More than a dozen activists, academics and lawyers have been imprisoned under an anti-terrorism law – some for more than four years – accused of links to a banned Maoist armed group that aims to overthrow the government. They deny the allegations. The strict terrorism law has drawn criticism in part because the accused can rarely be granted bail and cases brought under the law have a low conviction rate.
In 2021, The Washington Post reported that devices belonging to at least two defendants in the case had been compromised by hackers who deposited dozens of incriminating documents in the devices. This malware campaign targeted individuals other than those charged in the case.
Separately, the Pegasus Project investigation by The Post and 16 other news organizations revealed that some of the defendants were included on a list of spyware surveillance targets provided to governments or their agencies by the Israeli company NSO Group. The Indian government has neither confirmed nor denied that it is an NSO customer. In June, Wired reported links between the hacking campaign and the Indian police, which did not respond to the report.
The new findings shed more light on a case that continues to grip the nation. Civil society groups say it is a chilling example of the persecution of human rights defenders under Prime Minister Narendra Modi’s government.
Swamy, bespectacled and lanky, defended the rights of tribal youths in Central India accused of being Maoists – before police charged him with the same crime.
According to Arsenal’s latest report, Swamy was the target of an extensive malware campaign for nearly five years, the longest known to any of the defendants, until his device was seized by police in June 2019. During that time, the hacker gained full access and control over his computer and dropped dozens of files into a hidden folder without his knowledge.
Arsenal carried out its analysis at the request of the defendants’ legal team.
These documents – alleged letters between the defendants and the Maoist group – are being cited by police as evidence against Swamy and others in what is known as the Bhima Koregaon case. International human rights organizations, including United Nations experts, have previously called on the Indian government to release the defendants, at least on bail, given their advanced age and poor health.
The National Investigation Agency, the prosecuting authority in the case, did not respond to requests for comment.
Arsenal’s findings “clear up” Swamy’s name, his friend Father Joseph Xavier said. He said the report proves that Swamy was “systematically attacked and framed for raising his voice for the [tribals], which harms the interests of the state.” A plea to drop the charges against the defendants based on Arsenal’s initial report is pending in the courts.
Two experts in malware and digital forensics reviewed the report at the request of The Post and said its conclusions were sound.
Arsenal’s report is “really convincing” and there is “solid evidence” that Swamy’s computer was infected with malware and that an operator pushed incriminating files to the system, said Robert Jan Mora, a digital forensics expert at Volexity, a cybersecurity firm based in the DC area, who reviewed the report. He added that Arsenal should publish in more detail how NetWire malware left traces, which could benefit others in the field.
Alessandro Di Carlo, director of forensics at Certego, an Italian cybersecurity company, said the analysis is “thorough and comprehensive”.
Arsenal’s new report says that as of October 2014, Swamy’s laptop was infected with NetWire, a commercially available malware that can upload files to and download files from a target’s computer, log keystrokes, and access emails and passwords.
The unidentified hacker in Swamy’s case is the same one who targeted Swamy’s co-defendants, activist Rona Wilson and attorney Surendra Gadling, given the use of the same command-and-control servers and the same NetWire configurations, including the hacker’s passwords, Arsenal said.
The hacker used WinSCP, a free and open-source file transfer tool for Windows, to copy more than 24,000 files and folders from Swamy’s computer and removable storage devices to the hacker’s own server, the report said.
According to Arsenal, the hacker first uploaded documents to Swamy’s computer in July 2017 and continued to do so for two years. The documents were never opened and Swamy never acted upon them, the report says.
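The reasoning Arsenal’s report relies on in the passages above is a timeline correlation: documents that appeared on disk while a remote-access session was active, and that carry no trace of ever having been opened by the user, are consistent with having been planted. The following script is an added illustration of that check and is not code from the article or from Arsenal. All file records, session windows, dates and paths in it are constructed sample data, not values from the report.

```python
"""
Added example: a minimal timeline correlation of the kind a forensic examiner uses
to separate documents an operator pushed to a machine from documents the owner
created or used. Not part of the original article or Arsenal's report.

Inputs (both constructed here, in the shape an examiner would export from a
file-system metadata parse and from malware/C2 log analysis):
  - FileRecord: one per document, with its creation timestamp and whether any
    user-interaction artifact exists for it (shell LNK file, RecentDocs or
    application MRU entry, Office "last opened" metadata, etc.).
  - Session: a window during which a malicious remote-access tool was active.

A document is flagged as a planting candidate when it was written to disk inside a
malicious session window and no user-interaction artifact exists for it.
NTFS last-access timestamps are deliberately not used: Windows disables their
update by default, so their absence proves nothing either way.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class FileRecord:
    path: str
    created: datetime       # file-system creation time of the document
    opened_by_user: bool    # True if any user-open artifact was found for it


@dataclass(frozen=True)
class Session:
    start: datetime
    end: datetime
    tool: str               # which malicious tool was active (e.g. remote-access trojan)


def session_covering(ts: datetime, sessions: List[Session]) -> Optional[Session]:
    """Return the malicious session whose window contains ts, or None."""
    for s in sessions:
        if s.start <= ts <= s.end:
            return s
    return None


def flag_planted_candidates(files: List[FileRecord],
                            sessions: List[Session]) -> List[Tuple[str, str, str]]:
    """Return (path, tool, created-iso) for documents created during a malicious
    session that show no evidence of ever having been opened by the user."""
    findings = []
    for f in files:
        s = session_covering(f.created, sessions)
        if s is None:
            continue                      # created outside any malicious window
        if f.opened_by_user:
            continue                      # user touched it; not a clean planting signal
        findings.append((f.path, s.tool, f.created.isoformat()))
    return findings


# --- constructed sample data (hypothetical dates, paths and tool names) ---
SESSIONS = [
    Session(datetime(2020, 1, 10, 21, 0), datetime(2020, 1, 10, 23, 30), "remote-access trojan"),
]

FILES = [
    # dropped into a hidden folder mid-session, never opened -> flagged
    FileRecord("C:/Users/owner/AppData/Local/.hidden/letter_01.docx",
               datetime(2020, 1, 10, 22, 15), opened_by_user=False),
    # owner's own work, created outside any session -> not flagged
    FileRecord("C:/Users/owner/Documents/report_draft.docx",
               datetime(2020, 1, 9, 14, 5), opened_by_user=True),
    # created during the session but has LNK/MRU evidence of use -> not flagged
    FileRecord("C:/Users/owner/Downloads/notes.txt",
               datetime(2020, 1, 10, 21, 40), opened_by_user=True),
]

if __name__ == "__main__":
    for path, tool, when in flag_planted_candidates(FILES, SESSIONS):
        print(f"planting candidate: {path} (written at {when} during {tool} session)")
```

In a real examination the session windows come from the malware’s own logs, C2 connection records and process-execution artifacts, and the “opened by user” flag is the union of every user-interaction artifact the examiner can recover; the script only shows the correlation step once those inputs exist.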
“I’ve never seen this amount of evidence before,” said Mora, who has conducted malware forensics in high-profile breach investigations and security assessments for governments. “It’s unbelievable.”
On the night of June 11, 2019, hours before Swamy’s computer was seized by police, the hacker performed an extensive “cleanup” of their operations, which included removing the malware and surveillance data and creating a distraction by copying a large number of files into the folders on the computer that had been used maliciously before the cleanup.
Arsenal president Mark Spencer called that activity “extremely suspicious” given the imminent seizure of the device.
In the report, Arsenal shares screenshots of the raw data recovered from Swamy’s computer that reveal the hacker’s activities, including the command used to delete the folder in which tens of thousands of files copied from Swamy’s computer were staged before being transferred to the hacker’s server.
Last May, Swamy, who suffered from Parkinson’s disease, appealed to the court for medical bail, saying his bodily functions were “steadily” deteriorating.
India’s counter-terrorism agency opposed his bail application, saying the medical documents he cited were not conclusive evidence of a serious condition and that the allegation of trumped-up evidence was an attempt to “confuse truth with falsehood”.
His death caused a furore in India, with opposition parties, civil society groups and citizens calling for accountability.
Xavier, Swamy’s friend of 20 years, said: “Stan stood for justice and paid a price for it.”