A new report by a United States-based digital forensics firm on Tuesday has revealed that advocate Surendra Gadling’s computer was hacked to plant evidence in connection with the Bhima Koregaon violence case, The Washington Post reported.

In February, Arsenal Consulting found that activist Rona Wilson’s computer was hacked using malicious software to plant 10 letters, which the Pune Police and the National Investigation Agency used as primary evidence in the chargesheet they filed in the Bhima Koregaon case. A follow-up report by the Massachusetts-based digital forensics firm in April revealed further evidence that 22 incriminating letters were planted in Wilson’s laptop.

Both Gadling and Wilson were arrested in 2018. Arsenal Consulting examined electronic copies of their computers, as well as email accounts, based on a request from their lawyers. Wilson moved the Bombay High Court on February 10, seeking the formation of a Special Investigation Team to inquire into the matter as the primary electronic evidence was fabricated. The case is pending before the court.

In Gadling’s case, the 53-year-old’s device was infected with NetWire, a commercially available form of malware, for nearly two years before his arrest, Arsenal Consulting said.

Lawyer Mihir Desai, representing those arrested and jailed without bail in the case, told The Washington Post that the latest analysis will go “a long way in exonerating the accused and destroying the prosecution’s case”.

In the April report, the firm had said the hacker opened a command prompt to deliver the documents to a hidden folder on Wilson’s laptop. These files included details of purported meetings of Maoist militants, alleged correspondence with Maoist leaders and information of money received by the Communist Party of India (Maoist).

In Tuesday’s report, more information emerged of the methodology used to target Gadling and Wilson’s computers. Arsenal Consulting said that in both these cases, the attacker deployed an identical piece of malware to communicate with the same server. Both of them were also targeted via email.

In July 2017, the forensics firm said that the attacker was active on the two computers within a span of 20 minutes. This was also when the document about the Maoist group’s funding was planted in Gadling and Wilson’s computers, according to Arsenal Consulting.

Before this, a malware-laden email was sent to Gadling in February 2016. It was addressed to 14 recipients, including two others who later became co-defendants in the case. One of them was 84-year-old tribal rights activist Stan Swamy, who died on Monday at a hospital in Mumbai.

Those who opened the mail would have automatically installed malware capable of monitoring and controlling their computers, according to The Washington Post.

Citing this, experts said the information in Arsenal’s report shows an extensive and coordinated malware campaign that targeted and even possibly compromised devices of others arrested on charges of conspiring against the Indian government in the case.

“There’s clearly a larger set of activity here,” said Juan Andres Guerrero-Saade, a principal threat researcher at cybersecurity firm SentinelOne. He added that computers of Gadling and Wilson “aren’t the only machines being compromised by this threat actor”.

While three experts on malware and digital forensics in North America told The Washington Post that the conclusions by Arsenal were “sound”, another said there was “no question” that the same attacker targeted Gadling and Wilson’s computers.

Several activists and academics have been accused of making inflammatory speeches at the Elgar Parishad conclave held at Shaniwar Wada in Pune on December 31, 2017, which the authorities claim triggered violence at Bhima-Koregaon war memorial the next day.


Also read: Why isn’t the government looking for the source of ‘Modi assassination’ malware on Rona Wilson’s PC?