Evidence planted on laptops of jailed Indian activists, says forensics firm Arsenal Consulting
NetWire malware used to deliver incriminating letters into obscure directories users could not see
Evidence used to charge an Indian man with plotting to assassinate India’s Prime Minister and inciting violence at a 2018 protest was planted on his laptop, according to US digital forensics consultancy Arsenal Consulting.
The man in question, Surendra Gadling, is an activist and human rights lawyer and a frequent critic of India’s government. He was arrested in June 2018 after the commemoration of the Battle of Koregaon. The battle, which took place in 1818, saw British East India Company troops emerge victorious and contributed greatly towards British rule of India. The battle involved combatants from many different nations, castes, and religions, some of whom fought alongside the British. It remains controversial to the present day, with a traitorous tinge sometimes applied to those who fought with the British. The 2018 events marking the bicentenary saw violence erupt and at least one person killed.
Gadling was later charged with inciting violence at the 2018 event, of being a member of Communist and/or Maoist groups, and even of plotting to assassinate the Indian PM.
Other activists were also arrested and face similar charges, in what has come to be known as the Bhima Koregaon case.
Arsenal Consulting has already published two reports on the case, and in both found that malware targeted Rona Wilson — an activist who was also arrested and charged.
The attacker identified in Arsenal’s Reports I & II targeted Rona Wilson (& others) with multiple campaigns involving various malware, & remnants exist well beyond individual computers involved in the Bhima Koregaon case. We have analyzed many emails from these campaigns. #DFIR— Arsenal Consulting (@ArsenalArmed) April 21, 2021
Arsenal’s latest report [PDF] finds that Gadling’s laptop was compromised by attackers intent on “surveillance and incriminating document delivery”.
The report details use of the NetWire malware, traces its installation to a specific email from February 2016, and offers evidence of extensive communication with a command-and-control server. It also identifies 14 documents that were delivered to a hidden folder by NetWire. That folder was later moved from a volume created by NetWire onto the laptop’s main Windows volume.
The documents are emails to and from Gadling, many of which detail planned operations, discuss funding those operations, identify “soft targets” to be targeted, and mention other activists who can assist in these endeavours.
Arsenal’s report states that none of the 14 documents “were ever interacted with in any legitimate way on Mr. Gadling’s computer, either in their original location on the tertiary volume or in their current location on the Windows volume.”
Nor could the firm find any evidence that the documents were ever opened!
Arsenal also dated the documents as having appeared on June 22, 2017 — the same day documents were also delivered to a hidden folder on Rona Wilson’s computer.
- Disco classic Rasputin and pop anthem revealed as reasons Twitter suspended Indian politicians
- Reserve Bank of India warns against Big Tech's potential to dominate financial services
- India’s IT lobby lashes forecast of automation-induced jobs bloodbath
The firm offered no conclusion about who used NetWire to target Gadling and Wilson, but noted it has seen the same activity “in other high-profile Indian cases as well”.
Indian authorities are yet to respond to the report, but the document is explosive. India’s central government has moved the case into its jurisdiction instead of allowing State authorities to handle the matter.
India’s central government is not kindly disposed to its critics, and has form shutting down social networks and telecommunications networks on grounds that doing so prevents violence.
That attitude is evident in its ongoing fight with Twitter over the micro-blogging service’s half-hearted moves towards compliance with the Intermediary Guidelines and Digital Media Ethics Code — a new law that gives India’s government to track down the original poster of any material it finds objectionable.
Twitter faces multiple cases over its actions, and yesterday one of them revealed that India’s government has formally decided that the social network has lost its immunity to legal action brought on grounds that its users post content that breaks local laws.
That change opens Twitter to even more legal action. ®