Reports by a digital forensics consulting company named Arsenal Consulting reveal that malware was used to surveil and plant evidence on the computers of two of the accused in the Bhima Koregaon case. In this post, we look at these reports closely to provide an informed basis for commentary on digital evidence, forensics, and ongoing conversations on the use of malware such as Pegasus.
What is the Bhima Koregaon case?
The Bhima Koregaon case relates to the violence that took place on January 1, 2018 at the annual celebrations held in the village of the same name to commemorate the Battle of Bhima Koregaon, in which the British army, made up predominantly of Dalit soldiers, defeated the Peshwa army led by Peshwa Bajirao II. The celebrations in 2018 were larger than usual, as they marked the 200th anniversary of the battle. Tensions in the area had started simmering on December 29, 2017, the day Govind Gopal Mahar's memorial was found desecrated amid ongoing issues between the Dalit and Maratha communities in the region. The incident found mention in the Elgar Parishad, a large public conference organised by Dalit and Bahujan groups on December 31, 2017. On January 1, the historically peaceful event turned violent, leaving one person from the Maratha community dead and several others injured. A few months later, however, the police suddenly claimed the violence had been provoked by activists and human rights lawyers, some of whom had attended the Elgar Parishad programme.
The activists and human rights lawyers who were arrested by the police in connection with the case are collectively referred to as the BK-16 and include: academics Anand Teltumbde, Shoma Sen and Hany Babu; Adivasi rights activists Stan Swamy and Mahesh Raut; poets Varavara Rao and Sudhir Dhawale; lawyers Surendra Gadling and Sudha Bharadwaj; writer-researcher Gautam Navlakha; activists Rona Wilson, Arun Ferreira and Vernon Gonsalves; and members of the cultural group Kabir Kala Manch: Sagar Gorkhe, Ramesh Ghaichor and Jyoti Jagtap.
How does it link to the Arsenal reports?
In spite of the court’s refusal to issue a search warrant, the Pune police on April 17, 2018 raided the Nagpur house of lawyer Surendra Gadling and the Delhi and Mumbai residences, respectively, of activists Rona Wilson and Sudhir Dhawale, and confiscated their computers, hard drives, portable drives and personal DVDs of wedding and birthday parties. In the computer seized from Wilson, the police claimed to have found files containing details of purported meetings of Maoist militants, alleged correspondence with Maoist leaders, and money received by the Communist Party of India (Maoist), as well as letters detailing a plot to assassinate Prime Minister Narendra Modi.
In this post, we analyse the findings of reports submitted to the Court of the Special Judge notified under the National Investigation Agency Act by Arsenal Consulting, a digital forensics consulting company founded in 2009, which examined the electronic evidence seized from Rona Wilson and Surendra Gadling.
What did the reports reveal?
The reports relate specifically to two of the accused, Rona Wilson (Reports 1 & 2) and Surendra Gadling (Report 3). While the reports themselves are fairly technical, below we have distilled the crux of their findings, which is what matters for our analysis.
- According to the reports, both Rona Wilson’s and Surendra Gadling’s computers were compromised for 22 and 20 months respectively.
- The primary goals of the attacker were surveillance and incriminating document delivery.
- Arsenal has connected the same attacker to a significant malware infrastructure which has been deployed over the course of approximately four years to attack the co-defendants in the Bhima Koregaon case and defendants in other high-profile Indian cases as well.
- The attack was carried out through NetWire, a commercially available piece of malware. It is a remote access trojan, or RAT, which gives an attacker control of the infected system.
- Arsenal developed internal tools during the course of their analysis which allowed them to search for and decrypt NetWire logs anywhere on Mr. Wilson’s computer. NetWire logs are files used for surveillance purposes and contain keystrokes and other information related to the victim. Arsenal was able to recover a combination of complete and partial NetWire logs from 57 particular days between late 2016 and April 17, 2018, the day Mr. Wilson’s computer was seized by the Pune police. The activity captured in these logs included Mr. Wilson browsing websites, submitting passwords, composing emails, and editing documents.
- Arsenal has found no evidence which would suggest that the top ten most important documents used in the prosecution against Mr. Wilson (“the top ten documents”) were ever interacted with in any legitimate way on Mr. Wilson’s computer. Arsenal has found no evidence which would suggest that any of the additional files of interest were ever interacted with in any legitimate way on Mr. Wilson’s computer, and can confirm that 22 of the 24 files were delivered to a hidden folder on Mr. Wilson’s computer by NetWire and not by other means.
- More particularly, there is no evidence which would suggest any of the top ten documents, or the hidden folder they were contained in, were ever opened. One method that can be used to assist in determining whether a particular document has ever been opened on a particular computer is to review the NTFS file system’s “object identifier” (a/k/a $OBJECT_ID) attributes for that document. Object identifiers are normally assigned to documents when they are either created or first opened. In this case, none of the top ten documents have object identifiers.
- Arsenal found and decrypted partial NetWire logs from Mr. Gadling’s computer which covered 55 particular days between March 5, 2016 and October 22, 2017. Arsenal has found no evidence which would suggest that the 14 important documents were ever interacted with in any legitimate way on Mr. Gadling’s computer, either in their original location on the tertiary volume or in their current location on the Windows volume.
- Arsenal, in their report, has indicated that this is one of the most serious cases involving evidence tampering that they have ever encountered, based on various metrics which include the vast timespan between the delivery of the first and last incriminating documents on multiple defendants’ computers.
Are Indian investigation agencies and laws equipped to handle such surveillance attacks?
While alarming on their own, these revelations about people associated with the BK-16 case being surveilled are not new. According to the University of Toronto’s Citizen Lab, reports going as far back as 2019 revealed that NSO Group’s spyware Pegasus, which has been in the news recently as well, was used against the lawyers representing some of the BK-16. It is therefore important not only to look at this case in light of the facts uncovered about digital surveillance, but also to understand whether Indian citizens are protected against such attacks under the current legal framework.
As has become clear, NetWire and Pegasus were used in the BK-16 case to surveil the accused and individuals related to them, such as Nihalsing Rathod who represents Mr. Gadling, as well as to plant incriminating evidence. In this situation, it is important for us to know whether Indian investigation agencies, such as the NIA which is in charge of the BK-16 investigation, are cognisant of this new functionality that has been developed and whether they are equipped to uncover it so as to not be misled. The reports from Arsenal Consulting, which have led to the present revelations, were commissioned by the defence, and we do not know whether the NIA has conducted its own independent investigation in light of the reports. Currently, all that the NIA has said about these reports is that they could be taken up during the trial but they could not be a ground for seeking quashing of the chargesheet against Rona Wilson.
Such hacking of computer resources, including mobile phones and applications, is a criminal offence under the Information Technology Act, 2000 and it is only through such hacking that the NetWire or Pegasus spyware can be used against a person. However, the Indian government has failed to sufficiently respond to these damning reports unlike their counterparts abroad, where investigations into the use of such spyware against individuals have been launched. Since it has been ascertained that individuals in the country are being maliciously targeted through such spyware in addition to evidence being fabricated, it is imperative that the Government take steps to ensure that the privacy and security of Indian citizens is maintained.
These findings show an urgent need for surveillance reform to protect citizens against invasive technologies which hamper their fundamental right to privacy and threaten the democratic ideals of our country. Use of such surveillance technology on human rights defenders stops them from working with vulnerable people, some of whom may have been victimised by their own government, without opening them up to further abuse. While it seems unlikely that any stringent measures will be taken, we all share a collective responsibility to first become aware of the increasing use of malware and to advocate that any such reported infections be investigated seriously. IFF is committed to advancing surveillance reform and prohibitions on the use of malware.
- Reports submitted by Arsenal Consulting in the matter of National Investigating Agency v. Sudhir Pralhad Dhawale & others
- IFF’s work relating to NSO Group’s spyware Pegasus
- “Explainer: Arsenal Report on Surendra Gadling”, published in The Leaflet on July 7, 2021