Bhima Koregaon: New forensic evidence confirms documents were planted in activist’s laptop, say reports

A new forensic analysis by Arsenal Consulting, a Massachusetts-based digital forensics firm, has found that a hacker had planted more than 30 documents in a laptop belonging to activist Rona Wilson


NH Web Desk

A new forensic analysis by Arsenal Consulting, a Massachusetts-based digital forensics firm, has found that a hacker had planted more than 30 documents in a laptop belonging to activist Rona Wilson, just days after violence had broken out in Maharashtra’s Bhima-Koregaon town in January 2018, to incriminate him in the incident, said a report by The Washington Post.

These files were cited by the Pune Police and the National Investigation Agency in 2018 as evidence against Wilson, lawyers Sudha Bharadwaj and Surendra Gadling, activists Arun Ferreira, Gautam Navlakha, Sudhir Dhawale, Shoma Sen and Mahesh Raut, Jesuit priest Stan Swamy, Hany Babu Tarayil, a professor of linguistics at the Department of English at Delhi University, Anand Teltumbde, a professor at the Goa Institute of Management, and poet Varavara Rao, who is out on bail.

All the others have been jailed without trial or bail for almost three years on charges of conspiring against the Indian state. These activists have been accused of working with a banned Maoist militant group that has waged insurgency against the State for decades.

In February, The Washington Post had reported on an earlier analysis by the same firm, which found that 10 letters had been planted on Wilson’s laptop, including one that discussed an alleged plot to assassinate Modi.

The latest report by Arsenal finds that 22 additional documents were also inserted into the computer by the same unidentified hacker. Arsenal analysed an electronic copy of Wilson’s computer on a request from his lawyers, who got it from the police in November 2019 after court orders.

In February, after the first forensic reports were published, Wilson’s lawyers submitted the first report to a court in Mumbai and urged the judges to dismiss the charges against their client. The court is expected to hold a hearing on the petition.

According to The Washington Post report, a spokeswoman for the National Investigation Agency (NIA), Jaya Roy, said an analysis by a government forensic laboratory did not indicate that the laptop had been compromised by malware. She did not provide details on how the laboratory reached that conclusion. “Our investigation is complete,” Roy said. The NIA cannot revisit “any evidence based on a private lab’s report,” reported The Washington Post.

In February too, the NIA had indirectly discredited Arsenal’s first report in a statement released by them. “The forensics reports that are cited in the charge sheet filed in the court are from an accredited lab, accepted by the Indian courts. In this case, it was done by the Regional Forensic Science Laboratory in Pune. According to their report no such malware was found,” said Roy. “Rest all (sic) is distortion of facts.”

The latest report shows that 22 additional documents placed in a hidden folder on Wilson’s computer include details of purported meetings of Maoist militants, alleged correspondence with Maoist leaders and details of funds received by the banned group.

Two other files were stored in a folder on the Windows drive of the laptop. Unlike the other 22 files, Arsenal could not confirm that they were delivered specifically by NetWire. The files were never created or used by anyone who used Wilson’s computer; the attacker used software to plant them, reported The Washington Post.

NetWire is a commercially available remote-access trojan. Arsenal’s forensic report found that the attacker used this malware to control Wilson’s laptop for nearly two years, starting in 2016. The same attacker also targeted Wilson’s co-defendants, Arsenal said.

Eight people seeking to help the activists, too, received emails with malicious links that deployed NetWire.

This second report detailed how the remote-access trojan was used to deliver multiple files to Wilson’s laptop, in addition to those mentioned in the first report, which investigators later used to incriminate him and others.

The process tree for a document titled ‘mohila meeting’ showed NetWire launching automatically after a login at 5:04 pm on 11 January 2018, 11 days after the Bhima-Koregaon violence.

The attacker opened a command prompt and, between 5:10 and 5:12 pm, unpacked three archive files, one of which contained “mohila meeting jan.pdf”, into a hidden folder. The extraction was done with a temporarily deployed copy of UnRAR, a file archiver similar to WinZip, which had been renamed to “Adobe.exe”.
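The process chain described above (login, implant auto-start, command prompt, renamed archiver writing into a hidden folder) is the kind of sequence an analyst reconstructs from process-creation telemetry. As an added illustration, not code from Arsenal or from the report, the Python below walks constructed Sysmon-style records, flags an archiver whose on-disk name differs from its PE OriginalFileName, and returns the parent chain that launched it; the process names, paths and times are assumed.

```python
import ntpath

# Constructed process-creation records in the shape of Sysmon Event ID 1 fields
# (pid, parent pid, image path, PE OriginalFileName, command line, time).
# The values are illustrative, not data from Arsenal's report.
EVENTS = [
    {"pid": 100, "ppid": 1,   "image": r"C:\Windows\explorer.exe",
     "orig": "EXPLORER.EXE", "cmd": "explorer.exe", "t": "17:04:00"},
    {"pid": 200, "ppid": 100, "image": r"C:\Users\u\AppData\Roaming\svc.exe",
     "orig": None, "cmd": "svc.exe", "t": "17:04:05"},   # implant, no version info
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\cmd.exe",
     "orig": "Cmd.Exe", "cmd": "cmd.exe", "t": "17:10:00"},
    {"pid": 400, "ppid": 300, "image": r"C:\Users\u\AppData\Local\Temp\Adobe.exe",
     "orig": "UnRAR.exe",
     "cmd": r"Adobe.exe x meeting.rar C:\Users\u\Documents\.Cache\ ", "t": "17:11:00"},
]

# Archiver binaries whose OriginalFileName still identifies them after a rename.
ARCHIVERS = {"unrar.exe", "rar.exe", "7z.exe", "7za.exe", "winzip.exe"}


def ancestry(events, pid):
    """Return the process chain root..pid as a list of image basenames."""
    table = {e["pid"]: e for e in events}
    chain = []
    while pid in table:
        chain.append(ntpath.basename(table[pid]["image"]))
        pid = table[pid]["ppid"]
    return list(reversed(chain))


def is_renamed(ev):
    """True when the on-disk name does not match the PE OriginalFileName."""
    if not ev["orig"]:
        return False
    return ntpath.basename(ev["image"]).lower() != ev["orig"].lower()


def renamed_archivers(events):
    """Flag renamed archivers and report the chain that launched each one."""
    hits = []
    for ev in events:
        if ev["orig"] and ev["orig"].lower() in ARCHIVERS and is_renamed(ev):
            hits.append({"pid": ev["pid"], "orig": ev["orig"], "t": ev["t"],
                         "chain": ancestry(events, ev["pid"])})
    return hits


if __name__ == "__main__":
    for h in renamed_archivers(EVENTS):
        print(h["t"], h["orig"], "ran as", " > ".join(h["chain"]))
```

The same walk over real Sysmon or EDR data is what lets an examiner tie an extraction to the implant that spawned the shell rather than to the user's own session.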

The report explained how the attacker erred while writing the command to plant a file, and subsequently corrected it. “It is rare to see an attacker make mistakes, so any mistake is very interesting to us,” Mark Spencer, Arsenal’s president, told news website Article 14, which has also reported on the issue.

Several of the same domain names and Internet Protocol (IP) addresses were used to target both the activists and their associates. Most of the IP addresses are assigned to HostSailor, a web-hosting and virtual private server company based in the United Arab Emirates. HostSailor refused to comment when The Washington Post reached out.

The case against the 16 activists centres on an event, Elgaar Parishad, held on December 31, 2017, in Bhima-Koregaon to commemorate the 200th anniversary of the victory of a largely Dalit-staffed British army over the upper-caste Peshwa army. Targeted violence broke out after the event as Dalits clashed with Hindutva goons who were annoyed by the Dalit celebration.
