Malware Used to Plant Evidence in Bhima Koregaon Accused’s Laptop?

US-based digital forensic firm finds that documents were planted on Rona Wilson’s laptop using NetWire malware.

Updated
India
3 min read
Surendra Gadling, Shoma Sen and Rona Wilson, activists arrested and detained under the UAPA.
i

A US-based digital forensics firm has submitted a report to a special NIA court hearing which states that the computer of Bhima Koregaon case accused Rona Wilson was compromised by a malware attack for nearly two years preceding his arrest in June 2018.

According to the report by Arsenal Consulting,

“The attacker responsible for compromising Mr. Wilson’s computer had extensive resources (including time) and it is obvious that their primary goals were surveillance and incriminating document delivery. Arsenal has connected the same attacker to a significant malware infrastructure which has been deployed over the course of approximately four years to not only attack and compromise Mr. Wilson’s computer for 22 months, but to attack his co-defendants in the Bhima Koregaon case and defendants in other high-profile Indian cases as well.”

The news of this report, which was requested from the forensics firm by Wilson’s lawyers, was broken by the Washington Post on Wednesday, 10 February, who have also posted the full report for public viewing online.

The newspaper notes that the malware was used to deposit at least 10 incriminating letters on Wilson’s computer, based on Arsenal Consulting’s examination of an electronic copy of the laptop.

Wilson was one of the first set of activists and academics to be arrested in the Bhima Koregaon case back in June 2018, and has been accused of conspiring with Maoist insurgents.

Key pieces of evidence cited by the Pune Police and (after they belatedly took over the case) the National Investigation Agency against the accused include several letters allegedly recovered from their computers. These include a letter allegedly written by Wilson in which he had talked about the guns needed by Maoist insurgents and a plot to carry out a “Rajiv Gandhi-style attack” – ie to assassinate Prime Minister Narendra Modi.

This report by the US forensic firm throws these allegations into doubt, as it agrees with an earlier analysis in 2019 by The Caravan, that certain documents appear to have been planted on WIlson’s computer using the malware.

“Arsenal has found no evidence which would suggest that the top ten most important documents used in the prosecution against Mr. Wilson (“the top ten documents”) were ever interacted with in any legitimate way on Mr. Wilson’s computer. More particularly, there is no evidence which would suggest any of the top ten documents, or the hidden folder they were contained in, were ever opened.”
Arsenal Consulting report at page 7

Arsenal Consulting noted that several of these documents were created using MS Word versions from 2010 and 2013, while the latest version of Word on Wilson’s computer was installed in 2007.

Following their analysis of the NetWire malware’s impact on a computer along with NTFS file system modeling, the firm found that “The incriminating documents were delivered to a hidden folder on Mr. Wilson’s computer by NetWire and not by other means.”

According to the report, Wilson’s computer was first compromised on 13 June 2016, when he was sent emails that appeared to be from fellow accused Varavara Rao, which suggested that he click on a link to download a document. Wilson opened the document at 6:18 pm on the day, which led to the installation of the NetWire malware on his computer.

The same attacker was found to have compromised Wilson’s computer multiple times from June 2016 to 17 April 2018, when Wilson and other accused persons’ homes were raided in connection with the case.

Three independent experts on malware and digital forensics contacted by the Washington Post reviewed the report and said the findings were sound. They also pointed to how this appeared to be part of a larger campaign of targeting these activists and people connected with them with Malware.

Amnesty International had reported that several people assisting the accused including their lawyers had been targeted using the NetWire malware in 2020, and several of the accused had been targeted using the infamous Pegasus malware as well in 2019.

The Washington Post reports that Sudeep Pasbola, one of the lawyers representing Wilson, has said that the Arsenal Consulting report proves Wilson’s innocence and “destablizes” the prosecution case against the activists. Wilson’s lawyers have also reportedly added the report to their filings in a petition to the Bombay High Court to dismiss the case.

NIA spokesperson Jaya Roy told the Washington Post that their forensic analysis of Wilson’s laptop showed no evidence of malware.

(The Quint is available on Telegram. For handpicked stories every day, subscribe to us on Telegram)

Published: 
Stay Updated

Subscribe To Our Daily Newsletter And Get News Delivered Straight To Your Inbox.

Join over 120,000 subscribers!