Police forces around the world have increasingly used hacking tools to identify and track protesters, expose the secrets of political dissidents and turn activists’ computers and phones into inescapable eavesdropping bugs. Now, new leads in a case in India link law enforcement officers to a hacking campaign that used these tools to take a far more sinister step: planting false incriminating files on the computers of targets, files the same police then used as the reason to arrest and detain them.
More than a year ago, forensic analysts revealed that unidentified hackers had fabricated evidence on the computers of at least two activists arrested in 2018 in Pune, India. Researchers from security firm SentinelOne and the nonprofits Citizen Lab and Amnesty International have since linked that evidence to a broader hacking operation that targeted hundreds of individuals over nearly a decade, using phishing emails to infect targeted computers with spyware, as well as smartphone hacking tools sold by Israeli hacking contractor NSO Group. Only now, however, have SentinelOne investigators revealed a link between the hackers and a government agency: none other than the same Indian police station in the city of Pune that arrested several activists based on the fabricated evidence.
“There is a demonstrable link between the individuals who arrested these people and the individuals who planted the evidence,” said Juan Andres Guerrero-Saade, a security researcher at SentinelOne who, along with fellow researcher Tom Hegel, will present the findings at the Black Hat security conference in August. “This is more than ethically compromised. It’s more than insensitive. So we’re trying to put as much data forward as possible in hopes of helping these victims.”
SentinelOne’s new findings linking Pune police to the long-running hacking campaign, which the company has dubbed Modified Elephant, focus on two specific targets of the campaign: Rona Wilson and Varvara Rao. Both men are activists and human rights defenders who were jailed in 2018 as part of a group known as the Bhima Koregaon 16, named after the village where violence broke out earlier that year between Hindus and Dalits, the group once known as ‘untouchables’. (One of those 16 defendants, 84-year-old Jesuit priest Stan Swamy, died in prison last year after contracting COVID-19. Rao, who is 81 years old and in ill health, has been released on medical bail, which expires later this month. Of the other 14, only one has been released on bail.)
Early last year, Arsenal Consulting, a digital forensics firm working for the defendants, analyzed the contents of Wilson’s laptop, along with that of another defendant, human rights lawyer Surendra Gadling. Arsenal analysts found clear evidence of fabrication on both machines. In Wilson’s case, a piece of malware known as NetWire had added 32 files to a folder on the computer’s hard drive, including a letter in which Wilson appeared to be working with a banned Maoist group to assassinate Indian Prime Minister Narendra Modi. The letter was, in fact, created using a version of Microsoft Word that Wilson had never used and that was never even installed on his computer. Arsenal also discovered that Wilson’s computer had been compromised with the NetWire malware after he opened an attachment sent from Varvara Rao’s email account, which had itself been hacked by the same attackers. “This is one of the most serious cases of evidence tampering Arsenal has ever encountered,” Arsenal president Mark Spencer wrote in his report to the Indian court.