Police forces all around the world have increasingly used hacking tools to identify and track protesters, reveal the secrets of political dissidents, and turn activists’ computers and phones into covert eavesdropping devices. Now, new clues in a case in India link law enforcement with a hacking campaign that used those tools to go a disturbing step further: planting fake incriminating files on targets’ computers, which the same police then used as grounds to arrest and imprison them.
More than a year ago, forensic analysts revealed that unidentified hackers had planted evidence on the computers of at least two activists arrested in Pune, India, in 2018, both of whom have been jailed and, along with 13 others, face terrorism charges. Researchers at the security firm SentinelOne and the nonprofits Citizen Lab and Amnesty International have since linked this fabrication of evidence to a broader hacking operation that targeted hundreds of individuals over nearly a decade, using phishing emails to infect targeted computers with spyware, as well as smartphone hacking tools sold by the Israeli surveillance firm NSO Group. But only now have SentinelOne’s researchers revealed links between the hackers and a government entity: none other than the Indian police agency in the city of Pune, which arrested several of the activists based on the fabricated evidence.
“There is a proven link between the people who arrested these people and the people who planted the evidence,” said Juan Andres Guerrero-Saade, a security researcher at SentinelOne who, along with co-researcher Tom Hegel, will present the findings at the Black Hat security conference in August. “This is beyond ethically compromised. It’s more than emotional. So we try to present as much data as we can, hoping to help these victims.”
SentinelOne’s new findings, which connect the Pune City Police with the long-running hacking campaign that the company has named Modified Elephant, focus on two specific targets of the campaign: Rona Wilson and Varavara Rao. Both men are activists and human rights defenders who were jailed in 2018 as part of a group called the Bhima Koregaon 16, named after the village where violence between Hindus and Dalits – the group once known as “untouchables” – erupted earlier that year. (One of the 16 accused, 84-year-old Jesuit priest Stan Swamy, died in prison last year after contracting Covid-19. Rao, 81 and in poor health, has been released on medical bail, which expires next month. Of the other 14, only one has been granted bail.)
Early last year, Arsenal Consulting, a digital forensics firm working on behalf of the defendants, analyzed the contents of Wilson’s laptop along with the computer of another defendant, human rights lawyer Surendra Gadling. Arsenal’s analysts found that evidence had clearly been planted on both machines. In Wilson’s case, a piece of malware known as NetWire had added 32 files to a folder on the computer’s hard drive, including a letter in which Wilson appeared to be conspiring with a banned Maoist group to assassinate Indian Prime Minister Narendra Modi. The letter had actually been created with a version of Microsoft Word that Wilson had never used and that had never even been installed on his computer. Arsenal also found that Wilson’s computer had been hacked to install the NetWire malware after he opened an attachment sent from Varavara Rao’s email account, which itself had been compromised by the same hackers. “This is one of the most serious cases involving tampering with evidence that Arsenal has ever encountered,” Arsenal president Mark Spencer wrote in his report to the Indian court.
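As an added example (not code from the article, from Arsenal’s report, or from SentinelOne), one way an examiner can automate the kind of authoring-application mismatch described above: read the Word version recorded in a .docx file’s docProps/app.xml and compare it with an inventory of the Word versions actually installed on the host. It assumes OOXML .docx documents and uses a constructed host inventory; a mismatch is a lead to investigate, not proof of planting by itself.

```python
# Added forensic check (not code from the article or Arsenal's report): flag a
# .docx whose docProps/app.xml names a Word major version never installed on
# the examined host. Installed-version inventory is a constructed assumption.
import io
import zipfile
import xml.etree.ElementTree as ET

# OOXML extended-properties namespace used by docProps/app.xml.
EP_NS = "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties"


def read_app_metadata(docx_bytes: bytes) -> dict:
    """Return Application/AppVersion from docProps/app.xml, or {} if the part is absent."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        if "docProps/app.xml" not in zf.namelist():
            return {}
        root = ET.fromstring(zf.read("docProps/app.xml"))
    meta = {}
    for tag in ("Application", "AppVersion"):
        el = root.find(f"{{{EP_NS}}}{tag}")
        if el is not None and el.text:
            meta[tag] = el.text.strip()
    return meta


def version_mismatch(docx_bytes: bytes, installed_majors: set) -> bool:
    """True when the claimed AppVersion major (e.g. '14' = Word 2010, '15' = Word 2013)
    matches no Word build in the host inventory. A lead to investigate, not proof."""
    ver = read_app_metadata(docx_bytes).get("AppVersion")
    if not ver:
        return False  # nothing to compare against, so do not flag
    return ver.split(".")[0] not in installed_majors


def build_sample_docx(app_version: str) -> bytes:
    """Constructed minimal zip carrying only docProps/app.xml (enough for the check)."""
    app_xml = (f'<?xml version="1.0" encoding="UTF-8"?><Properties xmlns="{EP_NS}">'
               f'<Application>Microsoft Office Word</Application>'
               f'<AppVersion>{app_version}</AppVersion></Properties>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docProps/app.xml", app_xml)
    return buf.getvalue()


if __name__ == "__main__":
    host_majors = {"12"}                      # constructed: host only ever had Word 2007
    print(version_mismatch(build_sample_docx("15.0000"), host_majors))  # True
    print(version_mismatch(build_sample_docx("12.0000"), host_majors))  # False
```

On a real examination the inventory would come from the host’s own installation artifacts, and the metadata check would be corroborated with file-system timestamps and the malware’s file-drop activity rather than relied on alone.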
In February, SentinelOne released a detailed report on Modified Elephant, analyzing the malware and server infrastructure used in the hacking campaign to show that the two cases of evidence fabrication Arsenal had analyzed were part of a much larger pattern: the hackers had targeted hundreds of activists, journalists, academics and lawyers with phishing emails and malware since as early as 2012. But in that report, SentinelOne stopped short of identifying any individual or organization behind the Modified Elephant hackers, writing only that “the activity is sharply in line with Indian state interests.”