Security researchers have revealed links between the hacking attempts that planted fabricated evidence on multiple activists' computers, and the Pune police.
Researchers have revealed links between hacking attempts on human rights activists and an Indian police department.
A report by WIRED magazine explained how researchers at security firm SentinelOne and nonprofits Citizen Lab and Amnesty International had connected fabricated evidence to a broader hacking operation that targeted scores of individuals over a decade using phishing emails and smartphone hacking tools sold by the Israeli contractor NSO Group.
A year ago, forensic firm Arsenal Consulting concluded that two activists, Rona Wilson and Surendra Gadling, who were jailed in 2018 for allegedly plotting an insurgency against the Indian government, were both victims of a hacker who planted "evidence" on their computers.
Arsenal’s analysis strongly suggested that Gadling and Wilson were not the only victims.
Now, SentinelOne’s researchers have unearthed ties between those hackers and a police agency in the city of Pune, the same agency that arrested activists on the basis of the fabricated evidence.
“There’s a provable connection between the individuals who arrested these folks and the individuals who planted the evidence,” Juan Andres Guerrero-Saade, a security researcher at SentinelOne, told WIRED.
“This is beyond ethically compromised. It is beyond callous. So we’re trying to put as much data forward as we can in hopes of helping these victims.”
SentinelOne says the evidence links the Pune police to the hacking of the email accounts of activists Wilson, Varavara Rao, and Delhi University professor Hany Babu. This is the first time that state involvement has been directly established in the case.
SentinelOne’s findings specifically link Pune police to a long-running hacking campaign it calls ‘Modified Elephant’. The revelations come from working with an unnamed email service provider, which passed on crucial data that allowed the researchers to establish a link to Indian law enforcement.
The researchers point out that three of the victim email accounts (Wilson’s, Rao’s and Babu’s), compromised by the hackers in 2018 and 2019, each had a recovery email address and phone number added as a backup, allowing the hackers to regain control of the accounts even if the passwords were later changed.
According to WIRED, the email address “included the full name of a police official in Pune who was closely involved in the Bhima Koregaon 16 case”.
Wilson’s email account was then used to send out other phishing emails to targets in the Bhima Koregaon case for at least two months before Wilson was arrested in June 2018.
The Bhima Koregaon 16 are named after the village where caste violence broke out in 2018; the violence led to the arrest and jailing of 16 activists, who were charged under the Unlawful Activities (Prevention) Act (UAPA) for alleged links to banned Maoist groups and for involvement in a conspiracy to assassinate Indian Prime Minister Narendra Modi.
One of them, 84-year-old Jesuit priest Stan Swamy, died in jail last year from Covid-19. Rao, who is 81 years old, is in poor health and has been released on medical bail until next month.
In February, SentinelOne released a report on Modified Elephant, analysing the malware and server infrastructure used in the hacking campaign to show that the two cases of evidence fabrication Arsenal reviewed were part of a larger pattern, and that hackers targeted hundreds of activists, journalists, academics, and lawyers with phishing attacks and malware since 2012.
However, that report stopped short of identifying anyone behind the Modified Elephant hackers, writing that the “activity aligns sharply with Indian state interests.”
“We generally don’t tell people who targeted them, but I’m kind of tired of watching shit burn,” the security analyst at the email provider told WIRED regarding their decision to reveal the identifying evidence from the hacked accounts.
“These guys are not going after terrorists. They’re going after human rights defenders and journalists. And it’s not right.”
Mihir Desai, a Mumbai-based defence attorney representing several of the Bhima Koregaon 16, said he is hopeful that the new evidence can help his clients like Anand Teltumbde, who has been accused of terrorist connections partly based on a fabricated document on Wilson’s computer.
“By showing the police did this, it would mean there was a conspiracy to arrest these people. It would show the police have acted in a vicious and deliberate manner knowing fully well this was false evidence,” Desai said.
Guerrero-Saade argues that it also raises questions about the validity of evidence pulled from a computer hacked by a law enforcement surveillance operation.
“What does it mean to have evidentiary integrity when you have a compromised device? What does it mean for somebody to hack a device for fact-finding in a law enforcement operation when they can also alter the contents of a device in question?” he said.
Pune City Police and the Pune police official whose details were linked to the hacked accounts did not respond to WIRED’s request for comment.