By Niha Masih and Joanna Slater
NEW DELHI — An unknown hacker planted more than 30 documents that investigators deemed incriminating on a laptop belonging to an Indian activist accused of terrorism, a new forensic analysis finds, indicating a more extensive use of malicious software than previously revealed.
The report will heighten concerns about the controversial prosecution of a group of government critics under Prime Minister Narendra Modi.
Arsenal Consulting, a Massachusetts-based digital forensics firm, examined an electronic copy of the laptop at the request of defense lawyers. The Washington Post reviewed a copy of the report.
A previous analysis by Arsenal, which The Washington Post reported in February, found that 10 letters had been deposited on the laptop, including one that discussed an alleged plot to assassinate Modi. The latest report by Arsenal finds that 22 additional documents were also delivered to the computer by the same attacker.
The documents — now totaling 32 — have been cited by law enforcement as evidence against a group of activists accused of working with a banned Maoist militant group that has waged a decades-old insurgency against the Indian state.
Known as the Bhima Koregaon case, the prosecution is considered a bellwether for the rule of law in India. Human rights groups and legal experts view the case as an effort by the government to clamp down on critics.
The space for dissent has diminished in Modi’s India, where journalists, activists and members of nongovernmental organizations have faced arrest and harassment.
The activists accused in the case deny the charges against them. They include a prominent academic, a labor lawyer, a leftist poet, a Jesuit priest and two singers. All are advocates for the rights of the country’s most disadvantaged communities and vocal opponents of the ruling party. Many of them have been jailed for nearly three years as they await trial.
The two reports by Arsenal focus on a laptop belonging to Rona Wilson, a Delhi-based activist. In February, lawyers for Wilson submitted the first report to a court in Mumbai and urged the judges to dismiss the charges against their client. The court is expected to hold a hearing on the petition.
Jaya Roy, a spokeswoman for the National Investigation Agency (NIA), the anti-terrorism authority overseeing the case against the activists, said an analysis by a government forensic laboratory did not indicate that the laptop had been compromised by malware. She did not provide details on how the laboratory reached that conclusion.
“Our investigation is complete,” Roy said. The NIA cannot revisit “any evidence based on a private lab’s report.”
The Washington Post asked three experts on malware and digital forensics in North America to review Arsenal’s initial report, and they found its findings valid. A fourth expert reviewed both reports and said the conclusions were sound.
In its latest report, Arsenal includes data it recovered from the laptop showing the attacker typing commands to deliver documents to a hidden folder. It’s the equivalent of a “videotape of someone committing the crime,” said Mark Spencer, Arsenal’s president.
Arsenal has so far conducted its work on the reports on a pro bono basis, Spencer said. Founded in 2009, Arsenal performs computer forensic analysis for companies, law firms and government agencies, and it has provided expert testimony in cases such as the Boston Marathon bombing.
In the Indian case, an attacker used NetWire, a commercially available form of malware, to compromise Wilson’s laptop for nearly two years starting in 2016, Arsenal said.
The latest report shows that 22 additional documents were placed in a hidden folder on Wilson’s computer. They include details of purported meetings of Maoist militants, alleged correspondence with Maoist leaders and details of funds received by the banned group.
Two other files were stored in a folder on the Windows drive of the laptop. Unlike the other 22 files, Arsenal could not confirm they were delivered specifically by NetWire. But it found no evidence of any legitimate interaction with the documents and called their location in an unrelated application folder “suspicious.”
Arsenal’s “step-by-step” explanation of how the 22 documents were delivered is very clear and experts in the field “would draw all the same conclusions” based on that data, said Kevin Ripa, president of the Grayson Group of Companies and an expert in digital forensics.
The compromising of Wilson’s computer was just one element of a larger malware campaign. The same attacker also targeted his co-defendants, Arsenal said. Eight people seeking to help the activists, too, received emails with malicious links that deployed NetWire, according to a report from Amnesty International.
Several of the same domain names and Internet protocol addresses were used to target both the activists and their associates.
Most of the IP addresses are assigned to HostSailor, a web-hosting and virtual private server company whose website indicates it is based in the United Arab Emirates. HostSailor declined to respond to requests for comment on whether it was aware of the reports or had taken any action in response to them.
The case against the activists has its origins in a clash that unfolded on Jan. 1, 2018, in a village known as Bhima Koregaon following a memorial event celebrated by Dalits, who occupy the lowest rung in India’s caste hierarchy. The investigation into the violence, which left one dead, rapidly expanded into a wider probe of conspiracy against the Indian state.
The authorities alleged that the clash was linked to the Communist Party of India (Maoist), a banned militant group based primarily in the forests of central India. Earlier this month, 22 security personnel were killed in an apparent ambush by militants, the worst such incident in nearly four years.
The most recent activist to be jailed in the Bhima Koregaon case is an 83-year-old Jesuit priest named Stan Swamy. He is the oldest person in India to be arrested on terrorism charges. Swamy suffers from Parkinson’s disease and requires help to bathe and write letters, said Joseph Xavier, a priest and close friend. Swamy has spent more than six months in jail during the coronavirus pandemic.
Swamy lives in Jharkhand, one of the poorest states in India, where he works for the rights of Indigenous tribal communities. He has spearheaded campaigns challenging the acquisition of tribal land and the detentions of tribal youths on flimsy or no evidence. In a video recorded before he was arrested, Swamy said he and other activists were being targeted because they had “expressed their dissent or raised questions” about India’s ruling party.
On a recent phone call from jail, Swamy’s chief concern was the well-being of his colleagues and the organization he ran, Xavier said. Even in moments of hardship or pain, Swamy “will not complain,” his friend said. “That is the kind of person he is.”