Key evidence against a group of activists and intellectuals, who have been arrested in the Bhima Koregaon case, was planted using malware on a laptop seized by police, a new forensics report has found, The Washington Post reported.

The report by Arsenal Consulting, a United States digital forensics firm, found that an attacker used malware to infiltrate a laptop belonging to activist Rona Wilson before his arrest and deposited at least 10 incriminating letters on his computer. The Pune Police used letters it found on the laptop as its primary evidence in the chargesheet it filed in the Bhima Koregaon case.

Among these was a letter that the police claimed Wilson had written to a Maoist militant, discussing the need for guns and ammunition as part of an intricate Maoist conspiracy, and even urging the banned group to assassinate Prime Minister Narendra Modi. The report found the letters had been planted in a hidden folder on Wilson’s laptop.

The report did not identify the perpetrator of the cyberattack, but it noted that Wilson was not the only victim. The same attacker deployed some of the same servers and IP addresses to target other accused in the case over a period of four years, it stated. The accused in other “high-profile Indian cases” were also targeted, the report said.

Wilson’s laptop was compromised “for just over 22 months”, the report said, adding that the attacker’s primary goals were “surveillance and incriminating document delivery”.

“This is one of the most serious cases involving evidence tampering that Arsenal has ever encountered,” the report said, citing the vast time span between the time the laptop was first compromised and the moment the attacker planted the last incriminating document.

Arsenal had examined an electronic copy of the laptop at the request of Wilson’s lawyers. On Wednesday, Wilson’s lawyers included the report in a petition filed in the Bombay High Court, urging judges to dismiss the case against their client.

Sudeep Pasbola, a lawyer representing Wilson, told The Washington Post that the Arsenal report proved his client’s innocence and “destabilizes” the prosecution case against the activists.

Mark Spencer, president of Arsenal Consulting, said in a statement released on Twitter that his team has worked “relentlessly” on the “massive volume of electronic data” given to them in the Bhima Koregaon case. “I believe we have set an extremely high bar for the practice of digital forensics in the future,” the statement said. “There have been times during my team’s analysis that I have been in awe of their ability to succeed where others have failed.”

How it happened

The Arsenal report said that Wilson’s laptop was compromised in June 2016, after a series of suspicious emails from someone using Telugu activist and co-accused Varavara Rao’s account. During the course of the conversation, the person using Rao’s account made multiple attempts to get Wilson to open a particular document, which was a link to download a statement from a civil liberties group.

When Wilson complied, the link deployed NetWire, a commercially available form of malicious software that gave a hacker remote access to Wilson’s device. Such access can then be used to plant files on a system, the report said. Arsenal discovered records of the malware logging Wilson’s keystrokes, passwords and browsing activity.

It also recovered file system information showing the attacker creating the hidden folder in which at least 10 incriminating letters were planted. The letters were created using a newer version of Microsoft Word that did not exist on Wilson’s computer, the cyber-forensic examination revealed.

Additionally, Arsenal said it found no evidence that the documents or the hidden folder were ever opened.

The digital forensics firm said that ever since it found out about the malware, it had contacted many of the organisations whose services were abused by the same attacker who hijacked Wilson’s computer.

While many of the organisations Arsenal contacted have understood the gravity of the situation and were helpful, others have adopted a variety of cowardly “duck and cover” strategies, the report added.


The Bhima Koregaon case

Several activists and academics have been accused of making inflammatory speeches at the Elgar Parishad conclave held at Shaniwar Wada in Pune on December 31, 2017, which the authorities claim triggered violence at the Bhima-Koregaon war memorial the next day. One person was killed and several others were injured in the incident.

The first chargesheet, which ran to over 5,000 pages, was filed by the Pune Police in November 2018. It named activists Sudhir Dhawale, Rona Wilson, Surendra Gadling, Shoma Sen and Mahesh Raut, all of whom were arrested in June 2018. The police had claimed that those arrested had “active links” with the banned Communist Party of India (Maoist), and accused the activists of plotting to kill Prime Minister Narendra Modi.

A supplementary chargesheet was filed later, in February 2019, against human rights activists Sudha Bharadwaj, Varavara Rao, Arun Ferreira, Vernon Gonsalves and banned Communist Party of India (Maoist) leader Ganapathy. The accused were charged with “waging war against the nation” and spreading the ideology of the CPI (Maoist), besides creating caste conflicts and hatred in society.

The Centre transferred the case to the National Investigation Agency in January 2020 after the Bharatiya Janata Party government in Maharashtra, led by Devendra Fadnavis, was defeated.