Technical evidence submitted in a case against digital rights activists in India has uncovered a new vector of attack against civil society. A report by the U.S. digital forensics firm Arsenal Consulting Ltd., submitted in the “Bhima Koregaon” case, provides details to show that malicious actors gained prolonged unauthorised access to the laptop of one of the defendants, and planted key documents used as evidence against the accused. Notably, several activists subject to persecution in this case as well as those connected with the defendants had already been targeted for attacks using NSO Group’s “Pegasus” malware.
Access Now has helped safeguard the digital rights of at-risk persons since our inception in 2009, and a large part of this work involves helping activists defend themselves against online attacks, including defense against malware and spyware. These deeply troubling findings demonstrate that the scope of targeted hacking is greater than previously recognised, and civil society groups in India and around the world must take urgent steps to guard against it.
How the “evidence” was digitally planted
The Bhima Koregaon case involves 11 prominent Indian human rights activists. The group includes dalit rights activist Rona Wilson, Varvara Rao, an 83-year-old poet, and the prominent academic Anand Teltumbde, as well as a labour lawyer and a Jesuit priest, among others. They all stand accused of “inciting violence against the state” after mass protests in January 2018 led to violence in the streets. They were charged under a stringent anti-terrorism law, the Unlawful Activities Prevention Act, 1967.
The malware was found on Mr. Wilson’s laptop. Arsenal Consulting examined a cloned copy of the laptop, which had been seized by the investigating police. In the first of two reports they submitted to the trial court in February 2021, Arsenal showed that an attacker managed to infiltrate the laptop using Netwire, a remote access Trojan tool. In the second report, the firm reported they found “[no] evidence of legitimate interaction with the additional files of interest on Mr. Wilson’s computer, and that 22 of the 24 files are directly connected to the attacker identified in Report I”.
Arsenal determined that an attacker used Netwire to plant the documents which form the basis of the case against all the accused over a 22-month period prior to Wilson’s arrest in 2019. The documents were saved on a hidden folder that had not been opened on that computer. They were also created using a newer version of Microsoft than was on Mr. Wilson’s computer. Mr. Wilson has therefore approached the Bombay High Court to ask for the formation of a special investigation team to look into the planting of evidence on his computer, and, in the interim, for a stay on the proceedings and his immediate release. Meanwhile, state prosecutors have contested the admissibility of the expert report.
The NSO connection, and what the attacks mean for activists in India and around the world
The power to plant evidence on a device is especially alarming in the context of the rapidly shrinking space for civic dissent in India. Indian civil society is facing government restrictions on NGO operations and funding, and individuals are targeted with surveillance, harassed, and arrested. Many people are targeted through malware on their phones.
In October 2019, WhatsApp revealed that NSO Group, the notorious Israeli surveillance vendor, exploited a “zero-day” vulnerability to target 1,400 individuals across the world. The vulnerability permitted attackers to deploy NSO’s Pegasus spyware, allowing them to extract a user’s private data simply by calling a target’s phone number. Subsequent investigations by Citizen Lab and WhatsApp found that 100 people targeted were members of civil society, including Indian human rights defenders, journalists, and academics, 22 of whom WhatsApp contacted to notify them of the attack. WhatsApp is now suing NSO group in a Washington, DC court.
But the story doesn’t end there. In 2020, Amnesty International and Citizen Lab uncovered another coordinated spyware campaign, this time targeting nine human rights defenders working to help the activists charged in the Bhima Koregaon case. At least three of these persons had also previously been targeted using NSO Group’s Pegasus spyware. In attacks carried out between January and October 2019, the targeted activists received a series of emails with malicious links, which, if clicked, would have deployed Netwire, which enables remote monitoring of their actions and communications. NSO Group maintains that it only sells its equipment to governments, but regardless, Indian law has a blanket prohibition against hacking, and there are no special concessions for state actors.
The illegal hacking must be stopped
The hacking to plant evidence in the Bhima Koregaon case is an escalation of tactics that are not permitted in India. While Section 69 of the Information Technology Act, 2000 allows “surveillance” under certain circumstances, all unauthorised intrusion into a person’s computer is explicitly prohibited under Section 43 of the same act. Mark Spencer, Arsenal’s president, has described the planting of key files on Mr. Wilson’s laptop as “the most serious type of case in digital forensics”. Civil society must take this threat seriously. So too must the governments that have allowed companies like NSO Group to profit from facilitating these attacks.
Access Now and partners have repeatedly called on NSO Group and investors in the company to take responsibility for the use of its products as tools of oppression as well as its clear failure to comply with human rights obligations. Most recently, we sent a coalition open letter demanding meaningful action to address these harms.
Governments must also take urgent action. In a 2019 report, David Kaye, the former U.N. Special Rapporteur on the freedom of expression, called on all nations to “establish an immediate moratorium on the global sale and transfer of private surveillance technology until rigorous human rights safeguards are put in place to regulate such practices and guarantee that governments and non-State actors use the tools in legitimate ways”. Access Now supports this position, and in our 2016 report on government hacking, we had also called for a presumptive ban on all forms of government hacking. We highlighted the danger of hacking to cause damage, including “accessing a file system or database in order to add, delete, or modify data” and flagged the threat of adding files to implicate an individual in a crime. We concluded the report by noting the need for more evidence to show the scope of the threat, and the Arsenal report unfortunately fits the bill.
If you think you are being targeted, reach out
We stand ready to help civil society increase their digital security and defend themselves from attacks. If you are an activist, journalist, blogger, or a human rights defender who believes your digital security is at risk, we encourage you to get in touch with Access Now’s Digital Security Helpline, a free resource for civil society globally. Our team is here for you.