Evidence planted on laptops of jailed Indian activists, says forensics firm Arsenal Consulting

NetWire malware used to deliver incriminating letters into obscure directories users could not see


Evidence used to charge an Indian man with plotting to assassinate India’s Prime Minister and inciting violence at a 2018 protest was planted on his laptop, according to US digital forensics consultancy Arsenal Consulting.

The man in question, Surendra Gadling, is an activist and human rights lawyer and a frequent critic of India’s government. He was arrested in June 2018 after the commemoration of the Battle of Koregaon. That 1818 battle, in which British East India Company troops emerged victorious, contributed greatly towards British rule of India. It involved combatants from many different nations, castes, and religions, some of whom fought alongside the British, and it remains controversial to the present day, with a traitorous tinge sometimes applied to those who fought on the British side. The 2018 events marking the bicentenary saw violence erupt and at least one person killed.

Gadling was later charged with inciting violence at the 2018 event, with membership of Communist and/or Maoist groups, and even with plotting to assassinate the Indian PM.

Other activists were also arrested and face similar charges, in what has come to be known as the Bhima Koregaon case.

Arsenal Consulting has already published two reports on the case, and in both found that malware targeted Rona Wilson — an activist who was also arrested and charged.

Arsenal’s latest report [PDF] finds that Gadling’s laptop was compromised by attackers intent on “surveillance and incriminating document delivery”.

The report details use of the NetWire malware, traces its installation to a specific email from February 2016, and offers evidence of extensive communication with a command-and-control server. It also identifies 14 documents that NetWire delivered to a hidden folder on a tertiary volume the malware created. That folder was later moved from the tertiary volume onto the laptop’s main Windows volume.

The documents are emails to and from Gadling, many of which detail planned operations, discuss funding those operations, identify “soft targets”, and mention other activists who can assist in these endeavours.

Arsenal’s report states that none of the 14 documents “were ever interacted with in any legitimate way on Mr. Gadling’s computer, either in their original location on the tertiary volume or in their current location on the Windows volume.”

Nor could the firm find any evidence that the documents were ever opened.

Arsenal also dated the documents as having appeared on June 22, 2017 — the same day documents were also delivered to a hidden folder on Rona Wilson’s computer.
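The two findings above, a batch of documents that all appeared at once and that no user-activity artifact ever references, are the kind of thing a forensic triage script can surface from a file listing. The following is an added example written for this page; it is not Arsenal’s tooling or methodology, and the paths, timestamps and artifact entries are constructed. It treats a document as suspect when it (a) was created within a short window of several other files, (b) has a last-modified time earlier than its creation time, the pattern a copy or drop leaves rather than in-place authoring, and (c) is not pointed at by any artifact of user interaction (the script models LNK shortcuts and RecentDocs entries; the report does not say which artifacts Arsenal examined).

```python
"""Flag documents that arrived together and were never interacted with.

Added example, not Arsenal Consulting's code. All input below is constructed;
paths and times are hypothetical and do not come from the report.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class FileEntry:
    path: str
    created: datetime    # filesystem creation time (NTFS $STANDARD_INFORMATION)
    modified: datetime   # last content modification time


@dataclass(frozen=True)
class ActivityArtifact:
    kind: str            # e.g. "lnk", "recentdocs", "jumplist"
    target: str          # path the artifact points at


T = datetime  # short alias for the sample data

# Constructed sample listing: one legitimately authored document, three files
# dropped within minutes of each other with content older than their creation,
# and one download from the same window that the user actually opened.
FILES = [
    FileEntry(r"C:\Users\u\Documents\draft.docx",  T(2017, 3, 1, 9, 0),   T(2017, 5, 10, 14, 0)),
    FileEntry(r"C:\Users\u\Hidden\letter_01.docx", T(2017, 6, 22, 10, 0), T(2016, 11, 3, 8, 15)),
    FileEntry(r"C:\Users\u\Hidden\letter_02.docx", T(2017, 6, 22, 10, 1), T(2017, 1, 20, 17, 40)),
    FileEntry(r"C:\Users\u\Hidden\letter_03.docx", T(2017, 6, 22, 10, 2), T(2017, 2, 2, 12, 0)),
    FileEntry(r"C:\Users\u\Downloads\report.pdf",  T(2017, 6, 22, 10, 3), T(2017, 6, 22, 10, 3)),
]

# Constructed user-activity artifacts (hypothetical).
ARTIFACTS = [
    ActivityArtifact("lnk",        r"C:\Users\u\Documents\draft.docx"),
    ActivityArtifact("recentdocs", r"C:\Users\u\Documents\draft.docx"),
    ActivityArtifact("lnk",        r"C:\Users\u\Downloads\report.pdf"),
]


def never_interacted(files, artifacts):
    """Files that no interaction artifact points at (case-insensitive paths)."""
    seen = {a.target.lower() for a in artifacts}
    return [f for f in files if f.path.lower() not in seen]


def copied_in(f):
    """Modified earlier than created: content predates the file's arrival."""
    return f.modified < f.created


def creation_clusters(files, window=timedelta(hours=1), min_size=2):
    """Group files whose creation times lie within `window` of the group's first file."""
    ordered = sorted(files, key=lambda f: f.created)
    clusters, current = [], []
    for f in ordered:
        if current and f.created - current[0].created > window:
            if len(current) >= min_size:
                clusters.append(current)
            current = []
        current.append(f)
    if len(current) >= min_size:
        clusters.append(current)
    return clusters


def suspicious(files, artifacts, **cluster_kw):
    """Per creation cluster, the files that were copied in and never interacted with."""
    untouched = {f.path for f in never_interacted(files, artifacts)}
    flagged = []
    for cluster in creation_clusters(files, **cluster_kw):
        batch = [f for f in cluster if f.path in untouched and copied_in(f)]
        if batch:
            flagged.append(batch)
    return flagged


if __name__ == "__main__":
    for batch in suspicious(FILES, ARTIFACTS):
        print(f"{len(batch)} untouched files created around {batch[0].created:%Y-%m-%d %H:%M}:")
        for f in batch:
            print(f"  {f.path}  created={f.created}  modified={f.modified}")
```

On the sample data the script reports one batch of three files, the dropped letters, and ignores the download created in the same window because an LNK shortcut shows it was opened. The modified-before-created test is an indicator, not proof: a file copied from a USB stick by the user shows the same pattern, which is exactly why the check is combined with the absence of interaction artifacts rather than used alone.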

The firm offered no conclusion about who used NetWire to target Gadling and Wilson, but noted it has seen the same activity “in other high-profile Indian cases as well”.

Indian authorities are yet to respond to the report, but the document is explosive. India’s central government has moved the case into its jurisdiction instead of allowing State authorities to handle the matter.

India’s central government is not kindly disposed to its critics, and has form for shutting down social networks and telecommunications networks on grounds that doing so prevents violence.

That attitude is evident in its ongoing fight with Twitter over the micro-blogging service’s half-hearted moves towards compliance with the Intermediary Guidelines and Digital Media Ethics Code – a new law that gives India’s government the power to track down the original poster of any material it finds objectionable.

Twitter faces multiple cases over its actions, and yesterday one of them revealed that India’s government has formally decided that the social network has lost its immunity to legal action brought on grounds that its users post content that breaks local laws.

That change opens Twitter to even more legal action. ®


Biting the hand that feeds IT © 1998–2022