Police linked to hacking campaign to charge Indian activists

Police linked to hacking campaign to charge Indian activists

police force around the world is increasingly using hacking tools to identify and track protesters, expose the secrets of political dissidents, and turn activists’ computers and phones into inescapable eavesdropping bugs. Now, new clues in a case in India link law enforcement to a hacking campaign that used those tools to take a terrifying step further: planting fake incriminating files on targets’ computers, which the same police then used as grounds to arrest and jail them.

More than a year ago, forensic analysts revealed that unidentified hackers fabricated evidence on the computers of at least two activists arrested in Pune, India, in 2018, both of whom were jailed and, along with 13 others, are facing trial facing charges of terrorism. Researchers from the security firm SentinelOne and the nonprofits Citizen Lab and Amnesty International have since linked this fabrication of evidence to a broader hacking operation that targeted hundreds of individuals over nearly a decade, using phishing emails to infect targeted computers with spyware. as well as smartphone hacking tools sold by Israeli hacking contractor NSO Group. But only now have SentinelOne researchers uncovered links between the hackers and a state organization: none other than the same Indian police agency in the city of Pune that arrested scores of activists based on the fabricated evidence.

“There is a provable link between the individuals who arrested these people and the individuals who planted the evidence,” said Juan Andres Guerrero-Saade, a security researcher at SentinelOne who, along with fellow researcher Tom Hegel, will present the security findings at the Black Hat conference in August. “This is beyond ethical compromise. This is beyond callous. So we are trying to provide as much data as possible in hopes of helping these victims.

SentinelOne’s new findings, which link the Pune city police to the long-running hacking campaign the company has dubbed Modified Elephant, focus on two specific targets of the campaign: Rona Wilson and Varvara Rao. Both men are activists and human rights defenders who were jailed in 2018. as part of a group called Bhima Koregaon 16, named after the village where violence between Hindus and Dalits – the group once known as the “untouchables” – had erupted earlier that year. (One of those 16 accused, 84-year-old Jesuit priest Stan Swamy, died in prison last year after contracting Covid-19. Rao, who is 81 and in poor health, was released on medical bail, which expires next month of the remaining 14, only one is out on bail.)

Early last year, Arsenal Consulting, a digital forensics firm working on behalf of the defendants, analyzed the contents of Wilson’s laptop, along with that of another defendant, human rights lawyer Surendra Gadling. Arsenal analysts found that the evidence was clearly fabricated for both machines. In Wilson’s case, a piece of malware known as NetWire added 32 files to a folder on the computer’s hard drive, including a letter in which Wilson appeared to conspire with a banned Maoist group to assassinate Indian Prime Minister Narendra Modi. The letter was actually created with a version of Microsoft Word that Wilson never used and that wasn’t even installed on his computer. Arsenal also found that Wilson’s computer had been hacked to install NetWire malware after he opened an attachment sent from Varvara Rao’s email account, which had itself been compromised by the same hackers. “This is one of the most serious cases involving the tampering of evidence that Arsenal has ever encountered,” Arsenal president Mark Spencer wrote in his report to the Indian court.

In February, SentinelOne published a detailed report on Modified Elephant, analyzing the malware and server infrastructure used in the hacking campaign to show that the two cases of evidence fabrication analyzed by Arsenal were part of a much larger pattern: the hackers had have targeted hundreds of activists, journalists, academics and lawyers with phishing emails and malware since 2012. But in that report, SentinelOne stopped short of identifying any individual or organization behind the Modified Elephant hackers, writing only that “the activity is in line with the interests of the Indian state.”

Leave a Reply

Your email address will not be published. Required fields are marked *