up 10 of the activists said he was no longer involved in the case and declined to comment. The National Investigation Agency, the anti-terrorism authority now overseeing the case, has declined requests for a response to the Wired story.
“Hacking of computer resources is a criminal offense under the IT Act, 2000. India needs surveillance reform to protect citizens against the use of such technologies by government authorities which harm our privacy and democratic ideals,” the Internet Freedom Foundation said in a statement.
Guerrero-Saade added: “This is beyond ethically compromised. It is beyond callous. So we’re trying to put as much data forward as we can in the hopes of helping these victims.”
Wired’s investigation was aided by a security analyst at an email provider who didn’t want to be identified. He said, “These guys are not going after terrorists. They’re going after human rights defenders and journalists. And it’s not right.... We generally don’t tell people who targeted them, but I’m kind of tired of watching s**t burn.”
Wired also brought in John Scott-Railton, security researcher at the University of Toronto’s Citizen Lab, who was involved in the earlier investigations with Amnesty International that had initially revealed the hacking of those involved in the Bhima Koregaon case and also the use of Pegasus software against them. Scott-Railton searched open source databases of Indian phone numbers and email IDs.
He was able to link the recovery phone number “to an email address ending in email@example.com, a suffix for other email addresses used by police in Pune,” said Wired. The magazine added: “Scott-Railton found that the number is also linked in the database to the recovery email address connected to the hacked accounts for the same Pune police official.”
Another security researcher, Zeshan Aziz, found the recovery email address and phone “tied to the Pune police official’s name” in Truecaller, the caller ID database, and in a leaked database of iimjobs, a job recruitment site. The researcher also found the number in several Indian police directories and the Pune City police website.
In June 2018, 16 activists were charged under the tough Unlawful Activities (Prevention) Act (UAPA) with having links with Maoist groups and being part of a conspiracy to assassinate Prime Minister Narendra Modi. Several have been in jail since June 2018 despite repeated appeals for bail. The priest Stan Swamy, who had been suffering from Parkinson’s Disease, died in prison in July 2021 aged 84.
Arsenal Consulting, a digital forensics company, had earlier uncovered that a letter in Wilson’s computer hard drive, which appeared to show that he was conspiring with a leftist group to assassinate Prime Minister Modi, had been planted. “This is one of the most serious cases involving evidence-tampering that Arsenal has ever encountered,” Arsenal’s president Mark Spencer said in a report to a court where the case is being heard.
Cybersecurity firm SentinelOne published a report in February which said the efforts to target the Bhima Koregaon activists were part of a much bigger operation, which it called ModifiedElephant, that had targeted journalists, academics, lawyers and human rights activists for several years.
About ModifiedElephant, Wired said researchers at SentinelOne and nonprofits Citizen Lab and Amnesty International have linked the “evidence fabrication to a broader hacking operation that targeted hundreds of individuals over nearly a decade, using phishing emails to infect targeted computers with spyware, as well as smartphone hacking tools sold by the Israeli hacking contractor NSO Group.” It added: “Only now have SentinelOne’s researchers revealed ties between the hackers and a government entity: none other than the same Indian police agency in the city of Pune that arrested multiple activists on the fabricated evidence.”
Guerrero-Saade and Hegel say they’re deeply concerned about the accused in the Bhima Koregaon case. Guerrero-Saade says: “The real concern here is the folks languishing in prison. We’re hoping this leads to some form of justice.”
In February, 20 Opposition MPs wrote a letter to Prime Minister Narendra Modi appealing for the immediate release of the activists and academics in light of reports that some had been targets of cyber-attacks which planted “incriminating documents”.