“We generally don’t tell people who targeted them, but I’m kind of tired of watching... These guys are not going after terrorists. They’re going after human rights defenders and journalists. And it’s not right,” an unnamed security analyst told American magazine WIRED.
The analyst is employed by an email provider which WIRED had contacted as part of their investigation into the alleged compromising of the devices owned by the accused in the Bhima Koregaon case.
While the accused in the case continue to languish in jails, barring rare exceptions who have somehow managed to get bail and Father Stan Swamy who died awaiting the same, a spate of independent investigations suggests that the purported evidence used to keep the accused behind bars may have just been corrupt.
Most recently, the investigative report by WIRED points towards Pune Police's purported involvement in the fabrication of evidence in the case. As per this report, researchers have revealed ties between those who had allegedly hacked into the systems used by the accused prior to their arrest, and "the very same Indian police agency in the city of Pune that arrested multiple activists (in the Bhima Koregaon case)".
Cybersecurity firm SentinelOne had reportedly learned that three of the email accounts compromised by hackers in 2018 and 2019 had a recovery email address and phone number. These accounts belonged to Rona Wilson, Varavara Rao and Hany Babu.
In Wilson’s case, a piece of malware called NetWire had added 32 files to a folder on the computer’s hard drive. According to a prior probe by American digital forensic investigation firm Arsenal Consulting, his computer was compromised by the NetWire malware after he opened an attachment sent from the email account of Varavara Rao, who has since been named a co-accused.
The files added to Wilson's computer included a letter – created with a version of Microsoft Word that Wilson had never used and which had not even been installed on his computer – in which Wilson seems to be conspiring with a banned Maoist group to assassinate Prime Minister Narendra Modi.
In February, SentinelOne published a report finding that the two cases of evidence fabrication that Arsenal had analysed were part of a much larger pattern, but SentinelOne had not gone on to identify any individual or organisation as responsible for the hackings.
How Was the Purported Pune Police Link Discovered?
Security researchers, part of WIRED's investigation, are believed to have found that the recovery email on all three accounts included the full name of a police official in Pune.
The unnamed email provider reportedly found that the hacked accounts were accessed from IP addresses that SentinelOne and Amnesty International had previously identified in their investigations.
The email provider's security analyst told WIRED that Rona Wilson's email account had received a phishing email in April 2018, following which it seems to have been compromised by hackers using the same IP addresses. During this same period, the email and phone number linked to Pune City Police were allegedly added as recovery contacts on his account.
Wilson's account was then purportedly used to send out phishing emails to other Bhima Koregaon accused before his arrest in June 2018.
John Scott-Railton, a security researcher at University of Toronto's Citizen Lab, perused open source databases, and reportedly found that the recovery phone number was linked to an email address ending with a suffix seen in other email addresses used by Pune Police.
Railton is also said to have discovered that the WhatsApp profile photo used for the recovery phone number was a selfie of a police official who had been previously spotted in police press conferences and one news photograph taken on Varavara Rao's arrest.
Security researcher Zeeshan Aziz reportedly found for WIRED that the recovery email address and phone number were tied to the police official's name in a leaked database of TrueCaller, and that his phone number was also linked to his name in the leaked database of a job recruitment website. Finally, the recovery phone number was also found in several archived web directories for Indian police.
Background Information on the Case
The Pune Police were initially in charge of the investigation into the Bhima Koregaon violence. Claiming to have ‘secret information’ from ‘secret sources’ that Wilson, an academic and activist, and lawyer-activist Surendra Gadling, were also involved in the plot, the police went on to carry out raids on the houses of the accused on 17 April 2018.
In these raids, they seized electronic devices belonging to several of them, including Wilson.
The police put out claims soon after that they had found incriminating documents on these computers, including the alleged letter from Wilson about a plot to assassinate Prime Minister Narendra Modi.
Rona Wilson was among the first batch of five people arrested in connection with these claims of Maoist conspiracies in June 2018.
These claims eventually found their way into the first charge sheet filed against several of the accused on 15 November 2018. The charge sheet involved accusations of offences under the draconian Unlawful Activities (Prevention) Act, that is, the UAPA.
After the Shiv Sena-Nationalist Congress Party-Congress government came to power in late 2019, the case was abruptly transferred to the National Investigation Agency (NIA), which continued to proceed based on the original investigation of the Pune Police, and added to the original charge sheets.
Following Arsenal Consulting's confirmation in 2021 that Wilson’s phone was attacked multiple times by the Pegasus spyware, he had moved the Bombay High Court challenging his prosecution under the draconian UAPA. However, he is still lodged in the Taloja Central Jail, awaiting trial, and the Bombay High Court had on 4 May dismissed his petition seeking review of an earlier order which had dismissed his appeal for default bail.
(As per WIRED, they made several attempts to contact Pune City Police and the police official in question, but to no avail. The Quint has not been able to independently verify any of the information reported by them.)